DUTIES AND RESPONSIBILITIES:

Security governance & infrastructure protection

• Own and manage the companys IT/security controls across infrastructure (network security, firewalls/WAF, cloud hosting, endpoint security, identity & access, internet and usage policies).
• Define, implement, and maintain security baselines and hardening standards for cloud and on-prem environments.

Security operations & monitoring

• Monitor, investigate, and analyze cybersecurity events; coordinate incident response, root cause analysis, and post-incident improvements.
• Establish operational security processes (alert triage, escalation, reporting, and continuous tuning of detection rules).

Risk management, assessment & secure design

• Conduct security assessments (technical and process-based), identify threats/vulnerabilities, assess likelihood/impact, and maintain risk register with mitigation plans.
• Review security architecture/design for systems and applications, including business continuity and disaster recovery requirements.

Vulnerability management & testing

• Review existing security measures, coordinate penetration tests for internal applications, and ensure findings are tracked to closure.
• Support engineering teams in remediation, patching, and implementing secure coding / secure configuration practices.
• Drive vulnerability remediation timelines and verify fixes (re-test and closure evidence) with the development team.

Compliance & audit readiness

• Support development and rollout of IT policies, standards, and procedures to meet regulatory/legal requirements (e.g., BOT Virtual Bank regulations, PDPA, ISO 27001).
• Perform regular compliance reviews and internal audits to identify control gaps and ensure readiness for external and regulatory audits.
• Prepare, maintain, and coordinate compliance documentation and audit evidence (policies, procedures, control test results, risk assessments, and audit responses).

Cross-team enablement

• Implement security guidelines for collaboration tools and company-wide ways of working (access control, data handling, approved tools, third-party access).
• Provide clear advisory support to stakeholders: explain security findings, technical risks, and remediation options in practical terms.

KNOWLEDGE, SKILLS AND ABILITIES:

• Strong knowledge of IT/cybersecurity laws and regulations (e.g., PDPA, Computer Crime Act, cyber-related regulatory requirements, IT risk management practices).
• (Nice to have) Experience with ISO 27001/ISMS implementation, security audits, cloud security (AWS/GCP/Azure), and common security tooling (SIEM, EDR, WAF, vulnerability scanners).

EDUCATION AND EXPERIENCE:

• 4–5+ years of experience in IT Security Management and project delivery in regulated/complex environments (banking, fintech, insurance, etc.).
• Bachelors degree in Computer Engineering, Computer Science, IT, or related field.