Government Technology Agency


Lead Cybersecurity Engineer (Tradenet)

Full-time

Job Description
The Government Technology Agency (GovTech) aims to transform the delivery of Government digital services by taking an "outside-in" view, putting citizens and businesses at the heart of everything we do. We also develop the Smart Nation infrastructure and applications and facilitate collaboration with citizens and businesses to co-develop technologies.

Join us as we support Singapore’s vision of building a Smart Nation - a nation of possibilities empowered through info-communications technology and related engineering.

What the role is
We are seeking a Lead Cybersecurity Engineer to serve as the security SME for a critical national digital platform. This role sits at the intersection of engineering delivery and regulatory compliance. You will translate policy requirements (IM8 Reform, CSA CCOPv2) into implementable technical controls while working shoulder-to-shoulder with product and engineering teams in an agile delivery environment.

What you will be working on

Cloud & Infrastructure Security
● Assess and validate security controls across IaaS/PaaS/SaaS environments, covering identity management, encryption, and network segmentation.
● Govern security appliance policy and rule changes (WAF, DAM, Firewalls), including oversight of vendor operations and change management.

Application Security
● Triage application security findings against OWASP Top 10, reproduce and validate issues, and coordinate retesting with functional leads or delegates.
● Ensure adherence to secure SDLC practices across the delivery lifecycle.

Regulatory Compliance & Risk
● Translate CSA Cybersecurity Act (CII CCOPv2) and WOG IM8 high-risk cloud requirements into actionable technical and process controls.
● Manage Vulnerability Disclosure Programme findings end-to-end: triage, coordinate with functional leads, track remediation, and close.
● Conduct security risk assessments and map technical controls to compliance requirements across relevant frameworks (ISO 27001, NIST, CIS benchmarks).
● Support internal and external audits, including evidence gathering and coordination with auditors.

Threat Modelling
● Conduct threat modelling with reference to the MITRE ATT&CK framework, scoped to the CII landscape.
● Participate in the design and solutioning of technical setups when new security requirements are introduced, using threat modelling outcomes to prioritize implementation.

Defensive Operations
● Log and assess GCSOC/GITSIR/agency advisories, determine impact, follow up with functional leads, and track to closure.
● Act as incident responder, handling incidents or potential Events of Interest on the infrastructure (application) and endpoints of the engineering team.

Stakeholder Engagement & Delivery
● Liaise between CSA, Agency CISO stakeholders, and engineering teams — matching regulatory requirements with engineering approaches and design decisions.
● Drive remediation through engineering teams, not just identify gaps.
● Manage cross-functional security initiatives from requirements through deployment.
● Leverage automation for compliance monitoring and evidence collection.
● Establish and track KPIs for compliance posture and risk reduction.
● Champion agile security practices within the delivery cadence.


What we are looking for
● Minimum 5 years of professional experience in cybersecurity engineering, with hands-on work in security operations, risk assessment, or compliance within cloud environments.
● Working knowledge of Singapore-specific regulatory frameworks: WOG IM8 Reform and CSA CCOPv2 for Critical Information Infrastructure.
● Hands-on experience with security technologies such as SIEM, CSPM, ASM, WAF, and vulnerability management tools.
● Familiarity with cybersecurity frameworks and standards including OWASP, MITRE ATT&CK, ISO 27001, NIST, and CIS benchmarks.
● Ability to communicate technical security concepts to policy and compliance stakeholders, and translate compliance requirements into engineering-actionable tasks.
● Pragmatic decision-making: able to balance security requirements with delivery timelines and business needs.
● Experience supporting audit cycles and producing compliance evidence.
● Proficiency in at least one scripting language (e.g., Python, PowerShell, YARA) for automation and tooling.
● Relevant certifications such as GCIH, GCFA, OSCP, CISSP, or AWS Security Specialty are advantageous.
● Ability to conduct in-house VAPT is a strong plus.
● Depending on the nature of your job role, you might be required to be onsite during fixed hours.

Our employee benefits are based on a total rewards approach, offering a holistic and market-competitive suite of perks. These include leave benefits to meet your work-life needs and employee wellness programmes.
We champion flexible work arrangements (subject to your job role) and trust that you will manage your own time to deliver your best, wherever you are, and whatever works best for you.

Learn more about life inside GovTech at go.gov.sg/GovTechCareers.

Stay connected with us on social media at go.gov.sg/ConnectWithGovTech

About your application process

If you do not hear from us within 4 weeks of the job ad closing date, we seek your understanding that it is likely that we are not moving forward with your application for this role. We thank you for your interest and would like to assure you that this does not affect your other job applications with the Public Service. We encourage you to explore and apply for other roles within Government Technology Agency or the wider Public Service.