Lead / Senior Cybersecurity Governance Specialist, CISO Office

The Cyber Security Group (CSG) is the cybersecurity arm of GovTech. CSG is committed to create a digital government that is safe and secure. CSG delivers technical and operational capabilities to counteract cyber threats, provides thought leadership on transformative cybersecurity governance and policies and to strengthen the cybersecurity posture of government agencies in a manner that is sustainable, pragmatic, and effective.
 
To enhance infocomm security capabilities in GovTech and the Whole-of-Government (WOG), GovTech appoints Chief Information Security Officer (CISO) teams at the various ministries to oversee infocomm security management.
 
Reporting to the Ministry CISO (MCISO), you will be the primary architect of the Ministry’s security governance and risk management framework. You will ensure that all agencies within the Ministry Family operate under a unified, effective, and modern security standard. Your mission is to transform GRC from a compliance-heavy exercise into a strategic enabler. You will establish the frameworks that allow the Ministry Family to adopt new technologies with confidence, moving away from a "risk-averse" posture toward a "risk-informed" one. You will ensure that risk management is deeply integrated into the lifecycle of every digital system, from web applications to critical Operational Technology (OT) environments.

1. Enterprise Risk Governance & Management

• Dynamic Risk Registers: Establish and oversee the Ministry-wide security risk register. You will ensure that registers are not static documents but "living" tools that accurately reflect the current threat landscape and project status across all agencies.

• Senior Management Facilitation: Lead and facilitate high-level risk conversations with Senior Management and Agency CIOs. You must be able to translate complex technical risks into clear business impacts to drive informed resource allocation and prioritisation.

• Risk Analysis Framework: Develop a robust framework to guide agencies in performing consistent, high-quality risk analysis. This framework should empower agencies to take calculated risks for innovation rather than defaulting to "no" due to risk aversion.

2. Threat Risk Assessment (TRA) & Standards

• Unified TRA Framework: Establish and maintain Ministry-wide standards for conducting Threat Risk Assessments across diverse domains, including Cloud (GCC), Web Applications, and OT/ICS systems.

• Crown Jewel Identification: Develop SOPs to guide agency project teams in identifying "Crown Jewels" (Critical Information Assets) and mapping comprehensive threat vectors.

• Standardisation of Controls: Define common security configuration standards and ensure that controls are technically effective in mitigating identified risks, rather than just meeting baseline requirements.

3. Zero Trust & Architecture Governance

• Zero Trust Roadmap: Lead the establishment of a Ministry-wide Zero Trust Framework, setting the standards for identity-based security, micro-segmentation, and "never trust, always verify" architectures.

• Architectural Advisory: Provide expert GRC input during the design phase of high-impact systems to ensure security-by-design and alignment with Ministry standards.

• Technology Application: Evaluate and recommend security technologies that effectively mitigate specific risks, ensuring that defensive layers remain relevant against modern threats.

4. Supply Chain & Ecosystem Risk Management

• Third-Party Risk Strategy: Establish the framework for managing risks across the software supply chain and IT vendors.

• Dependency & Vendor Risk: Develop standards for assessing the cyber-resilience of third-party partners and managing risks associated with software dependencies (e.g., Open Source libraries).

5. Audit Excellence & Systemic Improvement

• Proactive Readiness: Shift agencies from "reactive" audit preparation to a state of continuous compliance and readiness.

• Root Cause Rectification: Oversee the closure of audit findings, ensuring agencies implement substantive, effective technical fixes rather than surface-level measures.

• Systemic Weakness Identification: Analyse audit trends across the Ministry Family to identify and address systemic weaknesses before they can be exploited.

6. Stakeholder Management & Threat Intelligence

• Education & Advocacy: Partner with Agency CIOs, CISOs, and Project Owners to inculcate a proactive risk management mindset.

• Threat & Tech Foresight: Keep abreast of evolving Actor TTPs (Tactics, Techniques, and Procedures) and technology changes. Periodically review the relevancy of existing Ministry-wide defences against the latest threats.

Experience

• Years of Experience: 10 to 12 years in Cybersecurity GRC, Information Security Risk Management, or Security Architecture.

• Domain Breadth: Proven experience in managing risks across IT and Cloud environments; exposure to OT (Operational Technology) systems is a significant advantage.

• Regulatory Knowledge: Deep familiarity with Singapore Government security policies (e.g., Instruction Manual on IT Management) and international standards (e.g., NIST, ISO 27001).

Technical Skills

• Risk Methodologies: Mastery of risk assessment methodologies (e.g., TVRA) and the ability to translate technical vulnerabilities into business risk.

• Security Technologies: Strong technical understanding of various Zero Trust Architecture (ZTA) components and cloud security technologies. Such as Firewalls, EDR, IAM, SIEM, CSPM, CWPP, CASB and secrets management etc.

• Threat Awareness: Ability to map technical controls to the MITRE ATT&CK framework to ensure defensive coverage.

• Offensive Security: Proficiency in manual and automated testing tools; deep understanding of the MITRE ATT&CK framework and common TTPs.

• Certifications: Professional certifications such as CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), CISSP, OSCP or OSWE (Offensive Security Web Expert) are highly preferred.

Soft Skills

• Strategic Influence: Ability to educate and persuade senior stakeholders (CIOs/Project Owners) on the importance of rigorous risk governance.

• Critical Thinking: Ability to look past surface-level audit compliance to find and fix underlying systemic issues.

• Lifelong Learner: A genuine passion for staying updated on the latest security technologies and evolving cyber threat landscapes.

• Risk Articulation: Exceptional ability to "translate" deep technical issues (e.g., zero-day vulnerabilities, configuration drifts) into business risk for non-technical senior executives.

Other Requirements

• This role is open to Singaporeans Only

We are an equal opportunity employer and value diversity at our company as we believe that diversity is meaningful to innovation. Our employee benefits are based on a total rewards approach, offering a holistic and market-competitive suite of perks. This includes generous leave benefits to meet your work-life needs. We trust that you will get the job done wherever you are, and whatever works best for you – so work from home or take a break to exercise if you need to*. We also believe it’s important for you to keep honing your craft in the constantly-evolving tech landscape, so we provide and support a plethora of in-house and external learning and development opportunities all year round.
 
Subject to the nature of your job role that might require you to be onsite during fixed hours.