'%3e%3cpath fill='%233D4245' d='M12.997 0H5.003A5.016 5.016 0 0 0 0 5.003v7.994C0 15.777 2.25 18 5.003 18h7.994A4.982 4.982 0 0 0 18 12.997V5.003A4.999 4.999 0 0 0 12.997 0'/%3e%3cpath fill='white' fill-rule='evenodd' d='M13.326 4.714a1.022 1.022 0 0 0-1.462 0L8.94 7.652 6.018 4.714a1.022 1.022 0 0 0-1.462 0 1.035 1.035 0 0 0 0 1.47L7.48 9.122l1.462 1.47 1.462-1.47 2.923-2.938c.408-.41.408-1.06 0-1.47m-.73 9.236a1.03 1.03 0 0 0 1.034-1.04V6.637l-2.068 2.078v4.195c0 .58.456 1.04 1.034 1.04m-7.36-.035a1.029 1.029 0 0 1-1.034-1.04V6.602L6.271 8.68v4.195c0 .58-.457 1.04-1.034 1.04' clip-rule='evenodd'/%3e%3c/g%3e%3cdefs%3e%3cclipPath id='a'%3e%3crect width='18' height='18' fill='white' rx='4.5'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath fill='black' d='M6.846 1.246h-.699a.194.194 0 0 0-.194.194v4.351c0 .107.087.194.194.194h.7a.194.194 0 0 0 .194-.194v-4.35a.194.194 0 0 0-.195-.195M5.153 4.9H3.269V1.44a.197.197 0 0 0-.196-.194h-.699a.195.195 0 0 0-.194.194v4.353c0 .106.086.194.194.194h2.779a.194.194 0 0 0 .194-.194v-.7a.194.194 0 0 0-.194-.194m10.39-2.564a.194.194 0 0 0 .195-.194v-.7a.195.195 0 0 0-.195-.195h-2.778a.194.194 0 0 0-.195.194v4.353c0 .106.086.194.195.194h2.778a.194.194 0 0 0 .195-.194v-.7a.195.195 0 0 0-.195-.194H13.66v-.738h1.883a.194.194 0 0 0 .195-.194v-.7a.195.195 0 0 0-.195-.194H13.66v-.738zm-3.905-1.088h-.699a.194.194 0 0 0-.194.194V3.96l-1.83-2.618c-.052-.073-.13-.095-.215-.095-.011-.002-.022 0-.033 0h-.7a.194.194 0 0 0-.194.194v4.352c0 .107.087.195.195.195h.699a.194.194 0 0 0 .194-.195v-2.63l1.909 2.73.022.026c.033.039.08.064.135.069h.713a.194.194 0 0 0 .194-.195V1.441a.195.195 0 0 0-.194-.194z'/%3e%3cpath fill='%2308BF5B' d='M15.79 7.574H2.22a.533.533 0 0 0-.533.533v8.115c0 .294.24.533.533.533h13.57a.533.533 0 0 0 .532-.533V8.107a.533.533 0 0 0-.533-.533'/%3e%3cpath fill='white' d='M6.967 11.154c0 .807-.649 1.456-1.486 1.456h-.636v1.19a.143.143 0 0 1-.143.143h-.684a.143.143 0 0 1-.143-.142V9.84c0-.078.064-.142.143-.142H5.48c.837 0 1.486.65 1.486 1.456zm-.97 0c0-.31-.218-.546-.516-.546h-.636V11.7h.636c.298 0 .516-.237.516-.545m4.577-.169v2.882a.076.076 0 0 1-.075.076H9.74a.075.075 0 0 1-.075-.076v-.21c-.2.23-.497.37-.903.37-.794 0-1.45-.697-1.45-1.6 0-.903.656-1.6 1.45-1.6.406 0 .704.14.903.37v-.21c0-.04.033-.075.075-.075h.759c.04 0 .075.033.075.075zm-.91 1.44c0-.454-.302-.739-.72-.739s-.72.285-.72.74c0 .454.302.74.72.74s.72-.286.72-.74m3.932-1.437-.698 1.758-.722-1.76a.126.126 0 0 0-.116-.078h-.774a.075.075 0 0 0-.07.104l1.204 2.935-.438 1.105a.076.076 0 0 0 .07.103h.774a.124.124 0 0 0 .116-.078l1.614-4.065a.076.076 0 0 0-.07-.104h-.774a.124.124 0 0 0-.116.079z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath id='a'%3e%3cpath fill='white' d='M1.68 1.246h14.635v15.508H1.68z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
What you do:
Security Governance, Policy & Control Design
- Design, implement, and evolve scalable security governance frameworks, including policies, standards, control objectives, and lifecycle management
- Translate regulatory, contractual, and internal requirements into practical, auditable security controls aligned with engineering and operational workflows
- Own control design, documentation, validation, review cadence, exception handling, risk acceptance, and deprecation
- Maintain alignment with external frameworks (e.g., ISO 27001, NIST, PCI DSS) while minimizing duplication and audit fatigue
Risk, Control Operations & Assurance
- Perform security risk assessments, control gap analyses, and governance reviews across systems, services, and third parties
- Design and maintain cross-framework control mappings and track control effectiveness, remediation progress, and risk decisions over time
- Support audits and assessments by producing clear, high-quality, and defensible evidence
- Operate governance workflows for exceptions, risk acceptance, periodic reviews, and renewals
Security Insights, Engineering Enablement & Collaboration
- Oversee governance implications of vulnerabilities across applications, cloud, identity, source code, and third-party dependencies
- Review findings from scans, penetration tests, audits, and incidents to assess root causes and drive governance or control improvements
- Ensure remediation, mitigation, or risk acceptance aligns with defined security standards and policies
- Partner closely with engineering and product teams to embed governance into SDLC, CI/CD, and cloud workflows, acting as a trusted advisor rather than an enforcer
What you need to succeed in this role:
- 5+ years of experience in security governance, risk, compliance, or a closely related security role, with demonstrated ownership of security controls, policies, and risk processes
- Proven experience designing and maintaining security policies, standards, and control frameworks
- Hands-on experience mapping and operating controls aligned with frameworks such as ISO 27001, NIST, PCI DSS, and relevant local regulatory requirements (e.g., BOT, AMLO)
- Experience performing risk assessments, control gap analyses, and risk treatment planning
- Demonstrated ability to support audits and regulatory assessments by producing high-quality, defensible evidence
- Experience operating exception, risk acceptance, and control deviation processes
- Practical understanding of security concepts across cloud, applications, identity, and third-party risk
- Experience partnering with technical teams to embed governance into SDLC, cloud, and operational workflows
It would be great if you have:
- Ability to clearly explain security controls in practical, non-theoretical terms, with strong judgment in balancing risk, usability, and business impact
- Proven track record of improving security governance maturity while minimizing friction in high-velocity, fast-evolving delivery environments
- Experience operating security governance in development-driven organizations, including SaaS, cloud-native platforms, and regulated industries such as financial services
- Confidence influencing engineering and product teams through clarity, trust, and credibility rather than authority
- Familiarity with governance and control processes, including evidence collection and GRC workflows, supported by relevant security or risk certifications (e.g., ISO 27001, CISSP, CISM, CRISC)