Security Architect

Security Architect – Governance, Risk, and Compliance & Platform Security

As a Security Architect, you will be responsible for defining and governing our enterprise security framework across a multi-cloud environment spanning GCP and Tencent Cloud.

This role focuses on security architecture, regulatory compliance, proactive monitoring design, and audit readiness, rather than day‑to‑day cloud operations. You will guide engineering and infrastructure teams on what must be built and why, ensuring security controls align with ISO 27001 and regional regulatory requirements across China and South‑East Asia.

You will act as the bridge between compliance, security design, and engineering execution, ensuring security is embedded into platforms and applications by default.

• Define a centralized security monitoring and alerting architecture across GCP, Tencent Cloud, and Cloudflare.
• Specify log sources, retention policies, and alerting standards to ensure real‑time visibility into security events.
• Design threat detection use cases and “tripwires”, such as:
• Unauthorized MongoDB data access or exports
• Brute‑force or abuse patterns on Java/Spring Boot APIs
• Privileged access or IAM changes in Tencent Cloud
• Work with DevOps and SRE teams to ensure monitoring controls are implemented, tested, and continuously improved.

• Define and document security architecture blueprints and policies for applications and platforms operating across multiple regions.
• Establish identity, access control, and network isolation standards, ensuring least‑privilege and segregation of duties.
• Define data protection requirements, including encryption at rest and in transit, secure key management, and access auditing for MongoDB.
• Specify defense‑in‑depth requirements, including expectations for Cloudflare (WAF, Zero Trust, DDoS) and application‑level security controls.
• Review solution designs and provide security sign‑off for new initiatives and major changes.

• Define security requirements for Secure SDLC, including SAST/DAST expectations within CI/CD pipelines.
• Establish vulnerability severity criteria and remediation SLAs aligned with risk and regulatory impact.
• Ensure application security standards address OWASP Top 10 risks for Java/Spring Boot services.
• Partner with engineering teams to ensure security findings are tracked, resolved, and verified.

• Lead the technical interpretation and implementation of ISO 27001 controls, acting as the primary security architecture point of contact.
• Translate regulatory requirements into practical technical and monitoring controls.
• Maintain continuous audit readiness by defining automated evidence collection for:
• Access reviews
• Logging and monitoring
• Vulnerability scans
• Configuration compliance
• Support internal and external audits with clear, well‑documented security evidence.

• Provide security guidance aligned with China’s regulatory frameworks (e.g., MLPS 2.0, data localization requirements).
• Advise teams on South‑East Asia regulatory considerations, such as:
• Malaysia (PDPA)
• Thailand (PDPA)
• Ensure cross‑border data access and storage designs are reviewed for regulatory impact and compliance risk.
• Work with legal, compliance, and product teams to ensure security architecture supports regional expansion.

• 3–4 years of experience in Security Architecture, Security Engineering, GRC, or Cloud Security Governance roles.

• Strong understanding of Java/Spring Boot security concepts and OWASP Top 10 risks.
• Knowledge of MongoDB security controls, including RBAC, TLS, encryption, and audit logging.

• Experience designing or governing SIEM / log management solutions (e.g., ELK, Datadog, or cloud‑native tools).
• Familiarity with Cloudflare security capabilities (WAF, Zero Trust, DDoS), from a design and governance perspective.

• Working knowledge of ISO 27001 and how to translate controls into technical and operational requirements.
• Awareness of China and South‑East Asia data protection and cybersecurity regulations and their impact on system design.

• Clear, enforceable security standards adopted across engineering teams.
• Proactive detection of security risks through well‑defined monitoring and alerting.
• Strong alignment between security architecture and regional regulatory requirements.
• Audit‑ready posture for ISO 27001 with minimal manual effort.
• Security viewed as an enabler, not a blocker, by product and engineering teams.