About the Team:
The Compliance and Risk Management team ensures that Shopee complies with applicable regulations and is primed for success with the right checks and balances while safeguarding the interests of our stakeholders in an inclusive and sustainable digital ecosystem. The team manages potential risks to the company's operations and reputation through risk assessments, internal fraud control, employee training as well as the implementation of information technology policy and cyber security tools.
About the Role:
As a Senior Information Security Specialist at ShopeePay & Monee Malaysia, you will play a key role in safeguarding our digital assets, information systems and data. You will leverage your extensive information security/cybersecurity experience to develop, implement and manage robust security strategies, policies, and controls. This role involves leading security risk assessments, providing expert technical guidance and overseeing the incident response process to maintain a strong security posture and ensure compliance with regulatory requirements.
Job Description:
Security Strategy & Governance
- Lead the development, implementation, and maintenance of a comprehensive information security framework, policies, procedures, and guidelines.
- Ensure that the organization's security posture aligns with compliance requirements (e.g., NIST CSF, ISO 27001, BNM RMiT/MCIPD, Cyber Security Act, SC TRM, PDPA, SOC 2, etc.).
- Review and endorse IT and cybersecurity risk assessments, risk acceptances and technology Key Risk Indicators (KRIs).
- Provide information security guidance to business and cross-functional teams.
- Coordinate and complete regulatory/compliance posture reporting for technology matters to the related management and Board committees.
- Conduct holistic security risk assessments, audits, and gap analyses to identify gaps, vulnerabilities and potential threats to our systems and networks.
- Oversee and conduct penetration testing, vulnerability scanning, and security architecture reviews.
- Perform independent review and analysis of critical technology and cyber risks, and identify areas for improvement (e.g., network architecture design, Vulnerability Assessment and Penetration Testing (VAPT) findings).
- Recommend and manage the implementation of effective remediation strategies to mitigate identified risks, tracking them through to resolution.
IT Incident Response, Disaster Recovery & Operations
- Lead the information security incident response process, including investigation, containment, mitigation, and root cause analysis of security breaches and events.
- Serve as a technical Subject Matter Expert (SME) during legal, regulatory, or corporate investigations, ensuring proper collection, preservation, and chain of custody for digital evidence.
- Plan, lead, and report on regular, full-scale DR testing and simulation exercises, identifying gaps in the recovery procedures and working with infrastructure teams to remediate the gaps.
- Provide security advice on integrating security requirements into the DR process, ensuring that data and systems can be securely recovered at the designated site.
- Conduct Business Impact Analyses (BIA) and risk assessments from a security perspective to determine the criticality of systems and define appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- Prepare and submit detailed incident reports, translating complex technical details into clear business risks and recommended actions.
- Collaborate with IT, Infrastructure, Engineering, Security and Development teams (DevSecOps) to integrate security best practices into the System Development Lifecycle (SDLC) and secure system architecture.
- Provide expert technical advice and security requirements for new products, projects, systems, technologies and third-party engagements.
- Develop and deliver periodic security awareness training/learning programmes and communications to employees and stakeholders.
Requirements:
- Must possess relevant certifications in IT Risk and Cybersecurity, including at least one of the following (not limited to):
  - Certified in Cybersecurity (CC)
  - Certified Ethical Hacker (CEH)
  - Certified Information Systems Security Professional (CISSP)
  - Certified Information Security Manager (CISM)
  - Certified in Risk and Information Systems Control (CRISC)
  - Other relevant cybersecurity certifications
- Proven knowledge and experience in security architecture design, network security protocols, application security assessment, disaster recovery, cloud security and secure system design.
- Proven experience in designing and implementing security controls within on-premise and cloud environments.
- Hands-on proficiency with security tools and technologies (e.g., SIEM, DLP, IDS/IPS, EDR, APT and DDoS protection, etc.).
- Strong understanding of security governance, risk management, and regulatory frameworks (e.g., NIST CSF, ISO 27001, BNM RMiT/MCIPD, Cyber Security Act, SC TRM, PDPA, SOC 2, etc.).
- Exceptional analytical and problem-solving skills with a keen attention to detail.
- Strong verbal and written communication skills, with the ability to explain complex security issues to both technical and non-technical audiences.
- Demonstrated ability to lead projects, manage competing priorities, and drive continuous process improvement.
- Experience with digital forensics and malware analysis.
- Experience with scripting languages (e.g., Python, Bash, PowerShell) for security automation and task efficiency is a plus.
- Able to cover Cybersecurity, IT and Business Continuity risks for both ShopeePay and Monee Malaysia.