Purpose of the role
You are the person who ensures the right workforce has the right access to the right resources.
You own our Identity & Access Management (IAM), Privileged Access Management (PAM) and workforce security capabilities. You will drive an identity-first, Zero Trust model across on‑prem, cloud and SaaS environments, and lead major IAM/PAM uplift projects that are central to our cyber‑resilience and CSA Cyber Trust Mark ambitions.
This role reports to the Lead, Cyber Defence & Resilience and is a critical counterpart to our Cyber Fusion, Exposure & Vulnerability Management and Digital Trust teams.
Scope of the role
In this role, you will be responsible for the strategy, architecture, implementation and ongoing effectiveness of identity and workforce security across:
- Identities & Accounts - Employees, contractors, vendors, service accounts and application identities across multiple directories and HR systems
- Access Control - Role‑based access (RBAC), attribute‑based access (ABAC), segregation of duties (SoD), and entitlements for business and privileged users
- IAM Platforms - Enterprise IAM solutions (e.g. SailPoint, Saviynt, Oracle IAM, Azure AD / Entra ID, Okta or similar) covering identity lifecycle, SSO and federation
- PAM Platforms - CyberArk or equivalent vaulting and session‑monitoring solutions for privileged and sensitive accounts
- Processes & Governance - Joiner‑mover‑leaver (JML), recertification, access reviews, break‑glass processes and exception handling
- Zero Trust & Workforce Security - MFA, adaptive authentication, conditional access, device and contextual signals that underpin an identity‑centric security model
You will work closely with:
- HR, IT Operations, Application Owners, Cloud Engineering and Enterprise Architecture
- Cyber Fusion / SOC (for identity‑related monitoring & response) and Exposure & Vulnerability Management
- Internal Audit, Risk & Compliance and external regulators in demonstrating effective access governance
Responsibilities
- Strategy & Target Operating Model
  - Define and maintain the Workforce & Identity Security strategy and roadmap, aligned with Cyber Defence & Resilience, Zero Trust and CSA Cyber Trust Mark requirements
  - Design the target operating model for IAM & PAM: roles and responsibilities, RACI, processes, tooling and integration patterns
  - Translate business and regulatory requirements into clear identity control objectives and practical implementation plans
- Architecture, Design & Technology Ownership
  - Own the end‑to‑end IAM & PAM architecture, including directories, identity stores, SSO, federation, MFA, just‑in‑time provisioning and password‑less / adaptive authentication
  - Set architectural standards for integration of applications and systems into IAM/PAM platforms (e.g. connectors, APIs, SCIM, SAML/OIDC/OAuth, RADIUS)
  - Lead design and deployment of role and attribute models (RBAC/ABAC) that support least privilege while remaining maintainable and understandable
  - Ensure IAM/PAM designs support hybrid and multi‑cloud environments, remote work, and third‑party access scenarios
- Delivery of IAM/PAM & Zero Trust Programmes
  - Lead multi‑year IAM/PAM and identity‑first security uplift programmes, including re‑platforming or major expansion of IAM and PAM solutions
  - Manage full lifecycle of these programmes: requirements, design, build, test, migration, stabilisation and handover to BAU, using Agile or hybrid methodologies
  - Coordinate cross‑functional squads (security engineers, IAM developers, infra/AD teams, application owners, HR and business stakeholders) to deliver on time and within budget
  - Drive application onboarding at scale, including bulk integrations of business systems and cloud apps to SSO, MFA and PAM platforms
- Governance, Operations & Continuous Improvement
  - Own and continuously improve JML, access request/approval, recertification and SoD processes, ensuring efficiency and strong control
  - Oversee access governance reporting and dashboards - who has access to what, where risk hotspots exist, and progress against remediation
  - Define and monitor KPIs/KRIs (e.g. orphan accounts, dormant privileged accounts, recertification completion, policy violations, number of manual exceptions)
  - Ensure operating procedures, runbooks, and playbooks are in place for identity lifecycle, privileged account management and emergency access
- Incident Management & Assurance
  - Serve as the senior escalation point for identity‑related incidents, including compromised credentials, abuse of privilege or IAM/PAM platform outages
  - Coordinate with the SOC and other teams to detect and respond to credential theft, lateral movement and anomalous access behaviour
  - Provide detailed evidence and explanations for internal and external audits, red‑team exercises, and regulatory inspections focused on access governance
  - Regularly validate that IAM/PAM controls meet or exceed expectations in NIST, ISO 27001 and Cyber Trust Mark control sets
- Leadership & Stakeholder Engagement
  - Act as a trusted advisor to senior business and technology leaders on identity, workforce and privileged access risks, presenting trade‑offs in business language
  - Drive user‑centric change management to improve security behaviours (e.g. MFA adoption, secure password practices, responsible use of privilege) without degrading productivity
Key Challenges You’ll Tackle
- Harmonising identity and access across legacy on‑prem systems, modern cloud platforms and diverse third‑party services
- Automating and simplifying controls to reduce manual work, while maintaining strong governance and auditability
- Balancing business demands for speed and convenience with robust enforcement of least privilege and SoD
Foundational Competencies
You are expected to:
- Demonstrate strong strategic thinking, able to articulate an identity‑first security vision and translate it into a pragmatic roadmap
- Influence and negotiate at senior levels, resolving tensions between security, usability and delivery timelines
- Lead complex programmes and cross‑functional teams, using structured planning, risk management and communication
- Communicate clearly with both technical and non‑technical audiences, including EXCO, audit and regulators
Functional Competencies
You bring deep, hands‑on experience in several of these areas:
- Identity & Access Management (IAM)
  - Design and implementation of enterprise IAM platforms (e.g. Oracle IAM, SailPoint, Saviynt, Okta, Azure AD/Entra ID, Ping Identity or similar)
  - Integration of applications using SAML, OAuth2/OIDC, SCIM, REST APIs, flat files and HR connectors (e.g. Workday, SAP, Oracle HR)
  - Directory services and identity stores (Active Directory, LDAP, cloud directories), including schema design and group/role models
  - Implementation of SSO, MFA, adaptive/conditional access and self‑service identity features (e.g. self‑service password reset, access requests)
- Privileged Access Management (PAM)
  - Deployment and operation of PAM platforms such as CyberArk or equivalent - vaults, connectors, credential rotation, session recording and just‑in‑time access
  - Onboarding and management of privileged accounts across Windows, Unix/Linux, databases, network devices, applications and cloud platforms
  - Design of break‑glass procedures, privileged account review processes and integration with SIEM/SOC tooling
- Access Governance & Zero Trust
  - Defining RBAC/ABAC models, SoD rules and recertification processes for large user populations
  - Implementing Zero Trust / identity‑centric security principles in hybrid environments (device posture, identity strength, network and app signals)
  - Understanding of and ability to apply frameworks such as NIST CSF, ISO 27001, CSA Cyber Trust Mark, MAS TRM and PDPA to identity controls
Qualifications
- Degree in Information Systems, Computer Science, Cybersecurity, Engineering or related discipline; or equivalent industry experience
- Relevant certifications are advantageous, e.g. CISSP, CISM, CCSP, vendor IAM/PAM certifications (Okta, CyberArk, SailPoint/Saviynt, Azure AD/Entra)
- Typically, 10+ years in security, identity management or infrastructure engineering, including substantial hands‑on IAM/PAM experience
- Proven track record designing and implementing enterprise IAM and/or PAM solutions in complex, hybrid environments (preferably including cloud)
- Experience leading multi‑project IAM programmes - such as SSO rollouts, IAM re‑platforming, large‑scale application onboarding or PAM migration - from design through to operations
- Familiarity with Singapore’s regulatory environment (MAS, CSA, PDPA) and experience contributing to audits, assessments or certifications (e.g. Cyber Trust Mark, ISO 27001) is highly valued