
Chief Information Security Officer

SBS Transit Ltd

Singapore

On-site

SGD 150,000 - 200,000

Full time

11 days ago

Job summary

A leading transit company in Singapore is seeking a Chief Information Security Officer to develop and implement cybersecurity strategies, oversee security operations, and manage a high-performing cybersecurity team. The ideal candidate will have over 10 years of experience in cybersecurity, strong leadership skills, and relevant qualifications. This position offers competitive compensation and opportunities for professional growth.

Qualifications

  • Minimum 10 years of relevant experience in cybersecurity and risk governance.
  • Professional certifications such as CISSP, CISM, CISA are preferred.
  • Experience in managing large-scale IT/OT security operations.

Responsibilities

  • Develop and lead global information and cyber security strategy.
  • Advise executive leadership on cyber risk posture and emerging threats.
  • Oversee security operations, managing vulnerability and incident response.

Skills

Excellent communication
Strategic and analytical thinking
Knowledge of cybersecurity practices
Experience managing complex budgets
Ability to drive cultural change

Education

Bachelor's or Master’s degree in Cybersecurity or related field

Tools

NIST
ISO 27001
IEC 62443

Job description

Chief Information Security Officer

Duties and Responsibilities

  1. Develop and lead the global information and cyber security strategy, ensuring alignment with overall enterprise goals and digital transformation initiatives.
  2. Advise executive leadership and the board on cyber risk posture, emerging threats, regulatory trends, and strategic investment decisions.
  3. Establish and maintain a comprehensive cybersecurity governance framework, including policies, standards, and architecture (e.g., NIST, ISO 27001, IEC 62443).
  4. Drive enterprise-wide risk management through regular assessments, audits, and controls, ensuring compliance with internal policies and external regulations (e.g., Singapore Cybersecurity Act, PDPA, CSA CCOP).
  5. Integrate cybersecurity strategy with enterprise IT and product development, embedding "security by design" into products, services, and digital platforms.
  6. Oversee the security operations function, including vulnerability management, threat detection, incident response, and recovery planning.
  7. Be accountable for the overall information security posture across IT and OT environments, ensuring proactive protection and resilience.
  8. Manage cybersecurity budgeting and investments (OPEX/CAPEX), aligning expenditures with strategic objectives and measurable outcomes.
  9. Develop and lead security awareness and training programs, fostering a risk-aware culture across all levels of the organisation.
  10. Plan and conduct regular incident response exercises, including tabletop and simulation drills to enhance preparedness and response coordination.
  11. Oversee assessments of both IT and OT environments, ensuring timely mitigation of vulnerabilities and alignment with operational risk tolerance.
  12. Establish cybersecurity metrics and reporting dashboards, providing regular updates to executive stakeholders on performance, risk, and maturity.
  13. Build, lead, and develop a high-performing cybersecurity team, ensuring succession planning, talent development, and organisational capability growth.
  14. Ensure effective vendor and third-party risk management, including due diligence, contract security terms, and ongoing performance oversight.

Knowledge & Skills

  • Excellent communication and executive presence, with the ability to engage senior stakeholders, regulators, and board members.
  • Demonstrated ability to build and lead matrixed teams and influence across diverse stakeholder groups, including vendors and external partners.
  • Strong knowledge of international and local regulations and frameworks (e.g., ISO 27001, NIST, IEC 62443, GDPR, PDPA, LTA CP8).
  • Proven ability to drive cultural change, embed cybersecurity into business processes, and lead digital risk transformation.
  • Strategic and analytical thinking with a pragmatic approach to problem-solving and execution.
  • Business acumen and deep understanding of sector-specific risks and operational realities.
  • Experience managing complex budgets, with familiarity in show-back and chargeback models.
  • Knowledge of modern cybersecurity practices such as Zero Trust, DevSecOps, and Secure SDLC.
  • Continuous learner with an awareness of emerging technologies and threat intelligence.

Qualifications

  • Bachelor's or Master’s degree in Cybersecurity, Computer Science, Engineering, Information Systems, or related field.
  • Minimum 10 years of relevant experience, including leadership in cybersecurity, risk, governance, and operational technology environments.
  • Professional certifications such as CISSP, CISM, CISA, or CRISC are preferred.
  • Demonstrated experience managing large-scale IT/OT security operations and supporting mission-critical environments.
  • Experience leading high-performing teams, including management of managers.
  • Proven success operating in complex, fast-changing environments with ambiguity and evolving threats.