Assistant Director - Digital Services & Technology Office

Ngee Ann Polytechnic, Clementi Campus, Singapore


[What the role is]

The Agency Chief Security Information Officer (ACISO) needs to have familiarity with Cybersecurity Governance, Operations, Engineering and Testing in on-premises and major cloud platforms (e.g., AWS, Azure, and GCP) and their security features, ensuring security is well-considered and uplifted in the Polytechnic’s ICT and digitalisation transformation matters.

The ACISO will lead all aspects of infocomm security management by planning, refining, recommending, and implementing strategies, policies, and globally accepted practices aligned with the regulatory requirements.

This is a 2-year contract position with the Digital Services & Technology Office.

[What you will be working on]

Reporting to the Polytechnic’s Deputy Chief Information Officer (DCIO), you will collaborate with various stakeholders including Ministry Family CISO (MCISO), GovTech HQ teams, Agency management teams, Agency project teams, and outsourced vendors.

Your responsibilities will include, but are not limited to, the following:

• Lead the formulation of cybersecurity strategies and work plan, policies, standards, and guidelines, supporting Ngee Ann Polytechnic’s digitalisation planning and aligning with Ministry Family (MF) strategic goals and policy baselines.

• Ensure the formulated Agency ICT security policies remain aligned with the Ministry Family’s (MF’s) ICT security strategy goals with regular gap analysis performed.

• Assist the management in overseeing ICT security matters, such as approving and tracking ICT security work plan and resourcing, monitoring performance in security indicators, and risk acceptance decisions.

• Govern the security posture of Ngee Ann Polytechnic by maintaining full visibility of all ICT systems (Assets) across different operating environments, the systems’ security design, implementation, and operations through regular reviews.

• Implement cybersecurity risk assessment and acceptance processes at the management level. Review, provide consultation, and endorse risk management and mitigation plans from Ngee Ann Polytechnic’s project teams.

• Provide advisory and consultancy on the appropriate cybersecurity solutions and technologies to be deployed, suitable to Ngee Ann Polytechnic’s business operations and aligned with WOG-wide advisories and practices.

• Ensure that Ngee Ann Polytechnic's secure ICT development life cycle complies with the security policies, and that security control implementations comply with the defined security policies, standards, and guidelines.

• Design and implement end-user security awareness programmes and establish defined processes for Threat and Incident Management.

• Plan, design, and conduct security incident response workshops and exercises (table-top exercises, simulation, and drills) and lead the investigation and management of ICT security incidents.

[What we are looking for]

• Relevant qualifications in Computer Science, Information Systems, Engineering or a related technology-based education. Good interpersonal and partner/executive leadership skills.

• Ability to work with multi-functional, multi-disciplined teams to formulate and institute real-time awareness of security posture and baseline among end users.

• Possess knowledge or experience in Infrastructure as Code (IaC) tools such as Terraform and Ansible, including their application in maintaining and automating secure on-premises and cloud environments.

• Identify on-premises and cloud-specific cybersecurity risks and threats, and demonstrate the skills to thoroughly assess their impact and likelihood. This assessment encompasses, but is not limited to, insider threats, vendor risks, data leakage, malware including ransomware, account hijacking, and compliance risks.

• Display competence in evaluating the effectiveness of existing controls and recommending appropriate mitigation strategies for on-premises and cloud-related cybersecurity and data security issues.

• Exhibit a strong understanding of compliance requirements and the ability to identify potential violations in on-premises or cloud environments.

• At least 5-8 years of management experience related to information security and a solid grasp of ICT operations, security policies, business processes and the relationship between them.

• Certifications (e.g., CISSP, CISM, CISA) are encouraged and demonstrate continuous learning and intake of standard methodologies applicable for this role.

• We believe in being Agile, Bold and Collaborative, and are looking for people who identify with these values.


Tags: Agile Ansible AWS Azure CISA CISM CISO CISSP Cloud Compliance Computer Science GCP Governance Incident response Monitoring Risk assessment Risk management Security strategy Strategy Terraform

Perks/benefits: Career development

Region: Asia/Pacific
Country: Singapore
