Summary
We are seeking a hands-on Security Engineer and GRC Specialist who blends deep technical expertise with risk management and regulatory compliance. This hybrid role involves implementing security controls, actively supporting security operations, and ensuring regulatory readiness across the organization. The ideal candidate can define a risk and compliance framework while also being deeply engaged in day-to-day engineering tasks, incident response, and continuous security improvement.
Key Responsibilities
Security Engineering
- Apply secure configuration baselines and hardening across operating systems, databases, and cloud environments.
- Automate security processes where possible to improve efficiency and reduce manual overhead.
- Support security and vulnerability assessments.
- Support IT teams in implementing patches.
- Support threat hunting, root cause analysis, and post-incident improvement efforts.
Risk, Compliance & Governance
- Identify and assess security risks associated with IT systems and develop strategies to mitigate these risks.
- Develop, document, and enforce security policies, standards, and procedures.
- Conduct risk assessments, implement risk mitigation measures, and monitor their effectiveness.
- Ensure compliance with frameworks and regulations such as NIS2, GDPR, ISO 27001, NIST, IEC 62443, and Chinese data and cybersecurity regulations.
- Perform vendor and third-party risk assessments.
- Support the implementation of business continuity, disaster recovery, and incident response plans.
Collaboration & Communication
- Act as a trusted advisor to internal teams on security best practices and secure solution design.
- Translate complex security topics into actionable guidance for both technical and business stakeholders.
Qualifications
- Bachelor’s degree in Information Security, Computer Science, or a related technical field.
- 8–12 years of cybersecurity experience, with both GRC and hands-on engineering background.
- Strong understanding of frameworks and regulations such as NIS2, GDPR, ISO 27001, NIST, and Chinese data and cybersecurity regulations.
- Strong working knowledge of regulatory compliance requirements in NIS2.
- Familiarity with GRC tools, data protection, and risk assessment methodologies.
- Working knowledge of Microsoft Azure, AWS, or OCI security services.
- Experience with tools such as SIEM, EDR, vulnerability scanners, and cloud-native controls will be an advantage.
- Knowledge of IAM concepts including SSO, MFA, PAM, and access reviews.
- Relevant certifications are a plus: CRISC, CISA, ISO/IEC 27001 Lead Auditor, or similar.
Key Competencies
- Technical Depth: Strong hands-on capability in engineering and cloud security.
- Strategic Vision: Ability to balance long-term design with immediate needs.
- Problem-Solving: Practical, results-driven approach to complex challenges.
- Communication: Clear, concise, and persuasive communicator across all levels.
- Adaptability: Stays ahead of threats, tech changes, and regulatory shifts.