Air Selangor

Assistant Vice President, Cybersecurity, Information Technology (Management)

  • Posted 17 hours ago

Job Description

JOB SUMMARY

This role provides independent oversight to ensure the organization's cybersecurity controls, policies, and practices are effective and compliant, with a particular focus on the Cybersecurity Act 2024 and other relevant regulations.

The role ensures that cybersecurity risks are identified, monitored, and mitigated, and that incident reporting, penetration testing, and simulation exercises are effectively conducted and aligned with regulatory and governance requirements. This position provides strategic oversight without performing operational security functions.

KEY DUTIES AND RESPONSIBILITIES

Cybersecurity Assurance

  • Conduct independent assessments to evaluate the design and effectiveness of cybersecurity controls across IT systems and processes.
  • Identify gaps or weaknesses in cybersecurity controls and recommend mitigation strategies.
  • Ensure cybersecurity policies and standards are effectively implemented across the organization.

Regulatory Compliance (Cybersecurity Act 2024)

  • Ensure organizational adherence to the Cybersecurity Act 2024 and related regulations.
  • Interpret requirements of the Act and provide guidance to IT and business teams for compliance.
  • Coordinate with regulators and internal audit on cybersecurity compliance reporting and assessments.
  • Prepare assurance reports demonstrating the organization's alignment with the Act's obligations.

Incident Reporting Oversight

  • Review cybersecurity incident reports prepared by the SOC or Incident Response Team for accuracy, completeness, and timeliness.
  • Provide independent assurance to CIO/CISO and Audit Committee that incident reporting processes meet regulatory requirements (Cybersecurity Act 2024).
  • Participate in post-incident reviews or lessons learned sessions to ensure controls and reporting processes are strengthened.

Audit & Regulatory Oversight

  • Plan, coordinate, and oversee cybersecurity audits as required under the Cybersecurity Act 2024.
  • Ensure audit findings are documented, reported, and addressed appropriately.
  • Provide assurance that IT systems, policies, and processes comply with the Act.
  • Collaborate with internal audit and external auditors to verify controls and risk mitigation.

Penetration Testing & Simulation Oversight

  • Oversee the planning, execution, and reporting of penetration tests conducted by IT Security/third-party vendors.
  • Ensure tests are aligned with regulatory, governance, and risk management requirements.
  • Monitor and validate remediation of findings from penetration testing.
  • Lead or coordinate simulation exercises and tabletop scenarios to test the effectiveness of cybersecurity policies, controls, and incident response procedures.
  • Provide independent assurance that the organization's cybersecurity resilience is tested and improved periodically.

Risk & Control Oversight

  • Assess cybersecurity risks and provide assurance that risk management processes are effective.
  • Track remediation of control deficiencies and verify proper implementation.

Independent Oversight & Reporting

  • Produce periodic assurance reports for regulators, management, and others.
  • Maintain awareness of emerging threats, standards, and regulatory changes affecting cybersecurity assurance.

Collaboration & Advisory

  • Work closely with IT Governance and Compliance Leads to align cybersecurity assurance with overall IT governance frameworks.
  • Support training and awareness programs by providing insights on regulatory requirements and control effectiveness.
  • Advise IT operations and business units on improving cybersecurity posture and regulatory compliance.

PERSON SPECIFICATION

Minimum Qualifications

  • University degree in Cybersecurity, IT, Information Systems or equivalent technical or professional qualification with several years of professional experience in a relevant field of activity.
  • 8-10 years of experience in cybersecurity assurance, IT audit, or risk management.

Knowledge, Skills and Abilities

  • Cybersecurity Expertise: Knowledge of cybersecurity frameworks (ISO 27001, NIST CSF, COBIT) and regulatory requirements including Cybersecurity Act 2024 and PDPA.
  • Audit & Assurance: Ability to plan, oversee, and review audits, penetration tests, and simulation exercises; evaluate controls and recommend improvements.
  • Risk & Analytical Skills: Identify, assess, and analyze cybersecurity risks, gaps, and trends; provide actionable recommendations.
  • Regulatory Knowledge: Ensure compliance with cybersecurity and data protection laws.
  • Communication & Collaboration: Excellent verbal and written communication; able to report to management, regulators, and boards; work effectively across IT, business, compliance, and audit teams.
  • Strategic Thinking & Leadership: Align cybersecurity assurance with business objectives; prioritize initiatives and provide independent oversight.
  • Personal Attributes: High integrity, detail-oriented, proactive, adaptable, and capable of critical thinking in complex environments.
  • Interpersonal Skills: Open-minded; able to operate within business organizations through social communication and interaction.
  • Listening Skills: Patient and attentive.
  • Public Relations Skills: Project and market a positive, proactive image of the team.

Job ID: 143889599
