Prometric

Client Security Program Manager

  • Posted a day ago

Job Description

Title : Client Security Program Manager

Reporting to : SVP Risk and Compliance

Location : Kuala Lumpur, Malaysia

Position Summary

The Client Security Program Manager is responsible for providing dedicated security program leadership for a high‑stakes client engagement with very low tolerance for risk. This role ensures security expectations are met consistently across global delivery environments, including permanent operational sites and temporary/pop‑up locations. The position acts as the single point of accountability for coordinating security activities spanning physical/operational security and cybersecurity, ensuring cohesive execution, clear communication, and proactive risk management.

This role is not a purely technical cybersecurity role or a purely physical security role. It is a program leadership and assurance role that integrates stakeholders, drives actions to closure, and improves the client's confidence in security outcomes.

Key Responsibilities

1) Client Security Partnership & Stakeholder Management

  • Serve as the primary security interface for a designated client engagement, building trust through consistency, transparency, and clear follow‑through.
  • Establish structured engagement routines (e.g., security governance calls, quarterly program reviews) to align on expectations and surface issues early.
  • Translate client security concerns into actionable workstreams and ensure the right internal teams are engaged without unnecessary handoffs.
  • Maintain stakeholder alignment across business owners, operations leaders, technology teams, and security teams by providing a single, cohesive view of security posture, priorities, and progress.

This client expects security to be managed with the same rigor as a regulated program with strong controls, reliable execution, and a confident point of contact who can drive outcomes.

2) Security Program Governance & Assurance

  • Create and manage the security program plan for the client: scope, objectives, milestones, metrics, and reporting cadence.
  • Provide executive‑ready reporting on security posture and trends, including risks, incidents, corrective actions, audit outcomes, and readiness activities.
  • Ensure security requirements are documented, traceable, and operationalized across multiple regions and delivery models.
  • Drive program discipline: agenda management, action tracking, decision logs, and escalation paths.

A low‑risk‑tolerance client measures security maturity by governance quality as much as by control design.

3) Physical & Operational Security Oversight (Delivery Environment Focus)

  • Coordinate security practices and standards for physical environments where services are delivered (e.g., DVR / CCTV network, biometric equipment, access controls, monitoring, incident reporting, evidence handling).
  • Partner with operational leaders to ensure security controls are executed consistently and staff are enabled to follow procedures under real‑world conditions.
  • Identify recurring operational risks and close the loop via corrective action plans, training reinforcement, and targeted site interventions.
  • Support investigations tied to physical environments (as applicable), ensuring clear documentation, structured findings, and prevention‑focused remediation.

In distributed and temporary environments, the biggest risk often comes from inconsistent execution, not missing policy.

4) Cybersecurity & Technology Security Coordination

  • Coordinate cybersecurity topics relevant to the client engagement (e.g., monitoring/logging expectations, access management, platform security posture, evidence retention).
  • Act as the security translator between client expectations and internal technical teams—ensuring requirements are understood, prioritized, and implemented.
  • Track and manage security‑impacting technology changes that could affect client confidence, and ensure security review occurs at the right time.
  • Support incident response coordination for security events that include cyber components, ensuring clear communication, accurate status reporting, and post‑incident corrective action follow‑through.

Clients evaluate security holistically — technology controls must align with operational realities and assurance needs.

5) Risk Management, Incident Readiness & Continuous Improvement

  • Maintain a client‑specific risk view (risk register or equivalent), including severity, mitigations, owners, timelines, and residual risk acceptance decisions.
  • Proactively identify trends across incidents, audits, and operational observations; recommend changes that reduce recurrence and strengthen deterrence.
  • Support readiness for client reviews, audits, and assurance requests by ensuring evidence is available, consistent, and easily explainable.
  • Build repeatable playbooks for high‑frequency issues (e.g., incident communications, evidence collection, escalation triggers, corrective action tracking).

Low‑tolerance clients want fewer surprises. This role reduces surprises by making risk visible and managed.

Required Qualifications

Experience & Domain Background

  • 7+ years of experience in one or more of the following areas: security program management, security operations, operational risk, compliance/assurance, or client‑facing security roles.

Context: This role requires enough experience to independently drive cross‑functional security outcomes and to engage confidently with senior client stakeholders.

  • Demonstrated experience supporting a high‑stakes or low‑risk‑tolerance environment (regulated industry, high integrity programs, safety/security‑critical services, or high‑visibility client engagements).

Context: The client will expect high rigor, structured reporting, and rapid escalation when needed.

Program & Coordination Skills

  • Proven ability to lead across multiple teams without direct authority, using influence, clarity, and follow‑through to drive work to closure.

Context: Success depends on orchestration - pulling together physical operations, technology, cybersecurity, and assurance functions.

  • Strong program management capability, including governance routines, metrics, action tracking, escalation management, and executive reporting.

Context: This is an accountability role; you will be measured on outcomes and predictability.

Security Knowledge (Balanced Physical + Cyber)

  • Strong understanding of physical/operational security concepts (control execution, investigations support, procedural compliance, site risk, staff enablement).

Context: Much of the real risk in distributed delivery environments is operational and human‑process driven.

  • Working knowledge of cybersecurity fundamentals (access control concepts, logging/monitoring, incident response lifecycle, security requirements translation).

Context: You don't need to be a hands‑on technical engineer, but you must be able to coordinate cyber stakeholders and speak credibly to risk and assurance.

Communication & Client Presence

  • Excellent written and verbal communication skills, including the ability to produce client‑ready updates, risk summaries, and executive‑level briefings.

Context: The role must convey confidence, precision, and transparency—especially during incidents.

Preferred Qualifications

  • Experience in distributed global operations, multi‑site delivery models, or temporary/pop‑up operational environments.
  • Familiarity with governance and service management frameworks (e.g., COBIT, ITIL/IT Service Management, risk frameworks, audit readiness).
  • Experience supporting investigations, evidence management, or audit response coordination.
  • Relevant certifications (nice to have): CISM, CRISC, PMP, ITIL Foundation (or comparable).

Key Competencies

  • Ownership mindset and accountability
  • Risk‑based decision making and prioritization
  • Stakeholder management and diplomacy under pressure
  • Structured communication and executive presence
  • Operational judgment and attention to detail
  • Continuous improvement and resilience

What Success Looks Like (6–12 months)

  • A stable governance cadence exists with clear reporting and measurable improvement.
  • Reduced friction and faster security response times for client questions and events.
  • Visible reduction in repeat issues through corrective actions and trend‑driven improvements.
  • Stronger alignment between physical/operational security and cyber/technology controls, expressed as a single coherent program.

Job ID: 147808361