PayNet (Payments Network Malaysia)

Principal Specialist, Cyber & Technology Risk (Cloud & Third Party Risk Management)

  • Posted 16 hours ago

Job Description

About PayNet: At PayNet, your work doesn't just move money, it moves a nation.

We make every payment count toward Malaysians' shared prosperity by powering the platforms millions use every day, from DuitNow and FPX to MyDebit and JomPAY. Our systems keep Malaysia's digital economy running securely, seamlessly, and inclusively, whether you're tapping, transferring, paying bills, or expanding a business. If you're excited about creating impact at a national scale and shaping how Malaysia pays, connects, and progresses, you'll fit right in.

About the Risk & Compliance Division: The Risk & Compliance Division provides independent oversight to safeguard PayNet's operations, resilience, and regulatory standing. The Division establishes and maintains enterprise‑wide risk and compliance frameworks to ensure risks are proactively identified, assessed, monitored, and managed in line with PayNet's strategy, Board‑approved risk appetite, and regulatory expectations.

Summary of responsibility: As a Principal Specialist, Cyber & Technology Risk, you will support the implementation and enhancement of third‑party risk and cloud security governance by identifying, assessing, and managing cyber and technology risks across vendors and cloud environments, ensuring regulatory compliance, informed risk‑based decision‑making, and effective reporting to Management and the relevant committees.

Key Responsibilities

  • Lead the implementation and maintenance of a robust cloud security governance framework by defining and implementing clear roles, responsibilities, policies, and controls to enable secure cloud adoption and operations, while ensuring alignment with PayNet's business objectives, regulatory requirements, and industry best practices.
  • Conduct comprehensive cyber and technology risk reviews with a strong focus on Cloud Risk Assessments (CRA), including evaluation of IaaS, PaaS, and SaaS environments to identify misconfigurations, assess compliance with internal security policies and standards, recommend appropriate risk mitigation measures, and monitor emerging cloud-related threats to strengthen cloud security resilience.
  • Lead the development and implementation of third‑party risk management processes, including criticality assessment, risk assessments, and ongoing oversight of third parties.
  • Conduct comprehensive cyber, technology, IT compliance, and relevant risk assessments on third parties to identify key risk exposures and control gaps.
  • Perform detailed third‑party due diligence, including assessment of security posture, financial viability, regulatory and industry standard compliance, and operational effectiveness.
  • Maintain an up‑to‑date inventory of critical third parties, including tracking of remediation actions, risk treatment plans, and improvement initiatives.
  • Conduct periodic monitoring and reporting of critical third‑party risks to senior management and ensure appropriate security and risk‑related clauses are incorporated into third‑party contracts.
  • Lead or support the management and Board-level reporting on cloud-related and third-party related risks, including consolidation of key risk exposures, assessment outcomes, control effectiveness, and remediation status, to enable informed risk-based decision‑making and ongoing oversight.

What will make you successful

  • Degree in Information Technology (IT), Computer Science, Cyber Security or other related disciplines with relevant experience in managing cyber and technology risk in financial market infrastructures, critical national infrastructure, military, security intelligence or equivalent.
  • 8 to 10 years of cyber and technology governance, risk and compliance or information security experience.
  • Experience in various regulatory requirements such as BNM RMiT, ISO27001, MAS Technology Risk Management Guidelines, National Institute of Standards and Technology (NIST), Centre for Internet Security (CIS), FMI Cyber Resilience Guidelines or equivalent.
  • Strong critical and analytical thinking skills, with the ability to communicate risk clearly and collaborate effectively with stakeholders.

Advantage To Have

  • Relevant professional certifications such as CISA, CISM, ISO/IEC 27001 Lead Auditor, or equivalent would be an advantage.
  • Strong understanding of end-to-end cybersecurity and technology operations, and how technology interfaces with business functions, risk management, compliance processes, and IT security.
  • Fluency in both written and spoken English is required for this position.
  • Thorough understanding of end-to-end IT operations and how IT interfaces with business, risk management and compliance processes and cyber security.

More Info

Job ID: 146443453