Job Description

Role Mission: 

Reporting to the Chief Technology Officer, the role plays a pivotal role in ensuring the organization's adherence to regulatory and internal policies, managing risk, and maintaining a robust governance framework.

Accountabilities: 

As a 1LoD Cyber Risk Specialist, you will be the dedicated technical partner for Business Unit Heads (Risk Owners) and Technical Leads (Control Owners). Your responsibility is to translate complex cyber threats into business impact, manage the system development lifecycle of security controls, and ensure full compliance with StarHub policies and Singaporean regulatory frameworks (IMDA TCS/BCS, CSA CCoP 2.0)

Short Description

Responsibilities 

Risk & Control Ownership Support

• Advisory to Risk Owners: Assist Business Unit Heads in overseeing the security posture of critical assets. Translate technical vulnerabilities into "Business Impact" language to facilitate informed risk acceptance.
• Control Lifecycle Management: Act on behalf of Control Owners to design, implement, and document the technologies required to mitigate risks.
•  Execution Oversight: Coordinate with Control Performers (Support Teams) to ensure daily security activities are executed according to defined standards.
• Documentation: Maintain formalized standard operating procedures and plans that align with StarHub’s Information Security policies and national requirements.

Operational Cyber Risk Management

• Threat Modelling: Lead threat modelling sessions during the design phase of new systems or infrastructure changes to identify attack vectors before they go live.
• Risk Assessments: Execute cyber risk assessments on identified gaps and vulnerabilities  — through security deviations, operational activities (including but not limited to vulnerability scans, penetration testing, and security events),  external threats, or audit findings — to qualify the risk posed to IT and Operational environments. 
• Remediation Strategy: Propose risk mitigation/treatment strategies (in the context of cybersecurity- corrective action/remediation plans and proposed security controls – Directive, Deterrence, Preventive, Detective, Corrective, and Compensating) to remediate identified gaps and vulnerabilities and maintain compliance with the Starhub Information security policies, standards and Singapore's national/sectoral requirements (e.g., CSA/IMDA).
• Transparency: Provide Risk Owners with operational impact assessments, ensuring they understand potential service disruptions before accepting the residual risks.
• Continuous Monitoring: Track and report on the status of remediation plans to ensure they are completed within agreed-upon timelines.

Compliance (Audit & Assessment) Management 

• Collaborate with ISO to facilitate the end-to-end audit & assessment process (including but not limited to CII audits, Starhub control Self-assessment, or any ad-hoc assessment / testing). You will take the lead in ensuring Risk and Control Owners meet audit milestones and deadlines
• Support the selection and appointment of auditors, providing consultation on fees and operational feasibility. 
• Develop and execute a comprehensive audit plan—including scope, resource allocation, and budgeting—to verify that Starhub’s systems, infrastructure, and operations are resilient and fully compliant with all internal policies and regulatory requirements.
• Take responsibility for the collection and verification of technical evidence (Request for information such as logs, screenshots, configurations). Ensure all artefacts are accurate, reflect the current state of critical assets, and meet the ISO’s standards before submission.
• Collaborate with Risk and Control Owners to develop technically sound and operationally viable remediation plans for draft audit & assessment findings. This involves providing the necessary technical context to justify management’s response and ensuring that the proposed remediation actions are both effective and achievable within the business environment.

Qualifications

Requirements 

• Degree in Information Technology, Cybersecurity or related field.

• 5–7 years' experience, preferably in Telecommunications sector with understanding of service risk and impact, SLAs, network, knowledge of balancing service delivery vs cyber risks and able to balance availability and cyber resilience.

• Certified Information Systems Auditor (CISA), Certificate of Cloud Auditing Knowledge (CCAK) or equivalent, ISC2 or SSCP/CISSP. 

• Hands-on experience supporting ISO 20000, 22301 and/or ISO 27001 equivalent is advantageous.

• Good to have:

• Knowledge of compliance frameworks and regulatory requirements (NIST, ISO 27001, Cybersecurity Act, Personal Data Protection Act, Payment Card Industry Data Security Standard, IMDA Code of Practice for Broadcasting & Telecommunications, etc).
• Knowledge in host configuration review/hardening according to CIS or similar standards
• Experience in cloud and operational technology environments and / or critical information infrastructures.
• Experience in using tools eg Tenable Nessus and similar tools will be essential