Lead, Cyber Engineering
SG
Job Description
Role Mission
Reporting to the Manager, Cyber Engineering, this role is central to ensuring the organization’s adherence to regulatory and internal policies, managing cyber risk, and maintaining a robust governance framework. The ideal candidate brings proven first-line GRC operations experience across critical telecom and enterprise environments, a track record of translating complex threats into business-impact language, and the ability to lead full-cycle audit delivery with minimal supervision.
Accountabilities:
As a 1.5LoD Cyber Risk Specialist, you will be the dedicated technical partner for Business Unit Heads (Risk Owners) and Technical Leads (Control Owners). Your responsibility is to understand and identify cyber threats impacting the business, manage the full lifecycle of security controls from design through operation, and ensure full compliance with StarHub policies and Singapore's regulatory frameworks (IMDA TCS/BCS, CSA CCoP 2.0). You will also provide specialist guidance on AI/LLM security risks as the organization expands its use of generative AI technologies.
Responsibilities
Risk & Control Ownership Support
• Advisory to Risk Owners: Assist Business Unit Heads in overseeing the security posture of critical assets. Translate technical vulnerabilities (CVSS, pen-test findings) into Business Impact narratives that enable informed risk acceptance and capex sign-off.
• Control Lifecycle Management: Act on behalf of Control Owners to design, implement, and document the technologies and safeguards (across the control types: Directive, Deterrent, Preventive, Detective, Corrective, Compensating) required to mitigate identified risks.
• Execution Oversight: Coordinate with Control Performers (Support Teams) to ensure daily security activities are executed according to defined standards and documented SOPs.
• Documentation: Maintain formalized standard operating procedures, runbooks, and plans aligned with StarHub’s Information Security policies, ISO/IEC 27001/20000/22301, and national/sectoral requirements.
Operational Cyber Risk Management
• Threat Modelling: Lead threat modelling sessions (jointly with your Manager) during the design phase of new systems, AI deployments, and infrastructure changes to identify attack vectors, abuse cases, and control gaps before production go-live; maintain reusable threat libraries mapped to MITRE ATT&CK.
• Risk Assessments: Execute cyber risk assessments on gaps surfaced through policy deviations, vulnerability scans (Tenable Nessus), penetration tests, security events, external threat intelligence, and audit findings across IT, OT, 5G, and ISP environments.
• Remediation Strategy: Propose risk mitigation and treatment strategies using the full safeguard taxonomy. Ensure remediation plans are technically sound, operationally viable, and aligned to StarHub’s Information Security policies and Singapore regulatory obligations (IMDA TCS/BCS, CSA CCoP 2.0, Cybersecurity Act, PDPA).
• Transparency: Provide Risk Owners with operational impact assessments, ensuring service disruption implications are clearly understood before residual risk is accepted.
• Continuous Monitoring: Track and report on remediation plan status, ensuring closure within agreed timelines; maintain a consolidated cyber risk inventory with credible impact ratings, justifications, treatment plans, and named accountable parties.
Compliance (Audit & Assessment) Management
• Collaborate with the Information Security Office (ISO) to facilitate end-to-end audit and assessment processes, including CII audits, CSA Cyber Trust Mark reviews, StarHub control self-assessments, and ad-hoc assessments. Lead milestone stewardship with zero missed deliverables.
• Support the selection and appointment of auditors, providing consultation on scope, fees, and operational feasibility.
• Develop and execute a comprehensive audit plan covering scope, resource allocation, and budgeting to verify that StarHub’s systems, infrastructure, and operations are resilient and fully compliant with all internal policies and regulatory requirements.
• Take responsibility for the collection and verification of technical evidence (logs, screenshots, configurations). Ensure all artefacts accurately reflect the current state of critical assets and meet the applicable ISO standards before submission; conduct pre-submission rehearsal reviews to head off avoidable findings.
• Collaborate with Risk and Control Owners to develop technically sound and operationally viable remediation plans for draft audit findings, including management action plans with justified timelines.
Qualifications
Requirements
• Degree in Information Technology, Cybersecurity, or a related field (Master's preferred).
• 6-8 years' experience in cybersecurity and GRC, with exposure to the Telecommunications sector and an understanding of service risk, SLAs, network environments, and the balance between service availability and cyber resilience.
• Certified Information Systems Auditor (CISA), either held or actively being pursued, or an equivalent certification (e.g., CISSP, SSCP, or another ISC2 certification).
• Demonstrated hands-on experience supporting ISO 27001, ISO 20000, and/or ISO 22301 compliance cycles including evidence curation, control walkthroughs, and finding closure.
Good to Have
• Solid knowledge of compliance frameworks and regulatory requirements: NIST CSF/SP 800-53, ISO 27001, CSA CCoP 2.0, Singapore Cybersecurity Act, PDPA, PCI DSS, and IMDA Code of Practice for Broadcasting & Telecommunications.
• Host configuration review and hardening experience to CIS Level 1/2 benchmarks (Windows/Linux/network).
• Experience with cloud environments (AWS, Azure, GCP), operational technology (OT) or critical information infrastructure (CII), and the trade-offs between public and private cloud deployments.
• Hands-on proficiency with Tenable Nessus or equivalent vulnerability management tooling; familiarity with SIEM/SOAR platforms (Sentinel, Chronicle, Splunk, QRadar) and EDR tools (CrowdStrike, SentinelOne, Carbon Black).
• AI/LLM Security Governance: Familiarity with NIST AI RMF, OWASP Top 10 for LLMs, and MITRE ATLAS; experience assessing generative AI solutions for risk, data-privacy exposure, and adversarial threats (prompt injection, data poisoning, model inversion).
• Scripting or automation capability (Python, KQL, PowerShell) applied to GRC workflows, evidence capture, or risk reporting.