Security Testing and Assurance Section Head

16 hours ago


Philippines Bank of Commerce (Philippines) Full time

Overview

JOB SUMMARY

The Section Head of Security Testing and Assurance (STA) is responsible for overseeing all technical security testing activities. This includes the planning, coordination, execution, and oversight of outsourced services related to vulnerability assessments, penetration testing, compromise assessments, threat hunting, red/purple teaming, physical security testing, and application security reviews. The role ensures that all testing initiatives are risk-based, properly documented, and aligned with the Bank’s regulatory obligations, internal security policies, and industry standards. The Section Head manages relationships with third-party providers, validates findings, tracks remediation efforts, and ensures the integration of security testing results into the Bank’s broader risk management and incident response programs. This role also oversees the administration of the Bank’s Network Detection and Response (NDR) tool, Darktrace, and is responsible for monitoring and filing threat intelligence reports from the BAP-CID Threat Intelligence and Collaboration Platform.

JOB DESCRIPTION

  • Manage the execution of all technical security testing activities across the Bank, under the strategic oversight of the CISO, ensuring alignment with the Bank’s approved risk appetite and the objectives of the Information Security Strategic Plan (ISSP).
  • Plan, coordinate, and manage the delivery of outsourced technical security testing services to identify potential vulnerabilities and assess the effectiveness of the Bank’s defenses. These services include, but are not limited to: Vulnerability Assessments (VA), Penetration Testing (PT), Application Security Testing, Red and Purple Team Exercises, Compromise Assessments, and Threat Hunting.
  • Ensure that all new system applications undergo a thorough vulnerability assessment (VA) before go-live. Similarly, require vulnerability assessments for existing systems that have undergone major enhancements or significant changes, to confirm that new risks have not been introduced prior to deployment.
  • Define the appropriate testing methods, success criteria, and priority systems for testing, based on emerging threats and the critical role each system plays in the Bank’s operations.
  • Oversee third-party service providers by clearly defining the scope of work, expected deliverables, and service levels through well-structured RFIs, RFPs, contracts, and project plans.
  • Assess and confirm the vendor’s capabilities, tools, and testing methodologies before engagement to ensure they meet the Bank’s security standards and requirements.
  • Monitor vendor performance using defined metrics such as timeliness of delivery, accuracy of test results, and the effectiveness of remediation recommendations.
  • Ensure that vendors submit clear, complete, and timely assessment reports. Provide support to stakeholders in interpreting technical findings and clarifying results when needed.
  • Oversee the configuration, tuning, and alert monitoring of the Bank’s Darktrace Network Detection and Response (NDR) platform to ensure accurate detection of unusual or suspicious activity.
  • Review, document, and distribute intelligence reports received from the BAP-CID Threat Intelligence and Collaboration Platform for Banks. Escalate relevant advisories or threat indicators to appropriate teams for action and tracking.
  • Facilitate information security training sessions for new employees as part of the onboarding process, and deliver on-demand security briefings or awareness sessions as requested by business or support units. Ensure that training content reflects relevant findings from security testing activities and emerging threat trends.
  • Monitor emerging cyber threats, attack techniques, and advancements in security testing technologies to continually improve the Bank’s testing approach and inform enhancements to third-party service provider capabilities.
  • Perform other related tasks and responsibilities as may be assigned by the CISO or ITRMD Head.

JOB QUALIFICATION

  • Bachelor’s degree in Information Security, Computer Science, or a related field
  • Certifications in information security or IT-related domains (e.g., OSCP, GPEN, GWAPT, CEH, CISSP) are considered an advantage and may strengthen the candidate’s suitability for the role.
  • At least 3 years of experience in cybersecurity, including a minimum of 1 year in a leadership or coordination role focused on security testing or offensive security. Should have hands-on experience managing third-party security vendors and overseeing complex technical assessments across systems, applications, or infrastructure.
  • Good understanding of cybersecurity concepts, including vulnerability management, secure development practices, and red team methodologies
  • Familiar with relevant industry standards (e.g., NIST, OWASP, MITRE, CIS) and regulatory frameworks (e.g., BSP Cir. 982, 1140)
  • Able to interpret technical security reports and communicate key risks and insights to both technical and non-technical stakeholders
  • Capable of managing projects, coordinating with teams, and preparing structured documentation and executive-ready reports