SalaryPeak

Cybersecurity Engineer (GRC Manager)

Assurity Trusted Solutions Pte Ltd
Singapore, Singapore Posted Mar 3, 2026

Market Estimate

SGD 84,451 - SGD 153,679 /year

SGD 7,038 - SGD 12,807/month

Based on 32 market data points for "Cybersecurity Engineer"

Job Description

Assurity Trusted Solutions (ATS) is a wholly owned subsidiary of the Government Technology Agency (GovTech). As a Trusted Partner over the last decade, ATS offers a comprehensive suite of products and services ranging from infrastructure and operational services, governance and assurance services as well as managed processes. In a dynamic digital & cyber landscape where trust & collaboration is key, ATS continues to drive mutually beneficial business outcomes through collaboration with GovTech, government agencies and commercial partners to mitigate cyber risks and bolster security postures.

Responsibilities:

GRC leadership & 2nd line of defence

• Act as the de facto lead for GRC, shaping how we govern risk and compliance across managed products and platforms within the team's remit
• Operate as 2nd line of defence for ICT risk and controls, providing independent challenge on risk, control design, and effectiveness
• Partner closely with the Product team to embed pragmatic security and compliance into day-to-day delivery

Security Plan governance and automation

• Own the governance and standards for Security Plan submissions across CIOO and product teams, including templates, minimum evidence expectations, and quality benchmarks
• Review Security Plans and supporting evidence, assess control coverage and implementation maturity, and recommend Security Plan approvals to the stakeholders
• Treat automation as an "always-on audit":
  • Collaborate with product and platform teams to define the Security Plan evidence that should be checked automatically
  • Use automated checks to surface gaps, anomalies, and missing evidence, and drive remediation with product teams
• Track and report KPIs for Security Plan (e.g. coverage and consistency of controls, Security Plan cycle time, defect rates) across CIOO and product teams

ICT audit and evidence management

• Design, implement, and own workflows for ICT audit, risk, and findings management
• Structure and maintain knowledge and documentation spaces as the source of truth for:
  • ICT audit plans, scopes, and procedures
  • Control descriptions and standard evidence templates
  • Central repositories of audit evidence and Security Plan artefacts
• Plan and execute thematic and product-level ICT audits under the CISO's direction, independently assessing:
  • Whether required work has been completed
  • Whether evidence provided by product teams is sufficient and reliable
• Coordinate with internal audit (3rd line) on ICT/security audit engagements, facilitate evidence collection, and track closure of findings in the issue-tracking system
• Provide regular management reporting on audit status, key risks, and trends to CIOO leadership and the CISO

Security policy ownership

• Serve as author and custodian for key GovTech-wide security and technology policies under CIOO's remit, for example:
  • Sandbox usage (development / test environments)
  • AI coding practices and guardrails
  • SaaS usage, onboarding, and clearance requirements
• Own the policy lifecycle: drafting, stakeholder consultation, impact assessment, approval routing, publication, and periodic review
• Translate policy into clear, practical guidance for product teams (e.g. how to comply in the issue-tracking and collaboration platforms, what "good" evidence looks like, what patterns and exceptions are acceptable)
• Monitor policy adoption and escalate material non-compliance or risk acceptances to the CISO where necessary

Security Education, Training and Awareness (SeTA)

• Lead SeTA for GovTech HQ in alignment with CIOO's cyber strategy and policies
• Design and run targeted SeTA campaigns, including:
  • Phishing simulations and follow-up actions
  • Security newsletters tailored to different audiences (e.g. tech vs non-tech)
  • Brown-bag sessions / clinics to deep-dive into topics like SaaS usage, sandboxing, secure coding, and incident reporting
• Define and track SeTA KPIs (e.g. phishing susceptibility, completion rates, engagement metrics) and use insights to continually refine content and focus areas

Change management & stakeholder engagement

• Champion a "new way of doing audit and GRC" using:
  • standard issue-tracking and collaboration tools as the primary systems of record for audit and evidence
  • automated controls and analytics for continuous, data-driven assurance
• Influence and negotiate with senior stakeholders (Product Directors, Application Owners, central functions) to adopt and sustain these new practices
• Communicate complex policy and risk topics in clear, outcome-focused language, tailored to both technical and non-technical audiences
• Provide clear, actionable recommendations to the CISO and CIOO leadership on risk, remediation priorities, and structural improvements

Requirements

• At least 5 years of experience in Cybersecurity, preferably in a regulated or public-sector environment
• Strong understanding of:
  • ICT governance and security controls across applications, infrastructur...