1. Security Testing & Programme Leadership Design, plan, and execute full-scope security testing engagements (network, application, cloud, social engineering awareness, physical) against dtcpay's production and pre-production environments. Develop and maintain simulation and testing plans aligned with recognised industry frameworks and regulatory threat intelligence guidance (e.g. MITRE ATT&CK-informed methodology, TIBER-EU, MAS TPRM). Lead collaborative exercises with the Security Operations team and internal defence functions to validate detection and response controls. Manage the end-to-end vulnerability disclosure programme, triaging findings and coordinating remediation timelines with engineering. Maintain the security testing infrastructure and tooling to production-safe standards. 2. People & Team Management Hire, mentor, and retain a high-performing team of Security Testing Specialists, Penetration Testers, and Threat Intelligence Analysts. Define career paths, training budgets, and certification goals (e.g. OSCP, OSED, CRTO, PNPT, GXPN). Foster a culture of continuous learning, responsible disclosure, and professional ethics. Conduct regular skills assessments and rotate team members across specialisations (web, mobile, OT/IoT, cloud). 3. Technology Risk Management & Governance Translate security testing findings into structured risk statements aligned with dtcpay's enterprise risk framework (ISO 31000, NIST RMF). Interface with the GRC team to update the risk register, contribute to board-level risk dashboards, and provide evidence of remediation for auditors. Define and track KPIs / KRIs for the security testing function: mean time to detect (MTTD), mean time to respond (MTTR), and risk-exposure-reduction metrics. Participate in third-party and supply-chain risk assessments for critical technology vendors. Represent the security testing function in change-advisory and architecture review processes. 4. Regulatory Compliance & Privacy Requirements Ensure all security testing activities are conducted within legal and regulatory boundaries across all operating jurisdictions, including obtaining appropriate written authorisations. Advise on security controls required to meet obligations under MAS TRM, PDPA, GDPR, UK GDPR, PDPD, and related frameworks. Collaborate with Legal and the DPO to ensure any personal data encountered during testing is handled, minimised, and destroyed in compliance with applicable data-protection laws. Contribute to regulatory engagement: respond to MAS, ICO, and supervisory authority queries; prepare evidence packs for technology-risk examinations. Track regulatory developments and proactively update engagement rules of engagement and testing policies. 5. Reporting & Stakeholder Communication Produce executive-level and technical reports with clear risk ratings (CVSS, DREAD), business-impact narratives, and prioritised remediation roadmaps. Present findings to the CISO, CTO, and Risk Committee; tailor communication to both technical and non-technical audiences. Maintain a historical findings database to trend residual risk over time and demonstrate programme maturity. What We're Looking For 8+ years of hands-on security testing experience, with at least 3 years in a team leadership or management capacity. Demonstrated expertise in simulation-based security testing and penetration testing across web applications, cloud (AWS/Azure/GCP), mobile (iOS/Android), APIs, and internal networks. Proven experience operating within a regulated financial-services or payment-industry environment. Deep working knowledge of MAS TRM Guidelines, UK GDPR / FCA Operational Resilience, GDPR, and DORA. Proficiency in industry-standard security testing tools and frameworks, including custom tooling development (Python, C#, PowerShell). Familiarity with cloud-native security risks (IAM misconfiguration, SSRF, container escape, serverless exposure). Exceptional written and verbal communication; ability to present technical risk findings to senior executives and board members. Bachelor's degree or higher in Computer Science, Information Security, or equivalent. Preferred Certifications Technical Security Testing: OSCP / OSED / OSWE / OSMR, CRTO / CRTE, GXPN, PNPT, CCT INF / CRT Governance & Risk: CISSP, CISM, CRISC, CDPSE, CIPP/A or CIPP/E Cloud: AWS Security Specialty, Azure Security Engineer, Google PCSE Preferred Experience Experience with TIBER-EU or iCAST (MAS Intelligence-led Cyber Attack Simulation Tes…