Manager, Information Security - Metro Manila - ABSI

Paglalarawan

Job Roles and Responsibilities

The Manager, Information Security & Data Privacy Engineering is a senior security leadership role responsible for architecting and operationalizing a "Trust by Design" culture across the Asticom ETG ecosystem. This role shifts the security function from a reactive checkpoint to a proactive enablement engine — embedding security and privacy upfront into every process, product, and platform. The Manager leads the Cyber Defense, Identity & Access Management (IAM), Data Privacy, and Threat Intelligence functions, with a mandate to protect Asticom's digital infrastructure while enabling business velocity.

90-Day Success Mandate:

• Achieve 100% MFA compliance across all public-facing tools and critical business systems
• Establish a structured, proactive threat-hunting cadence within the first 60 days
• Complete the DPA technical compliance baseline assessment and publish the remediation roadmap

II. Key Responsibilities

A. Security Engineering & Architecture

• Lead the design and implementation of enterprise security architecture, ensuring all systems are built with "Security by Design" principles from inception
• Own the organization's security roadmap, aligning technical security initiatives with the Asticom ETG's business and revenue objectives (₱3.75B GSR targets)
• Architect and govern Identity & Access Management (IAM) frameworks, including MFA deployment, privileged access management, and user access reviews (UAR) across all platforms
• Drive endpoint security hardening, including patch management, vulnerability remediation, and Zero Trust adoption across all Asticom sites

B. Data Privacy & Compliance Engineering

• Serve as the technical arm of the Data Privacy Office (DPO), operationalizing "Privacy by Design" in all product and infrastructure development lifecycles
• Ensure technical compliance with the Philippine Data Privacy Act (DPA), maintaining data residency standards and data minimization controls across all platforms
• Lead Privacy Impact Assessments (PIAs) and provide technical recommendations for data handling, storage, and cross-border transfer compliance
• Maintain and mature the organization's GRC framework, including risk register management, policy exception reviews, and security awareness programs

C. Threat Intelligence & Incident Leadership

• Serve as the APAC-level Incident Commander for all high-severity cybersecurity incidents, coordinating cross-functional response, resolution, and post-incident reviews
• Establish a proactive threat-hunting function, utilizing threat intelligence feeds and security tooling to detect and neutralize advanced persistent threats (APTs) before impact
• Lead the development and testing of the Cyber Incident Response Plan (CIRP) and Business Continuity Plan (BCP) for all security-critical systems

D. Third-Party Risk & Vendor Governance

• Own the Third-Party Risk Management (TPRM) program, conducting vendor risk assessments, SOC 2 analysis, and ongoing due diligence for all technology suppliers and managed service partners
• Collaborate with Legal and Procurement on vendor contracts, ensuring appropriate security SLAs, data processing agreements (DPAs), and contract language that reflect Asticom's risk posture
• Manage and optimize the organization's GRC tooling platforms (e.g., OneTrust, Archer, ServiceNow) to ensure continuous risk visibility and audit trail integrity

E. Security Leadership & Stakeholder Management

• Translate complex security threats and technical risk data into Executive Brief formats for ManCom and Board-level reporting, enabling informed strategic decisions
• Build, mentor, and develop the team, fostering a security-first culture across all ETG towers
• Partner with Tower 1 (Digital Workplace), Tower 2 (Infrastructure), and Tower 4 (Tech Strategy) leads to embed security controls without impeding operational velocity

Job Qualifications

A. Experience

• Minimum 8–10 years of progressive experience in Information Technology, Information Security, IT Governance, Risk, and Compliance (GRC), or a related discipline within enterprise or multinational environments
• Demonstrated experience leading cybersecurity incident response at a regional (APAC) scale, including coordination of cross-functional teams and executive-level stakeholder communication
• Proven track record in Third-Party Risk Management (TPRM), including vendor risk assessments, SOC report reviews, and risk remediation programs
• Experience in data-intensive, regulated industries (logistics, healthcare, financial services) is a strong advantage, demonstrating adaptability to high-compliance environments
• Background in IT Infrastructure, endpoint management, and systems administration provides a strong operational foundation for this role

B. Education

• Bachelor's Degree in Information Technology, Computer Science, Information Systems, or a related field
• Relevant post-graduate study or advanced certifications may be considered instead of formal advanced degrees

C. Certifications

• Required: ITIL Foundation (V3 or V4) — demonstrating foundational IT service management proficiency aligned with Asticom's Service Value System
• Required: Certified in Cybersecurity (CC) by ISC2, or equivalent foundational cybersecurity credential
• Required: Demonstrated proficiency or active training in GRC tooling platforms (e.g., OneTrust, Archer, or equivalent enterprise risk management systems)
• Preferred: CISSP, CISM, or CISA — or active pursuit of such advanced certifications
• Preferred: Extreme Networks, Cisco (CCNA level), or other network security credentials

D. Competencies

• Deep expertise in GRC frameworks, including SOC 2 analysis, User Access Reviews (UAR), security policy management, and continuous compliance monitoring
• Proficiency in security platforms: identity management, endpoint detection and response (EDR), firewall management, and vulnerability assessment tools
• Working knowledge of Microsoft 365, Power BI, ServiceNow, and workflow automation tools to support data-driven security reporting
• Strong executive communication skills — ability to author Board-ready security briefings, incident post-mortems, and risk register summaries
• Recognized excellence in project delivery and incident management (e.g., industry-standard awards for crisis response or service excellence) is a significant advantage