Security Leader/Manager

The Security Manager is responsible for building and leading beGroup’s security function. This role owns the overall security strategy, governance, and roadmap, and manages the SecOps and AppSec engineers to ensure that security enables fast, safe product delivery rather than blocking it.

1. Security Strategy & Governance

• Define and maintain the security vision, roadmap, and priorities aligned with
  business goals.
• Establish and maintain security policies, standards, and guidelines (identity, access, engineering, incident, vendor).
• Own the risk register: identify, assess, track, and communicate key risks, mitigations, and risk acceptances (with expiry).
• Support audits and regulatory requirements (e.g., Vietnamese PDPD, payments/compliance standards as applicable).

2. Team Leadership & Operating Model

• Lead and mentor the SecOps and Application Security engineers; define clear
  responsibilities and success metrics.
• Design and continuously improve the security operating model (how security works with Engineering, Product, SRE, IT, Data, Finance).
• Plan headcount, hiring, onboarding, and performance reviews for the security team.

3. Identity, Access & Production Guardrails

• Oversee identity and access governance across cloud platforms and key systems (SSO, MFA, admin access, privileged accounts).
• Define and enforce principles for least-privilege and segregation of duties for
  production and sensitive environments.
• Ensure regular access reviews are run and tracked by the right owners (Security, IT, Engineering).

4. SecOps & Incident Management (Oversight)

• Own the incident management framework: severity levels, roles, communication, and post-incident reviews.
• Ensure the SecOps engineer designs and operates effective monitoring, detection, and incident response.
• Report material incidents and long-term corrective actions to the Engineering Director and leadership.

5. Application Security & SDLC (Oversight)

• Define the AppSec program: secure SDLC, minimum controls, CI/CD security gates, and review processes.
• Ensure the AppSec engineer delivers and maintains SAST, SCA, DAST, secrets
  scanning, and secure coding guidelines.
• Drive developer enablement (training, simple guidelines, self-service tools) rather than manual security bottlenecks.

6. Stakeholder Management & Communication

• Act as the single point of contact for security for executives and key stakeholders.
• Communicate security risks, trade-offs, and decisions in clear business language (not only technical terms).
• Partner with Product, Engineering, SRE, Data, Legal, and Compliance to ensure security enables business speed, not slows it down.