Head of GoTo Financial (GTF) Information Security


Full Time Executive-level / Director
Gojek is a Super App. It’s one app for ordering food, commuting, digital payments, shopping, hyper-local delivery, and over a dozen services. It is Indonesia’s first and fastest growing decacorn building an on-demand empire.

The Head of GoTo Financial (GTF) Information Security is accountable for the security of GTF’s products and services. GTF (formerly known as GoPay) consists of business units in the financial payments industry. This includes consumer payments, merchant payments, payment gateways, e-money, e-wallet with features including peer to peer and peer to merchant payments. This leader will work closely with Product and Development Group (PDG) stakeholders to ensure security is embedded into development and operating processes. 
He/she will partner with Engineering, Product, and Risk, Privacy, and Government Relations teams to ensure that security is effectively interlocked and aligned with key business stakeholders. This leader is responsible for establishing and driving a security program to integrate security into existing processes as well as establishing new processes to achieve security goals. He/she will serve as a trusted leader and advisor, and will lead a team to ensure that security requirements are met and aligned with business objectives.
He/she will work together with the regulatory organization, including relevant industrial associations in Indonesia, to ensure regulatory compliance of GTF’s products and services in terms of IT and information security related regulations.
The Head of GTF Information Security reports to the GTF CISO and will lead and grow an existing team and continuously evolve the product security function to align and scale with the business.
Reporting to the GTF’s CISO, the Head of GTF Information Security is accountable for strategic leadership and direction of GTF’s information security program, including regulatory compliance, IT GRC, DevSecOps, and security operations; tight alignment with internal and external stakeholders, including relevant regulators and industrial associations; developing strategic planning for information security and IT risk management, including risk register development, security roadmap, and required security controls for GTF; collaborating with the product and engineering stakeholders to drive the completion of information security & IT GRC controls; and developing and leading a diverse and high-performing team.


Compliance / IT GRC / DevSecOps

  • Achieve and maintain security compliance for GTF Security’s products and services including PCI and ISO 27001
  • Develop and execute a secure software development strategy (DevSecOps) with the Product Engineering Group (PDG), including policies, standards and governance. Build and mature the DevSecOps program and implement “shift left” initiatives 
  • Ensure an engaged, innovative, and encouraging working environment in the department by motivating, challenging, and mentoring employees towards growth. 
  • Design, improve, and manage security automation to integrate application security into various CI/CD across the enterprise
  • Improve and expand application security risk posture and processes across GTF’s PDG and GTF product groups
  • Develop and execute an IT & information security risk management program in alignment with the corporate risk management framework
  • Develop information security architecture that includes identification and assessment of relevant information security & IT GRC controls to mitigate possible risks
  • Set up information security & IT-GRC objectives and key results including supporting metrics
  • Collaborate with relevant stakeholders and disciplines to ensure effective and efficient implementation of information security & IT-GRC initiatives
  • Develop and manage GTF information security budget
  • Provide regular reporting updates of metrics (OKRs), risks, and achievements, including the current state of information security posture and initiatives and the current state of IT & information security risk
  • Ensure regulatory and contractual compliance of GTF’s IT and information security practices that includes ensuring positive optics of GTF compliance posture

Leadership - Team Development and Succession Planning

  • Develop and manage key stakeholder relationships with senior leaders from engineering, product, and business teams to ultimately achieve security outcomes
  • Work with peer organizations to benchmark and measure security metrics regularly
  • Build, grow, mentor and continuously cultivate a high-performance DevSecOps team
  • Actively work on succession planning and develop and mentor managers and staff to achieve career goals
  • Lead cross-functional teams to define objectives, strategies and metrics in working towards targeted security goals and outcomes
  • Own and actively and responsibly manage the product / DevSecOps security budget to ensure the highest return on investment
  • Participate in personnel management including recruitment and selection, adequate staffing, performance appraisals, education and training

Relevant Experience

  • Exceptional relationship management with senior leaders and stakeholders – ongoing building and maintaining collaborative partnerships across all levels of an organization. 
  • Strong ability to clearly articulate decisions based on risk-based / business impact decision tradeoffs 
  • Strong track record in security with financial technology (FinTech) including e-money, e-wallets, banks, and merchant partners 
  • Experience in leading teams on technical security projects – ensuring commitments are met and ensuring key stakeholders are constantly informed of status 
  • Experience in working with regulatory organizations, including industry associations relevant to IT and information security, to ensure regulatory compliance and positive optics of GTF compliance posture
  • Strong leadership qualities and business acumen; able to communicate with all levels of the organization, from technical leaders to senior business leaders.
  • Ability to manage and communicate effectively with the ambiguity associated with working in a fast-paced and changing environment
  • Strong people management skills – providing direction, monitoring performance, motivating staff and building a positive working environment

The Person

  • Bachelor of Science degree in an Engineering discipline; Master’s preferred or equivalent work experience
  • 10+ years of security experience with specific experience in financial technology (FinTech), highly diversified and high-growth organizations.
  • Established track record in leading security teams, including IT GRC and DevSecOps teams, in implementing “shift left” strategies
  • Track record of aligning and achieving security requirements and business requirements, and interlocking with key stakeholders
  • Experience in managing and developing IT GRC, DevSecOps and Product Security function and teams
  • Strong experience in securing large technology infrastructures, including cloud-based tech such as Kubernetes, Docker, and VMs. Experience with Google Cloud Platform (GCP) is a plus
  • Experience in establishing and rolling out Threat Modeling that can be consumed by developers and engineers into user stories
  • Deep knowledge of common information security management frameworks, including but not limited to: ISO 27001 / 27002 and PCI
  • Professional security certifications, such as a Certified Information Systems Security Professional (CISSP) or other relevant security credentials desired
About Us
Gojek is a Super App. It’s one app for ordering food, commuting, digital payments, shopping, hyper-local delivery, and a dozen other products. It is Indonesia’s first and only decacorn. It's also the only Southeast Asian startup to be part of Fortune's list of 'Companies That Changed The World.'
Our Mission: To create and scale positive socio-economic impact for our customers, driver-partners, business and MSMEs.
As of 2018, Gojek processed more than $9 billion annualised gross transaction value across all markets where it operates: Singapore, Thailand, Vietnam and Indonesia. We have the largest food delivery product in Asia (outside of China) and the largest payments wallet in Southeast Asia.
Our investors include Google, Facebook, PayPal, Sequoia Capital, Tencent Holdings among others.
Gojek is committed to building a diverse and inclusive workplace and is an equal opportunity employer. We do not discriminate on the basis of race, religion, national origin, gender, gender identity, sexual orientation, disability, age, education status, or any other legally protected status.
Job region(s): Asia/Pacific