Back to search
National e-Governance Division Linkedin · Posted 7d ago

Security Lead / Architect

India

Linkedin
Continue to application Add your email once, then Caio opens the original posting.

Indexed description

Designation: Security Lead / Architect


Reports to: Director, NeGD


Educational Qualification

  • B.Tech./B.E. in Computer Science, Information Technology, Cybersecurity, or related engineering discipline (Must have; full-time regular course), OR MCA
  • M.Tech./M.S. in Information Security, Cybersecurity, or Applied Cryptography desirable
  • Certifications (at least one required at deployment — Must have): CISSP, CISM, CCSP, or AWS Certified Security – Specialty
  • Certifications (Desirable): ISO 27001 Lead Auditor / Lead Implementer, CKS (Certified Kubernetes Security Specialist), KCSA, CEH, OSCP, CSSLP, SABSA, TOGAF 9, DCPP or DPO training, HashiCorp Vault Associate


Experience

  • 10+ years in application, platform, or cloud security, with minimum 3 years in a Security Lead or Security Architect role owning security for a production platform end-to-end
  • Demonstrated experience embedding security into a DevSecOps toolchain — SAST, DAST, SCA, container scanning, secrets management, policy-as-code — at CI/CD level
  • Demonstrated experience coordinating or leading VAPT, STQC certification, or equivalent third-party security audits for government or enterprise platforms
  • Demonstrated experience defining secure coding standards, conducting threat modelling, and running secure design reviews
  • Prior experience with Government of India security frameworks — MeitY Security Policy, CERT-In guidelines, ISO 27001, CIS Benchmarks — required
  • Familiarity with DPDP Act 2023 operationalisation (consent, data-principal rights, retention, breach reporting) required
  • Prior exposure to Kubernetes-native security (Kyverno, OPA / Gatekeeper, Falco) and supply-chain security (SBOM, Cosign signing, in-toto attestations) required


Key Responsibilities


Security Architecture Ownership

  • Own the security architecture of the platform end-to-end — aligned to NIST CSF, Zero Trust Architecture, OWASP Top 10, ISO/IEC 27001:2022, CIS controls, CERT-In directions, and DPDP Act 2023
  • Define and approve platform-level security controls: RBAC, MFA for privileged roles, secrets management, audit logging, encryption in transit (TLS 1.3) and at rest (AES-256), certificate lifecycle, Kubernetes RBAC
  • Approve threat models, secure design reviews, and residual-risk registers across the developer portal and all platform layers; sign off on security acceptance criteria per phase gate
  • Own the Zero Trust implementation across identity, network, and workload layers

DevSecOps & Supply Chain Security

  • Define standards for security gates in CI/CD pipelines — SAST, DAST, SCA, secrets scanning, container scanning — and approve their integration into golden path templates
  • Own supply-chain security posture: SBOM generation, vulnerability scanning, artefact signing, image provenance, and admission control via Kyverno / OPA-Gatekeeper
  • Approve policy-as-code frameworks and Kubernetes admission policies enforced across the platform

Client-Side Governance of the Agency's Security Function

  • Act as the technical authority over the agency's security engineering resources on all security matters; review their deliverables against contracted scope and validation criteria
  • Approve VAPT scope, findings, and remediation plans; approve pen-test reports before production rollout and after major consumer onboarding waves
  • Review security posture dashboards, vulnerability management pipelines, threat detection workflows, and security audit / evidence packs delivered by the agency

Compliance, Audit & Data Protection

  • Own ISO/IEC 27001:2022-equivalent ISMS coverage across the platform's processes and personnel; ensure certification evidence is submitted and maintained through the engagement
  • Operationalise DPDP Act 2023 compliance — consent architecture, data-principal rights procedures (access, correction, erasure), data minimisation, purpose limitation, retention and deletion, and cross-border transfer controls
  • Conduct or approve Privacy Impact Assessments (PIAs) for sensitive flows including AI analytics
  • Own CERT-In compliance including 6-hour incident reporting, log-retention obligations, and directions applicable to government platforms
  • Own audit readiness — control mapping, evidence collection, gap analysis — for internal and external audits; support MeitY, STQC, and CAG audits

Security Operations & Incident Response

  • Approve the security incident response framework — detection, triage, containment, eradication, recovery, and post-incident review — and its integration with the ITSM layer
  • Approve runtime threat protection, secrets and credential risk management, and SIEM configurations delivered by the agency
  • Own communication with CERT-In on reportable incidents; own breach notification within statutory timelines

Tenant-Facing Security Governance

  • Approve tenant-specific security configurations — namespace isolation, RBAC policies, data-residency and classification requirements, dedicated deployment security posture
  • Advise tenant administrators on security responsibilities under the federated custody model; support tenant-specific VAPT and audit requirements

AI Security & Emerging Threats

  • Approve AI-integration security posture — prompt injection defence, RAG source integrity, PII redaction in conversation logs, model output filtering, adversarial input handling, and MITRE ATLAS-based risk assessment
  • Define human-in-the-loop guardrails and audit logging for AI features across development, security, and operations use cases


Technical Competencies

  • Application Security Testing: SAST (SonarQube, Semgrep, Checkmarx), DAST (OWASP ZAP, Burp Suite), SCA (Trivy, Snyk, Dependency-Track), secrets scanning (Gitleaks, TruffleHog), API security testing
  • Supply-Chain Security: SBOM (Syft, CycloneDX, SPDX), vulnerability management (Grype), artefact signing (Cosign, sigstore), in-toto attestations, SLSA framework
  • Policy-as-Code & Admission Control: Kyverno, OPA / Gatekeeper, Falco; Kubernetes network policies, Pod Security Standards
  • Kubernetes & Container Security: Kubernetes RBAC, admission controllers, workload identity, runtime protection, container hardening, Docker security
  • Cloud Security: AWS IAM, KMS, Secrets Manager, Inspector, Security Hub, GuardDuty, CloudTrail, CloudWatch Logs, ACM, WAF; equivalent controls on Azure or GCP; sovereign / NIC / MeghRaj-hosted deployment security patterns
  • Cryptography & Key Management: AES-256, TLS 1.3, PKI, HSM basics, certificate lifecycle, HashiCorp Vault or equivalent secrets management
  • Identity & Access: OAuth 2.0, OIDC, SAML, LDAP, RBAC/ABAC design; MFA for privileged roles; Keycloak, Auth0, AWS IAM Identity Center, Microsoft Entra ID; Aadhaar authentication and India Stack security patterns
  • Threat Modelling & Secure Design: STRIDE, LINDDUN, PASTA; OWASP ASVS; secure SDLC integration; secure design review methodology
  • SIEM, Detection & Response: SIEM design, log aggregation, correlation rule authoring, threat detection playbooks; incident response frameworks (NIST 800-61)
  • VAPT & Red-Team Coordination: Scoping, execution oversight, remediation tracking; hands-on familiarity with Burp Suite, OWASP ZAP, Metasploit, nmap
  • AI-Specific Security: Prompt injection defence, RAG integrity, model extraction risk, adversarial inputs, output filtering, MITRE ATLAS
  • Compliance Frameworks: ISO/IEC 27001:2022, NIST CSF, CIS controls, CERT-In directions (including 6-hour reporting and log-retention), STQC framework, MeitY Security Policy and Guidelines
  • Data Protection: DPDP Act 2023 (operational implementation), Government of India Data Classification Policy, PIA methodology, cross-border data-transfer controls
  • Scripting: Python or Bash for security automation, evidence collection, and CI/CD integration
  • Communication: Executive briefings to leadership, tenant CISOs, CERT-In, and auditors; ability to translate security posture and residual risk for non-technical audiences


Free. 20 seconds. No password. See every match in this search.

Create a free Caio profile to unlock more results and save your role and location preferences.

Unlock free search
Want help applying to roles like this? Search Caio for free. If CV tailoring and application tracking get heavy, Full Caio Agent adds a human specialist.
View Full Agent