InfoSec Manager (Hiring Immediately)

First Circle
London

First Circle is a fast-growing, profitable, credit-led SME NeoBank in the Philippines whose shareholders include the World Bank Group (IFC). Today, our Business Credit Line and Business Bank Accounts are used by thousands of SMEs to grow and run their business. Our product velocity has accelerated — in the next few months we’ll release SME Corporate Cards, Payroll, Invoices, and Solar Financing — redefining the SME NeoBank category through software, financial products, and exceptional risk models.

Our culture emphasises building, problem solving, ownership / responsibility, and personal & professional growth. We balance a collegiate atmosphere with free & direct communication, which enables us to move very quickly and avoid politics or toxicity. Our team continues to level up quickly, which is necessary for the business to compound more than 100% per year; we achieve this through individual growth and bar-raiser hiring.

Requirements

This is a unique opportunity for a high-growth individual to become the first dedicated security professional at a high-growth, regulated bank whose market leadership position lies in its technology.

You will define strategy, priorities, and our security operating model aligned to business goals – reporting to the VP Engineering and supported in your development by our world-class CISO Board advisor.

As the company continues to grow you’ll have unparalleled opportunities for career growth and to build out our infosec team around you.

Your first year is about building foundations, addressing primary risks, and ensuring the bar you set is consistently upheld by the wider technology organisation:

  1. ISO 27001 certified. You own the certification from scoping to audit pass.
  2. Implement external pen test & remediation. Every finding closed or formally risk-accepted.
  3. MSSP/SOC live and producing alerts we act on. SLAs measured monthly. Escalation path drilled at least twice.
  4. Engineering development processes aligned with security. Embed secure-by-design principles into technology and product development, working closely with engineering and DevOps teams. Full audit trail.
  5. Regulatory compliance. Design, implement, and maintain security policies, standards, and procedures aligned to global standards and local regulations: BSP circulars, EPFS and PPMI (payments) requirements, and PCI DSS scope.
  6. Mitigate user & device threats. Define, assess, and upgrade the principle of least privilege across users & devices. No unmanaged device touches production.
  7. A risk register used monthly by the exec team and Board. Internal and external (e.g. vendor, supply chain) risks. Tied to mitigation owners and dates.
  8. Develop a strong culture & training practice. Phishing simulation, secure-coding standards, IR runbook drilled live at least once.
  9. Tooling. Evaluate and implement security tools and technologies, optimising for a lean, scalable security stack. Oversee vulnerability management and remediation, ensuring regular scanning, prioritisation, and tracking of fixes.

What you own steady-state

The strategy and roadmap with the exec team and Board Risk Committee. The MSSP relationship. Incident response. Vulnerability management. Third-party risk — particularly card processors, payment rails, KYC providers. BSP cybersecurity engagement and PCI DSS scope where it applies. Security culture — making it easier to do the right thing than the wrong thing.

About You

  • You've built a security function before, hands-on. Not advised — built. At a regulated fintech, payments business or bank. Be ready to walk us through what was there when you arrived and what was there when you left.
  • You've led a Sev-1 from page to post-mortem. Tell us about one.
  • You've taken an organisation through ISO 27001 as the responsible owner, not a consultant on the sidelines.
  • You've stood up an MSSP — chosen the vendor, defined the use cases, tuned the alerts, fired one when it underperformed.
  • You've written IAM policy that survived contact with real engineers. Azure-native (that's our stack).
  • You're hands-on enough to read Terraform, open a PR, and debug events. If your last line of code was 5+ years ago, this isn't your role.
  • Certifications — CISSP, CISM, CRISC, or ISO 27001 Lead Implementer/Auditor are useful signals. They're a tiebreaker, not the bar.

What this role is not

  • Not a CISO inheriting a team — you'll build it. Year 1 you may have one or two hires.
  • Not a paper-driven compliance role — we expect you in the codebase, in the cloud console, on the on-call rotation when it matters.
  • Not for someone who needs a clean SOC 2 starting point. We're earlier than that, by design, and moving fast.

Benefits

  • No fixed budget for this
Posted 2026-05-06
