InfoSec Manager

Reposted 4 Days Ago
2 Locations
In-Office or Remote
Senior level
Fintech • Software • Financial Services
The Role
The InfoSec Manager will establish security strategies, implement compliance measures, build a security team, and ensure security protocols are integrated into operations, reporting directly to the VP Engineering.
Summary Generated by Built In

First Circle is a fast-growing, profitable, credit-led SME NeoBank in the Philippines whose shareholders include the World Bank Group (IFC). Today, our Business Credit Line and Business Bank Accounts are used by thousands of SMEs to grow and run their business. Our product velocity has accelerated — in the next few months we’ll release SME Corporate Cards, Payroll, Invoices, and Solar Financing — redefining the SME NeoBank category through software, financial products, and exceptional risk models.

Our culture emphasises building, problem solving, ownership / responsibility, and personal & professional growth. We balance a collegiate atmosphere with free & direct communication, which enables us to move very quickly and avoid politics or toxicity. Our team continues to level up quickly, which is necessary for the business to compound more than 100% per year; we achieve this through individual growth and bar-raiser hiring.


Requirements

This is a unique opportunity for a high-growth individual to become the first dedicated security professional at a high-growth, regulated bank whose market leadership position lies in its technology. You will define strategy, priorities, and our security operating model aligned to business goals. As the company continues to grow, you’ll have unparalleled opportunities for career growth and to build out our infosec team around you.

Your first year is about building foundations, addressing primary risks, and ensuring the bar you set is consistently upheld by the wider technology organisation:
  1. ISO 27001 certified. You own the certification from scoping to audit pass.
  2. Implement external pen test & remediation. Every finding closed or formally risk-accepted.
  3. MSSP/SOC live and producing alerts we act on. SLAs measured monthly. Escalation path drilled at least twice.
  4. Engineering development processes aligned with security. Embed secure-by-design principles into technology and product development, working closely with engineering and DevOps teams. Full audit trail.
  5. Regulatory compliance. Design, implement, and maintain security policies, standards, and procedures aligned to global standards and local regulations: BSP circulars, EPFS and PPMI (payments) requirements, and PCI DSS scope.
  6. Mitigate user & device threats. Define, assess, and upgrade the principle of least privilege across users & devices. No unmanaged device touches production.
  7. A risk register used monthly by the exec team and Board. Internal and external (e.g. vendor, supply chain) risks. Tied to mitigation owners and dates.
  8. Develop a strong culture & training practice. Phishing simulation, secure-coding standards, IR runbook drilled live at least once.
  9. Tooling. Evaluate and implement security tools and technologies, optimising for a lean, scalable security stack. Oversee vulnerability management and remediation, ensuring regular scanning, prioritisation, and tracking of fixes.

What you own steady-state

The strategy and roadmap with the exec team and Board Risk Committee. The MSSP relationship. Incident response. Vulnerability management. Third-party risk — particularly card processors, payment rails, KYC providers. BSP cybersecurity engagement and PCI DSS scope where it applies. Security culture — making it easier to do the right thing.

About You
  • You've built a security function before, hands-on and ideally at a regulated fintech, payments business or bank.
  • You've led a Sev-1 from page to post-mortem.
  • You've taken an organisation through ISO 27001 as the responsible owner, not a consultant on the sidelines.
  • You've stood up an MSSP — chosen the vendor, defined the use cases, tuned the alerts.
  • You've written IAM policy that survived contact with real engineers. Azure-native (our stack).
  • You're hands-on enough to read Terraform, open a PR, and debug events.
  • Certifications — CISSP, CISM, CRISC, or ISO 27001 Lead Implementer/Auditor are useful signals.

What this role is not
  • Not a CISO inheriting a team. You'll build it, likely adding one or two team members in year 1.
  • Not a paper-driven compliance role - we expect you in the codebase, in the cloud console and available when it matters.
  • Not for someone who needs a clean SOC 2 starting point. We're earlier than that, by design, and moving fast.

Benefits
  • No fixed budget for this role; we hire globally and adjust offers based on experience and market rate
  • Equity ownership in a 150%+ growing, profitable NeoBank with a market which supports a business 50-100x today’s size
  • Flexibility around working hours and location. The role can be worked remotely, with the option to work from one of our offices in London, Manila, Singapore, Hong Kong & Belgrade
  • Macbooks, private health insurance, training budgets and more!
  • Periodic travel to HQ in Southeast Asia

Disclaimer: all information provided in this advertisement is subject to our terms and conditions.

Skills Required

  • Experience building a security function at a regulated bank or fintech
  • Hands-on experience with incident response and severity management
  • Proficient in ISO 27001 implementation and management
  • Experience in vendor management for MSSP selection
  • Strong understanding of identity access management (IAM) policy
  • Ability to read Terraform and engage with codebase
  • Relevant certifications such as CISSP or CISM
The Company
HQ: Taguig, Metro Manila
148 Employees
Year Founded: 2015

What We Do

Founded in 2016, First Circle is the fastest-growing fintech in the Philippines, led by an ex-Morgan Stanley and ex-Bridgewater Associates management team. We have offices in Manila, London and Hong Kong. First Circle offers SME financing and is building smart banking solutions for businesses. First Circle is a trusted partner of the Philippine government and is the official Finance Partner of the Department of Trade and Industry (DTI). We are also a pioneer data provider to the Credit Information Corporation (CIC) and the very first FinTech company to ever be licensed by the Securities and Exchange Commission (SEC) in the Philippines.
