InfoSec Manager

First Circle is a fast-growing, profitable, credit-led SME NeoBank in the Philippines whose shareholders include the World Bank Group (IFC). Today, our Business Credit Line and Business Bank Accounts are used by thousands of SMEs to grow and run their business. Our product velocity has accelerated — in the next few months we’ll release SME Corporate Cards, Payroll, Invoices, and Solar Financing — redefining the SME NeoBank category through software, financial products, and exceptional risk models.

Our culture emphasises building, problem solving, ownership / responsibility, and personal & professional growth. We balance a collegiate atmosphere with free & direct communication which enables us to move very quickly and avoid politics or toxicity. Our team continues to level up quickly, necessary for business to compound more than 100% per year, which we achieve through individual growth and bar-raiser hiring

This is a unique opportunity for a high growth individual to become the first dedicated security professional at a high-growth, regulated bank whose market leadership position lies in its technology.

You will define strategy, priorities, and our security operating model aligned to business goals – reporting to the VP Engineering and supported in your development by our world-class CISO Board advisor. 

As the company continues to grow you’ll have unparalleled opportunities for career growth and to build out our infosec team around you. 

1. ISO 27001 certified. You own the certification from scoping to audit pass.
2. Implement external pen test & remediation. Every finding closed or formally risk-accepted.
3. MSSP/SOC live and producing alerts we act on. SLAs measured monthly. Escalation path drilled at least twice.
4. Engineering development processes aligned with security. Embed secure-by-design principles into technology and product development, working closely with engineering and DevOps teams. Full audit trail.
5. Regulatory compliance. Design, implement, and maintain security policies, standards, and procedures aligned to global standards and local regulations: BSP circulars, EPFS and PPMI (payments) requirements, and PCI DSS scope.
6. Mitigate user & device threats. Define, assess, and upgrade the law of least privilege across users & devices. No unmanaged device touches production.
7. A risk register used monthly by the exec team and Board. Internal and external (eg. vendor, supply chain) risks. Tied to mitigation owners and dates.
8. Develop a strong culture & training practice. Phishing simulation, secure-coding standards, IR runbook drilled live at least once.
9. Tooling. Evaluate and implement security tools and technologies, optimising for a lean, scalable security stack. Oversee vulnerability management and remediation, ensuring regular scanning, prioritisation, and tracking of fixes.

The strategy and roadmap with the exec team and Board Risk Committee. The MSSP relationship. Incident response. Vulnerability management. Third-party risk — particularly card processors, payment rails, KYC providers. BSP cybersecurity engagement and PCI DSS scope where it applies. Security culture — making it easier to do the right thing than the wrong thing.

• You've built a security function before, hands-on. Not advised — built. At a regulated fintech, payments business or bank. Be ready to walk us through what was there when you arrived and what was there when you left.
• You've led a Sev-1 from page to post-mortem. Tell us about one.
• You've taken an organisation through ISO 27001 as the responsible owner, not a consultant on the sidelines.
• You've stood up an MSSP — chosen the vendor, defined the use cases, tuned the alerts, fired one when it underperformed.
• You've written IAM policy that survived contact with real engineers. Azure-native (that's our stack).
• You're hands-on enough to read Terraform, open a PR, and debug events. If your last line of code was 5+ years ago, this isn't your role.
• Certifications — CISSP, CISM, CRISC, or ISO 27001 Lead Implementer/Auditor are useful signals. They're a tiebreaker, not the bar.

• Not a CISO inheriting a team — you'll build it. Year 1 you may have one or two hires.
• Not a paper-driven compliance role — we expect you in the codebase, in the cloud console, on the on-call rotation when it matters.
• Not for someone who needs a clean SOC 2 starting point. We're earlier than that, by design, and moving fast.

• No fixed budget for this role, we hire globally and adjust offers based on experience and market rate
• Equity ownership in a 150%+ growing, profitable NeoBank with a market which supports a business 50-100x today’s size

• Flexibility around working hours and location. The role can be worked remotely, with the option to work from one of our offices in London, Manila, Singapore, Hong Kong & Belgrade

• Macbooks, private health insurance, training budgets and more!

• Periodic travel to HQ in Southeast Asia