
External Penetration Testing - Vendor Lead

Singapore, Singapore · Job Posted January 22, 2026

Job Description

This is a senior-level professional position responsible for serving as the liaison between Citi stakeholders and external penetration testing vendors: addressing testing challenges, driving vulnerability discussions with Citi stakeholders, driving the operational health of the penetration testing vendors and their adherence to Citi procedures, analyzing vulnerability trends to improve the root cause model of existing testing mechanisms, and maintaining the overall security hygiene of the organization. The role also requires the candidate to manage the end-to-end Vulnerability Disclosure Process for Citi, which involves onboarding applications with vendors, triaging reports, and driving lessons learned from the public disclosure and Private Bug Bounty program. The overall objective of this role is to ensure that the execution of Information Security directives and activities is aligned with Citi's data security policy.

Job Responsibilities

  • Be the central liaison between Citi stakeholders and the external penetration testing vendor, acting as a collaborator to ensure smooth execution of the end-to-end engagement
  • Manage the end-to-end Vulnerability Disclosure process, which involves onboarding applications, triaging, retesting, and identifying lessons learned from the vulnerabilities reported through this channel
  • Apply knowledge of the OWASP Top 10 and SANS Top 25
  • Perform yearly quality checks on the vendors to ensure adherence to technical and process quality
  • Act as an application security subject matter expert to assist both Citi stakeholders and third-party vendors during vulnerability risk discussions
  • Focus on and drive the quality of the information submitted by businesses requesting penetration testing services, ensuring that the provided information is accurate and complete
  • Maintain a high level of operational oversight of all vendors and ongoing penetration testing activities, so that engagements progress with the right level of attention
  • Have strong communication skills in order to communicate expectations effectively and resolve challenges
  • Have strong technical writing and presentation skills to articulate the penetration testing process end-to-end to any audience
  • Contribute to the review of internal processes and activities, and assist in identifying opportunities for improvement and automation
  • Reduce risk by analyzing the root cause of issues, their impact, and the corrective actions required for existing processes
  • Appropriately assess risk when business decisions are made, with particular consideration for the firm's reputation and for safeguarding Citibank, its clients, and its assets: drive compliance with applicable laws, rules, and regulations; adhere to Policy; apply sound ethical judgment regarding personal behavior, conduct, and business practices; and escalate, manage, and report control issues with transparency

Requirements

  • Minimum of 5 years of relevant experience in Information Security and/or a relevant Technology role
  • Advanced proficiency with Microsoft Office tools and software
  • Consistently demonstrates clear and concise written and verbal communication
  • Proven influencing and relationship management skills
  • Proven analytical skills
  • Bachelor’s degree/University degree or equivalent experience

Nice to have

  • Familiarity with, or hands-on experience in, application security testing
  • Basic understanding of Web / Mobile / API security and the relevant testing tools
  • Relevant certifications are a plus but not a requirement: GPEN, GWAPT, GMOB, GWEB
  • Master’s degree preferred
