JD — Security Architect

Owner: People Operations
Classification: Internal
Review Date: April 2027
Status: Active

Job Description: Security Architect

Department: Technology & Digital
Reports to: Head of Information Security


Role Overview

Simpaisa holds payment licences in 7 jurisdictions — DFSA Cat 3D (applied), SBP, Bangladesh Bank, NRB, CBI, FINTRAC, and FCA. Every one of those regulators has security expectations. This is not a theoretical security role.

The Security Architect designs the security controls that protect Simpaisa's payment infrastructure, customer data, and regulatory standing. You will embed in the SDLC at Phase 3 (Architecture Review) to ensure every new corridor, operator integration, and product feature is designed securely from the start — not patched after audit.


Key Responsibilities

  • Design and maintain Simpaisa's security architecture — covering application, API, network, data, and cloud layers.

  • Own the threat modelling programme: update threat models for every new payment flow, data store, or integration pattern.

  • Define security requirements for new operator integrations and corridor launches; enforce them at ARB.

  • Lead the shift-left security checklist within SDLC v2.0 — security is a quality gate, not a sign-off at the end.

  • Conduct security risk assessments; maintain the risk register and exception register.

  • Evaluate and recommend security tooling: SIEM, WAF, DAST/SAST, secrets management, vulnerability scanning.

  • Drive compliance with DFSA/CBUAE cybersecurity requirements, the SBP Cybersecurity Framework, ISO 27001, and PCI-DSS where applicable.

  • Represent Simpaisa's security posture in regulatory audits and external assessments.

  • Respond to and lead post-mortems for security incidents.

  • Mentor Solution Engineers and Solution Architects on secure design patterns.


Required Skills and Experience

  • Security architecture: Deep expertise in designing security controls for web applications, APIs, and cloud infrastructure. Understanding of zero-trust principles.

  • Payments & fintech: Experience securing payment systems, cardholder data environments, or regulated financial services. PCI-DSS knowledge strongly preferred.

  • Threat modelling: Practical experience with STRIDE or PASTA; ability to run threat modelling sessions with engineering teams.

  • Regulatory compliance: Experience working with financial regulators or in DFSA/FCA/SBP-regulated environments. Understanding of what auditors actually look for.

  • DevSecOps: Experience embedding security into CI/CD pipelines — SAST, DAST, dependency scanning (Snyk or similar), secrets detection.

  • Cloud security: AWS or Azure security controls, IAM, encryption at rest and in transit, cloud security posture management.

  • Certifications (preferred): CISSP, CISM, or equivalent. Not a substitute for practical experience.

  • Communication: Ability to explain security risks and controls to a CISO, a regulator, and a junior engineer — in that order.


General Requirements

  • Bachelor's degree in Information Security, Computer Science, or a related field.

  • 8+ years of progressive experience in information security, with at least 3 years in an architecture or lead security design role.

  • Demonstrated experience designing security for regulated financial or payment systems.


What We Offer

  • Competitive salary benchmarked to Dubai market rates.

  • Security work that has genuine regulatory consequence — DFSA and SBP don't accept "we're working on it."

  • Direct involvement in licence applications and regulatory submissions.

  • Visa sponsorship available for the right candidate.