Back to Jobs
Security Lead / Architect
Actively Reviewing
National e-Governance Division
Job Description
Designation: Security Lead / Architect
Reports to: Director, NeGD
Educational Qualification
- B.Tech./B.E. in Computer Science, Information Technology, Cybersecurity, or related engineering discipline (Must have; full-time regular course), OR MCA
- M.Tech./M.S. in Information Security, Cybersecurity, or Applied Cryptography desirable
- Certifications (at least one required at deployment — Must have): CISSP, CISM, CCSP, or AWS Certified Security – Specialty
- Certifications (Desirable): ISO 27001 Lead Auditor / Lead Implementer, CKS (Certified Kubernetes Security Specialist), KCSA, CEH, OSCP, CSSLP, SABSA, TOGAF 9, DCPP or DPO training, HashiCorp Vault Associate
Experience
- 10+ years in application, platform, or cloud security, with minimum 3 years in a Security Lead or Security Architect role owning security for a production platform end-to-end
- Demonstrated experience embedding security into a DevSecOps toolchain — SAST, DAST, SCA, container scanning, secrets management, policy-as-code — at CI/CD level
- Demonstrated experience coordinating or leading VAPT, STQC certification, or equivalent third-party security audits for government or enterprise platforms
- Demonstrated experience defining secure coding standards, conducting threat modelling, and running secure design reviews
- Prior experience with Government of India security frameworks — MeitY Security Policy, CERT-In guidelines, ISO 27001, CIS Benchmarks — required
- Familiarity with DPDP Act 2023 operationalisation (consent, data-principal rights, retention, breach reporting) required
- Prior exposure to Kubernetes-native security (Kyverno, OPA / Gatekeeper, Falco) and supply-chain security (SBOM, Cosign signing, in-toto attestations) required
Key Responsibilities
Security Architecture Ownership
- Own the security architecture of the platform end-to-end — aligned to NIST CSF, Zero Trust Architecture, OWASP Top 10, ISO/IEC 27001:2022, CIS controls, CERT-In directions, and DPDP Act 2023
- Define and approve platform-level security controls: RBAC, MFA for privileged roles, secrets management, audit logging, encryption in transit (TLS 1.3) and at rest (AES-256), certificate lifecycle, Kubernetes RBAC
- Approve threat models, secure design reviews, and residual-risk registers across the developer portal and all platform layers; sign off on security acceptance criteria per phase gate
- Own the Zero Trust implementation across identity, network, and workload layers
DevSecOps & Supply Chain Security
- Define standards for security gates in CI/CD pipelines — SAST, DAST, SCA, secrets scanning, container scanning — and approve their integration into golden path templates
- Own supply-chain security posture: SBOM generation, vulnerability scanning, artefact signing, image provenance, and admission control via Kyverno / OPA-Gatekeeper
- Approve policy-as-code frameworks and Kubernetes admission policies enforced across the platform
Client-Side Governance of the Agency's Security Function
- Act as the technical authority over the agency's security engineering resources on all security matters; review their deliverables against contracted scope and validation criteria
- Approve VAPT scope, findings, and remediation plans; approve pen-test reports before production rollout and after major consumer onboarding waves
- Review security posture dashboards, vulnerability management pipelines, threat detection workflows, and security audit / evidence packs delivered by the agency
Compliance, Audit & Data Protection
- Own ISO/IEC 27001:2022-equivalent ISMS coverage across the platform's processes and personnel; ensure certification evidence is submitted and maintained through the engagement
- Operationalise DPDP Act 2023 compliance — consent architecture, data-principal rights procedures (access, correction, erasure), data minimisation, purpose limitation, retention and deletion, and cross-border transfer controls
- Conduct or approve Privacy Impact Assessments (PIAs) for sensitive flows including AI analytics
- Own CERT-In compliance including 6-hour incident reporting, log-retention obligations, and directions applicable to government platforms
- Own audit readiness — control mapping, evidence collection, gap analysis — for internal and external audits; support MeitY, STQC, and CAG audits
Security Operations & Incident Response
- Approve the security incident response framework — detection, triage, containment, eradication, recovery, and post-incident review — and its integration with the ITSM layer
- Approve runtime threat protection, secrets and credential risk management, and SIEM configurations delivered by the agency
- Own communication with CERT-In on reportable incidents; own breach notification within statutory timelines
Tenant-Facing Security Governance
- Approve tenant-specific security configurations — namespace isolation, RBAC policies, data-residency and classification requirements, dedicated deployment security posture
- Advise tenant administrators on security responsibilities under the federated custody model; support tenant-specific VAPT and audit requirements
AI Security & Emerging Threats
- Approve AI-integration security posture — prompt injection defence, RAG source integrity, PII redaction in conversation logs, model output filtering, adversarial input handling, and MITRE ATLAS-based risk assessment
- Define human-in-the-loop guardrails and audit logging for AI features across development, security, and operations use cases
Technical Competencies
- Application Security Testing: SAST (SonarQube, Semgrep, Checkmarx), DAST (OWASP ZAP, Burp Suite), SCA (Trivy, Snyk, Dependency-Track), secrets scanning (Gitleaks, TruffleHog), API security testing
- Supply-Chain Security: SBOM (Syft, CycloneDX, SPDX), vulnerability management (Grype), artefact signing (Cosign, sigstore), in-toto attestations, SLSA framework
- Policy-as-Code & Admission Control: Kyverno, OPA / Gatekeeper, Falco; Kubernetes network policies, Pod Security Standards
- Kubernetes & Container Security: Kubernetes RBAC, admission controllers, workload identity, runtime protection, container hardening, Docker security
- Cloud Security: AWS IAM, KMS, Secrets Manager, Inspector, Security Hub, GuardDuty, CloudTrail, CloudWatch Logs, ACM, WAF; equivalent controls on Azure or GCP; sovereign / NIC / MeghRaj-hosted deployment security patterns
- Cryptography & Key Management: AES-256, TLS 1.3, PKI, HSM basics, certificate lifecycle, HashiCorp Vault or equivalent secrets management
- Identity & Access: OAuth 2.0, OIDC, SAML, LDAP, RBAC/ABAC design; MFA for privileged roles; Keycloak, Auth0, AWS IAM Identity Center, Microsoft Entra ID; Aadhaar authentication and India Stack security patterns
- Threat Modelling & Secure Design: STRIDE, LINDDUN, PASTA; OWASP ASVS; secure SDLC integration; secure design review methodology
- SIEM, Detection & Response: SIEM design, log aggregation, correlation rule authoring, threat detection playbooks; incident response frameworks (NIST 800-61)
- VAPT & Red-Team Coordination: Scoping, execution oversight, remediation tracking; hands-on familiarity with Burp Suite, OWASP ZAP, Metasploit, nmap
- AI-Specific Security: Prompt injection defence, RAG integrity, model extraction risk, adversarial inputs, output filtering, MITRE ATLAS
- Compliance Frameworks: ISO/IEC 27001:2022, NIST CSF, CIS controls, CERT-In directions (including 6-hour reporting and log-retention), STQC framework, MeitY Security Policy and Guidelines
- Data Protection: DPDP Act 2023 (operational implementation), Government of India Data Classification Policy, PIA methodology, cross-border data-transfer controls
- Scripting: Python or Bash for security automation, evidence collection, and CI/CD integration
- Communication: Executive briefings to leadership, tenant CISOs, CERT-In, and auditors; ability to translate security posture and residual risk for non-technical audiences
Required Skills
Similar Jobs
View all →
ServiceNow Lead/Architect
RSCP
Hyderabad
₹12–18 LPA
ServiceNow Development
ITSM
REST API
+4
Cloud Platform Engineer
HCLSoftware
Noida
Red Hat
Compliance frameworks
ISO 27001
+22
Oracle cloud Infrastructure Engineer
ValueLabs
India
Security Compliance
ISO 27001
Compliance frameworks
+16
Engineering Infrastructure Security Manager
Gruve
Pune
Security Compliance
ISO 27001
Compliance frameworks
+13
DevSecOps / Security Engineer
Aivar Innovations
Bengaluru
Compliance frameworks
Adobe Illustrator
Python
+13
Share
Quick Apply
Upload your resume to apply for this position
–