Bestkaam Logo
Back to Jobs
National e-Governance Division

Security Lead / Architect

Actively Reviewing

National e-Governance Division

Delhi Contract 4–8 yrs exp Posted 1 hour ago  · Apply by Sep 14, 2026

Designation: Security Lead / Architect


Reports to: Director, NeGD


Educational Qualification

  • B.Tech./B.E. in Computer Science, Information Technology, Cybersecurity, or related engineering discipline (Must have; full-time regular course), OR MCA
  • M.Tech./M.S. in Information Security, Cybersecurity, or Applied Cryptography desirable
  • Certifications (at least one required at deployment — Must have): CISSP, CISM, CCSP, or AWS Certified Security – Specialty
  • Certifications (Desirable): ISO 27001 Lead Auditor / Lead Implementer, CKS (Certified Kubernetes Security Specialist), KCSA, CEH, OSCP, CSSLP, SABSA, TOGAF 9, DCPP or DPO training, HashiCorp Vault Associate


Experience

  • 10+ years in application, platform, or cloud security, with minimum 3 years in a Security Lead or Security Architect role owning security for a production platform end-to-end
  • Demonstrated experience embedding security into a DevSecOps toolchain — SAST, DAST, SCA, container scanning, secrets management, policy-as-code — at CI/CD level
  • Demonstrated experience coordinating or leading VAPT, STQC certification, or equivalent third-party security audits for government or enterprise platforms
  • Demonstrated experience defining secure coding standards, conducting threat modelling, and running secure design reviews
  • Prior experience with Government of India security frameworks — MeitY Security Policy, CERT-In guidelines, ISO 27001, CIS Benchmarks — required
  • Familiarity with DPDP Act 2023 operationalisation (consent, data-principal rights, retention, breach reporting) required
  • Prior exposure to Kubernetes-native security (Kyverno, OPA / Gatekeeper, Falco) and supply-chain security (SBOM, Cosign signing, in-toto attestations) required


Key Responsibilities


Security Architecture Ownership

  • Own the security architecture of the platform end-to-end — aligned to NIST CSF, Zero Trust Architecture, OWASP Top 10, ISO/IEC 27001:2022, CIS controls, CERT-In directions, and DPDP Act 2023
  • Define and approve platform-level security controls: RBAC, MFA for privileged roles, secrets management, audit logging, encryption in transit (TLS 1.3) and at rest (AES-256), certificate lifecycle, Kubernetes RBAC
  • Approve threat models, secure design reviews, and residual-risk registers across the developer portal and all platform layers; sign off on security acceptance criteria per phase gate
  • Own the Zero Trust implementation across identity, network, and workload layers

DevSecOps & Supply Chain Security

  • Define standards for security gates in CI/CD pipelines — SAST, DAST, SCA, secrets scanning, container scanning — and approve their integration into golden path templates
  • Own supply-chain security posture: SBOM generation, vulnerability scanning, artefact signing, image provenance, and admission control via Kyverno / OPA-Gatekeeper
  • Approve policy-as-code frameworks and Kubernetes admission policies enforced across the platform

Client-Side Governance of the Agency's Security Function

  • Act as the technical authority over the agency's security engineering resources on all security matters; review their deliverables against contracted scope and validation criteria
  • Approve VAPT scope, findings, and remediation plans; approve pen-test reports before production rollout and after major consumer onboarding waves
  • Review security posture dashboards, vulnerability management pipelines, threat detection workflows, and security audit / evidence packs delivered by the agency

Compliance, Audit & Data Protection

  • Own ISO/IEC 27001:2022-equivalent ISMS coverage across the platform's processes and personnel; ensure certification evidence is submitted and maintained through the engagement
  • Operationalise DPDP Act 2023 compliance — consent architecture, data-principal rights procedures (access, correction, erasure), data minimisation, purpose limitation, retention and deletion, and cross-border transfer controls
  • Conduct or approve Privacy Impact Assessments (PIAs) for sensitive flows including AI analytics
  • Own CERT-In compliance including 6-hour incident reporting, log-retention obligations, and directions applicable to government platforms
  • Own audit readiness — control mapping, evidence collection, gap analysis — for internal and external audits; support MeitY, STQC, and CAG audits

Security Operations & Incident Response

  • Approve the security incident response framework — detection, triage, containment, eradication, recovery, and post-incident review — and its integration with the ITSM layer
  • Approve runtime threat protection, secrets and credential risk management, and SIEM configurations delivered by the agency
  • Own communication with CERT-In on reportable incidents; own breach notification within statutory timelines

Tenant-Facing Security Governance

  • Approve tenant-specific security configurations — namespace isolation, RBAC policies, data-residency and classification requirements, dedicated deployment security posture
  • Advise tenant administrators on security responsibilities under the federated custody model; support tenant-specific VAPT and audit requirements

AI Security & Emerging Threats

  • Approve AI-integration security posture — prompt injection defence, RAG source integrity, PII redaction in conversation logs, model output filtering, adversarial input handling, and MITRE ATLAS-based risk assessment
  • Define human-in-the-loop guardrails and audit logging for AI features across development, security, and operations use cases


Technical Competencies

  • Application Security Testing: SAST (SonarQube, Semgrep, Checkmarx), DAST (OWASP ZAP, Burp Suite), SCA (Trivy, Snyk, Dependency-Track), secrets scanning (Gitleaks, TruffleHog), API security testing
  • Supply-Chain Security: SBOM (Syft, CycloneDX, SPDX), vulnerability management (Grype), artefact signing (Cosign, sigstore), in-toto attestations, SLSA framework
  • Policy-as-Code & Admission Control: Kyverno, OPA / Gatekeeper, Falco; Kubernetes network policies, Pod Security Standards
  • Kubernetes & Container Security: Kubernetes RBAC, admission controllers, workload identity, runtime protection, container hardening, Docker security
  • Cloud Security: AWS IAM, KMS, Secrets Manager, Inspector, Security Hub, GuardDuty, CloudTrail, CloudWatch Logs, ACM, WAF; equivalent controls on Azure or GCP; sovereign / NIC / MeghRaj-hosted deployment security patterns
  • Cryptography & Key Management: AES-256, TLS 1.3, PKI, HSM basics, certificate lifecycle, HashiCorp Vault or equivalent secrets management
  • Identity & Access: OAuth 2.0, OIDC, SAML, LDAP, RBAC/ABAC design; MFA for privileged roles; Keycloak, Auth0, AWS IAM Identity Center, Microsoft Entra ID; Aadhaar authentication and India Stack security patterns
  • Threat Modelling & Secure Design: STRIDE, LINDDUN, PASTA; OWASP ASVS; secure SDLC integration; secure design review methodology
  • SIEM, Detection & Response: SIEM design, log aggregation, correlation rule authoring, threat detection playbooks; incident response frameworks (NIST 800-61)
  • VAPT & Red-Team Coordination: Scoping, execution oversight, remediation tracking; hands-on familiarity with Burp Suite, OWASP ZAP, Metasploit, nmap
  • AI-Specific Security: Prompt injection defence, RAG integrity, model extraction risk, adversarial inputs, output filtering, MITRE ATLAS
  • Compliance Frameworks: ISO/IEC 27001:2022, NIST CSF, CIS controls, CERT-In directions (including 6-hour reporting and log-retention), STQC framework, MeitY Security Policy and Guidelines
  • Data Protection: DPDP Act 2023 (operational implementation), Government of India Data Classification Policy, PIA methodology, cross-border data-transfer controls
  • Scripting: Python or Bash for security automation, evidence collection, and CI/CD integration
  • Communication: Executive briefings to leadership, tenant CISOs, CERT-In, and auditors; ability to translate security posture and residual risk for non-technical audiences