Responsibilities

• Lead identity separation including Entra ID/Active Directory tenant setup, domain and workload migrations, MFA/Conditional Access, PIM, and service accounts
• Define and enforce access governance (RBAC, joiner‑mover‑leaver processes, approvals, audit trails) and conduct periodic access reviews
• Implement data protection and compliance controls: classification/labeling, encryption, DLP, secure transfer, retention, and eDiscovery
• Oversee secure connectivity and perimeter controls (network segmentation, firewalls, VPN/SASE, DNS/DHCP, internet breakout)
• Coordinate security assessments, penetration testing, and vendor risk reviews; manage risks with remediation plans
• Establish incident response readiness for cutover and early life support; integrate logging, monitoring, and SIEM
• Align with institutional security standards and deliver compliance sign‑off

Requirements

• 10+ years of experience across infrastructure and cyber security, with at least 5 years designing and operating Microsoft 365/Entra ID/AD at scale
• Proven track record leading at least two end‑to‑end identity/infrastructure/security separations (e.g., Microsoft 365 tenant split, AD domain separation, network carve‑out) with successful cutover and no unauthorized access or data leakage
• Hands‑on expertise with Microsoft 365 tenant build and tenant‑to‑tenant migrations (Exchange Online, SharePoint/OneDrive, Teams), Conditional Access, PIM, Intune/MDM
• Strong background in network and security engineering: firewalls (Fortinet, Cisco, Palo Alto), VPN/SASE, segmentation, DNS/DHCP, Wi‑Fi
• Exposure to Microsoft security and compliance features (DLP, Purview, eDiscovery) and SIEM/SOAR platforms (e.g., Microsoft Sentinel) preferred
• Knowledge of PDPO and ISO 27001; experience conducting audits and penetration tests
• Relevant certifications preferred: CISSP/CISM, SC‑100/SC‑300/AZ‑500, MS‑102, and/or network security certifications (CCNP, NSE)
• Excellent coordination across workstreams and strong risk management skills
• Fluent in English and Cantonese
• Onsite presence in Hong Kong, with flexibility for after‑hours and weekend migration/cutover support