Cloud Security Lead — SaaS Platforms

ETP Group is an AI-first SaaS company serving the Retail and e-Commerce industries across Asia Pacific. With 39 years of trust in the market, it supports 500+ brands in 17 countries through enterprise-grade platforms. ETP’s cloud-native solutions—ETP Unify and Ordazzle—cover POS, CRM, Inventory, Promotions, PIM, OMS, WMS, LMS, and seamless marketplace integration. For large-format retail, ETP V5 offers a hybrid omni-channel suite. Built on secure, scalable M.A.C.H architecture. ETP delivers frictionless, personalized experiences across channels. Its intuitive, asset-light platforms accelerate cloud transformation, reduce IT overhead, and help retailers enhance CX, drive growth, and lead in a fast-evolving commerce environment. Here is a glimpse of what we do - http://www.etpgroup.com/Videos.html For more information, log on to www.etpgroup.com

Experience Required
6 - 8
Location
Mumbai
Role Type
Full Time
Share it on
0/ 300 characters
Designation: Cloud Security Lead — SaaS Platforms
Department: R&D
Location: Saki Vihar, Mumbai
Work Mode: Work from office
Working Days: Monday to Friday
Experience: 6 - 8 years

Job Description:

The Cloud Security Lead is the day-to-day owner of security for ETP's SaaS platforms - ETP Unify and Ordazzle - across cloud infrastructure, application, data and operations. Working closely with the CTA, engineering leads and the SRE function, the role implements and operates security controls across a multi-tenant SaaS estate, embeds DevSecOps into our SDLC, and drives ETP's ISO 27001 and SOC 2 programmes hands-on, with support from external audit partners. This is a builder's role with real ownership: the right candidate will establish ETP's SaaS security function in practice, with a clear growth path to leading it formally as the business scales.

Key Responsibilities

  • Security Architecture and Engineering
    • Implement and maintain the security architecture of ETP Unify and Ordazzle with the CTA and platform architects — tenant isolation, encryption in transit and at rest, key management, and secure service-to-service communication.
    • Design, implement, and harden the cloud network infrastructure by securing the Virtual Private Cloud (VPC) and deploying a Web Application Firewall (WAF) to protect internet-facing applications from cyber threats, following industry best practices such as the OWASP Top 10 and the principle of least privilege.
    • Define and maintain the identity and access management model across the platforms and cloud accounts — SSO, RBAC, least privilege, privileged access management and secrets management.
    • Maintain and evolve ETP's layered security framework and the cloud shared responsibility model, keeping customer-facing security documentation accurate and current.
    • Participate in engineering design reviews to assess security impact of architecture and design changes.
  • DevSecOps and secure SDLC
    • Embed security controls into CI/CD and GitOps pipelines: SAST, DAST, SCA/dependency scanning, container and image scanning, IaC scanning and secrets detection, with clear severity gates.
    • Operationalise the SDLC Quality Standard's security requirements, including secure coding guidelines, peer review criteria and pre-release security sign-off.
    • Run the vulnerability and patch management programme across the SaaS stack, aligned to ETP's existing patch and component EOL management policies, with defined SLAs by severity.
    • Commission and manage penetration tests and red-team exercises; drive remediation to closure.
  • Cloud Security Posture and Operations
    • Implement and operate cloud security posture management (CSPM) and workload protection across all production and non-production environments.
    • Define security logging, monitoring and alerting standards with the SRE function; own detection use-cases and the SIEM/monitoring roadmap.
    • Own the security incident response process end-to-end — playbooks, on-call integration, severity classification, customer notification obligations and post-incident reviews — integrated with ETP's incident management framework.
    • Govern backup, disaster recovery and business continuity controls for the SaaS platforms from a security standpoint.
  • Compliance, Certification and Data Protection
    • Drive ETP's VAPT programmes for Unify and Ordazzle hands-on: control implementation, evidence collection, internal audits and coordination with external consultants and auditors.
    • Ensure compliance with data protection regulation across ETP's operating markets, including Singapore PDPA, India DPDP Act, Indonesia PDP Law and other applicable APAC regimes, including data residency requirements.
    • Maintain the information security policy suite, risk register and statement of applicability; run periodic risk assessments and management reviews.
    • Manage third-party and vendor security risk, including cloud providers and sub-processors.
  • Customer Trust and Commercial Support
    • Act as the security authority in enterprise sales cycles: respond to customer security questionnaires, due-diligence audits and contractual security schedules in SaaS agreements.
    • Build and maintain a customer-facing trust pack (security whitepaper, certifications, pen-test summaries) that shortens security review cycles in deals.
    • Brief customers, prospects and partners on ETP's security posture when required.
  • Security culture and reporting
    • Build and run a security-champions network across engineering squads; deliver ongoing secure development training.
    • Report security posture, risk and compliance status to the CTA on a defined cadence, with clear metrics, and present to the CEO periodically.
    • Help define and, over time, hire into the security team as the SaaS business scales.
  • Success Measures — First 12 Months
    • VAPT readiness achieved for the defined SaaS scope (with external consultant support); SOC 2 Type re-certification.
    • Security gates live in all Unify and Ordazzle CI/CD pipelines with agreed severity SLAs; measurable reduction in mean time to remediate critical vulnerabilities.
    • Incident response playbooks tested through at least two tabletop exercises; zero unmanaged critical incidents.
    • Customer security questionnaire turnaround reduced to an agreed SLA with a standard trust pack in place.
    • CSPM deployed with baseline misconfiguration findings remediated across production environments.

The Job responsibilities of the candidate shall include but not limited to the Job Description & to perform any other tasks/functions as required by the Company.

Qualification and Experience

  • Required Skills
    • 6–8 years in information security or DevSecOps, with at least 2–3 years securing multi-tenant SaaS or cloud-native platforms, ideally in a product company.
    • Deep hands-on knowledge of at least one major cloud provider's security services (IAM, KMS, network security, logging and detection), plus Kubernetes and container security.
    • Strong hands-on experience embedding DevSecOps into CI/CD and GitOps pipelines (SAST/DAST/SCA, IaC scanning, secrets management) — this is a core, daily part of the role.
    • Direct working experience in an ISO 27001 and/or SOC 2 programme (implementation, evidence and audits); having led one end-to-end is a strong plus.
    • Working knowledge of the India DPDP Act, with awareness of Singapore PDPA and other APAC data protection regimes and their impact on SaaS platforms.
    • Strong understanding of application security for Java-based platforms and relational databases (MySQL hardening, encryption, patching).
    • Experience participating in — and ideally running — security incident response in a production SaaS environment.
    • A relevant certification (CCSP, CISSP, OSCP, CKS, or a cloud provider professional security certification) is desirable but not mandatory — demonstrated hands-on capability matters more.
    • Strong written and verbal communication in English, with the confidence to engage enterprise customers on security topics.
  • Desirable Skills
    • Experience in retail technology, payments or other regulated B2B SaaS domains; familiarity with PCI DSS.
    • Exposure to SRE practices, SLO-based operations and DORA metrics.
    • Ambition and aptitude to grow into a Head of Security role; experience helping build a security function in a scale-up environment.
    • Familiarity with AI-assisted engineering workflows and securing AI-enabled product features.

Perks and Benefits

  • Pick & Drop facility from Saki Naka Metro.
  • Complimentary breakfast.
  • Medical insurance coverage.