
Director of Information Security (Stablecoin) Jobs in Central & Western District, Hong Kong SAR at AXG (Solowin Holdings)

Title: Director of Information Security (Stablecoin)

Company: AXG (Solowin Holdings)

Location: Central & Western District, Hong Kong SAR

Job Overview

We are hiring a Director of Information Security for AX Coin. This is a critical leadership role for a hands-on security expert who understands how to operate at the intersection of digital assets, stablecoins, and next-generation financial infrastructure.

AX Coin is the first and only licensed stablecoin issuer under the regulation of the Central Bank of Bahrain. It is building a regulated, institution-grade digital asset platform, and security sits at the core of everything we do. We are looking for someone who can design, build, and execute a robust security framework across our blockchain infrastructure, platforms, and data environments. 

This role requires a strong balance of technical depth and execution capability. We are not looking for a purely advisory profile; this is a builder role for someone who has hands-on experience securing digital asset platforms at scale.

 

Key Responsibilities

1. Security Strategy and Global Regulatory Governance

  • Regulatory Engagement: Lead the information security framework for the stablecoin business to meet key regulatory requirements including MiCA, DORA, the Central Bank of Bahrain (CBB), Singapore PSA, and the Hong Kong Monetary Authority.
  • Risk Reporting: Establish an independent security reporting line to the board of directors and regulatory bodies, and regularly issue a Proof of Reserves and Security Posture Report.
  • Framework Certification: Lead the implementation of ISO 27001, SOC 1/2 Type II, and NIST frameworks within blockchain operations and achieve multi-entity certification globally.

2. Digital Asset Security Architecture

  • Key and Private Key Management: Design and implement an enterprise-grade HSM + MPC strategy. Establish full lifecycle standards for private key generation, shard storage, backup, recovery, and destruction across cold, warm, and hot wallets.
  • Smart Contract Security: Establish a secure SDLC for smart contract development, lead third-party code audits, and build real-time risk control and blocking models against reentrancy attacks, flash loan attacks, and oracle manipulation. The candidate must be able to write PoCs to verify the existence of vulnerabilities.
  • Infrastructure Protection: Build a highly available blockchain node cluster resilient against DDoS attacks, eclipse attacks, and consensus layer hijacking.
  • Cloud and Application Security: Ensure compliance of cloud environments such as AWS, GCP, and Azure as well as internal application systems with security baselines, IAM policies, and data encryption requirements.

3. End-to-End Security Operations

  • End-to-End Architecture: Own the complete security architecture design for cloud, applications, and infrastructure, covering the entire chain from code commit to production deployment.
  • DevSecOps: Embed security capabilities into CI/CD pipelines, and drive automated SAST/DAST scanning, container image signing, and dependency vulnerability detection.
  • On-Chain Risk Control: Deploy and maintain on-chain forensics tools to conduct real-time anomalous transaction monitoring on issuance and burn contracts, and block interactions with funds from mixers and OFAC-sanctioned addresses.
  • Cross-Chain Bridge Security: For multi-chain deployment scenarios, establish third-party risk assessment and whitelisting mechanisms for cross-chain bridges to prevent cross-chain message forgery attacks.

4. Emerging Risks and Compliance Alignment

  • Identify and control risks from AI deepfakes, malicious AI-generated contracts, and Web3 governance attacks.
  • Audit and monitor the security maturity of all partners, node operators, oracles, and liquidity providers.

5. Incident Response and Resilience

  • Establish 24/7 monitoring and emergency response mechanisms, and develop playbooks for extreme scenarios such as private key loss or multi-signature downtime.
  • Organize red team vs. blue team exercises and conduct penetration testing on core functions such as minting, burning, and redemption.
  • Ensure the business balances rapid iteration with security baselines in a high-growth environment.

Key Requirements

1. Experience Requirements

  • Background: At least 5 years of information security experience, with no less than 3 years as a security lead or core architect in a payment institution, custodian, cryptocurrency firm, stablecoin issuer, or exchange.
  • Regulatory Hands-On Experience: Proven track record of directly participating in bank regulatory examinations or IT audits, and familiarity with the regulatory pace of the Central Bank of Bahrain (CBB) or similar central banks.

2. Hard Technical Skills

  • Cryptography: Deep understanding of the practical application of BIP-32/39/44, SLIP-39, Shamir secret sharing, ECDSA, EdDSA, and other algorithms in private key management.
  • Architectural Ability: Familiarity with enterprise-grade custody technology stacks such as Fireblocks, Cobo, and Copper. Experience architecting high-concurrency signing systems.
  • Contract Auditing: Capability to perform security audits of Solidity/Rust smart contracts and independently write PoCs to verify common vulnerabilities.
  • Cloud/Application Security: Proficiency in core AWS/Azure services including security groups, IAM, KMS, and WAF, and familiarity with Kubernetes security hardening.
  • Scripting Ability: Proficiency in using Python, Shell, and Solidity to develop security test scripts and PoCs.

3. Soft Skills

  • Strong ability to work across time zones, handle pressure, and demonstrate a strong willingness to respond promptly to work requirements.
  • English must be usable as a working language, with the ability to read international regulatory bills fluently and communicate directly with overseas regulators and auditors. Mandarin, Cantonese or other foreign languages are a strong plus.