Chief Information Security Officer

Job Title: Chief Information Security Officer (CISO)Location: Mumbai - Work From OfficeReporting To: Chief Risk Officer (with dual reporting to Board Risk / Audit Committee)Sector: General InsuranceExperience: 15+ years in Information Security with leadership exposure in BFSI, ideally Insurance or FinTechSalary: 50LPA+ based on fitment Role Overview- The Chief Information Security Officer (CISO) will define and implement the company’s end-to-end Information Security framework, ensuring secure design, regulatory readiness, and operational resilience as the company moves from 0 to 1.- This is a strategic yet hands-on leadership role, ideal for someone who has managed security at scale in a regulated BFSI/Insurance environment, and now wants to build a secure-by-design foundation for a cloud-native, API-driven, AI-powered insurance platform.- The CISO will anticipate and pre-empt risks by leveraging prior experience, ensuring that the company’s technology-led innovation is always backed by enterprise-grade security and compliance discipline. Key Responsibilities1. Information Security Strategy & Governance- Define and implement the enterprise-wide Information Security strategy, encompassing governance, risk management, data protection, and cybersecurity.- Establish security policies, frameworks, and control baselines in alignment with IRDAI, CERT-In, ISO 27001, and DPDP Act.- Build a scalable ISMS (Information Security Management System) from the ground up. 2. Cloud, Application & API Security- Review and work with engineering teams to develop secure architecture design for cloud-native systems, APIs, and microservices.- Review implemented automated controls for containerized and serverless environments.- Ensure security by design is baked into engineering processes through DevSecOps practices and CI/CD pipelines. 3. Cybersecurity Operations & Threat Management- Set up and oversee Security Operations (SOC), including SIEM, SOAR, and vulnerability management.- Build detection and response capability tailored for API-driven, AI-heavy applications.- Lead threat intelligence, incident response, and post-incident reviews. 4. AI & Data Security- Develop frameworks for secure and responsible AI/ML model governance, including data lineage, model access control, and risk mitigation for bias and data leakage.- Protect customer and training data in compliance with DPDP and data residency norms. 5. Regulatory & Compliance Management- Ensure readiness for IRDAI cyber security and IT governance audits.- Collaborate with Compliance and Legal teams for ongoing adherence to regulatory reporting and certifications (ISO 27001, SOC 2, etc.).- Build documentation and audit trails for pre-emptive compliance. 6. Third-Party & Ecosystem Security- Design and enforce Third-Party Risk Management (TPRM) framework for partners, TPAs, technology vendors, and data processors.- Conduct due diligence and continuous monitoring of vendor security posture. 7. Business Continuity & Resilience- Establish cloud-native BCP/DR plans, aligned with IRDAI requirements.- Lead incident and crisis management drills to validate resilience under simulated failures. 8. Security Culture & Awareness- Foster a security-first culture across engineering, product, and operations teams.- Conduct awareness programs, red/blue team simulations, and executive security workshops. 9. Leadership & Board Engagement- Advise leadership and Board Risk / Audit Committee on key threats, mitigation strategies, and regulatory posture.- Build and mentor an internal security team capable of scaling with the business. Desired Profile- 15+ years in Information Security, with at least 5 years in senior InfoSec roles at Insurance, NBFC, Bank, or FinTech.- Experience securing cloud-native, API-driven, or AI/ML-intensive platforms.- Strong grasp of IRDAI, CERT-In, DPDP Act, and global security standards.- Proven ability to design and operationalize security frameworks from zero, while ensuring future scalability.- Strong collaboration with Product, Engineering, and Risk teams. Qualifications / Certifications- Bachelor’s or Master’s degree in Computer Science, Cybersecurity, or related field.- Preferred certifications: CISSP, CISM, CCSP, ISO 27001 LA, AWS Security Specialty, CRISC.- Familiarity with frameworks like NIST CSF, Zero Trust Architecture, and OWASP API Security Top 10. Key Behavioural Attributes- Strategic foresight backed by operational pragmatism.- Startup agility with an enterprise governance mindset.- Strong executive presence and regulatory confidence.- Builder-leader who can “set up from scratch” yet think “at scale.”- Ethical, transparent, and decisive under pressure.