Information Security GRC

Job Title: AVP – Information Security Governance, Risk and Compliance (IS GRC)

Department: Information Security Group (ISG)

Reporting To: Head – Information Security GRC

Job Location: REMOTE

Duration: 1 year,CONTRACT

Job Purpose:

The AVP – IS Governance, Risk and Compliance (IS GRC) is responsible for developing, managing, and executing Mashreq Bank's Information Security GRC strategy to:

• Support the business and technology vision with secure and resilient service delivery
• Ensure adherence to internal policies and global/regional information security regulations
• Strengthen the bank's cyber posture and drive a risk-aware, compliance-driven culture
• Support enterprise-wide governance initiatives as the Deputy to the Head of IS GRC

This role demands a T-shaped leader—deep expertise in one GRC domain and breadth across all others (Policy, Governance & Culture, Cyber Strategy & Program Management, Risk & Compliance).

Key Responsibilities:

1. Policy, Governance & Culture

• Design and maintain information security frameworks, policies, and standards in line with ISO 27001, NIST, and other best practices
• Lead governance forums (e.g., IS Committee, BRC, ORC) and manage resulting actions
• Define and monitor KPIs and KRIs related to ISG effectiveness
• Promote cyber awareness programs, staff training, and cultural initiatives bank-wide
• Coordinate and support internal/external audits and regulatory inspections
• Support global governance adherence and ESG (Environmental, Social, and Governance) alignment

2. Cyber Strategy & Program Management

• Support development and execution of the bank's multi-year cybersecurity strategy
• Oversee cyber program management, budgeting, and prioritization of strategic initiatives
• Align cybersecurity workforce and capabilities to business objectives
• Drive performance benchmarking and maturity assessments against peers
• Promote best practice sharing and embed a continuous improvement mindset
• Quantify cyber risk impact using qualitative and quantitative methods

3. Risk & Compliance

• Establish and operationalize the IS risk lifecycle aligned with ERM and ORM
• Govern Third-Party Risk Management (TPRM) and perform security due diligence
• Implement and track RCSA and IS risk register in the GRC platform
• Act as the business owner of the IS GRC solution (e.g., Prism), ensuring automation, dashboards, and centralized governance
• Maintain regulatory obligation registers, calendars, and ensure compliance with frameworks including:
• UAE NESA IAS
• PCI-DSS
• SWIFT CSP
• HKMA-C-RAF
• DFS500
• FFIEC
• Lead cyber insurance and encryption key management initiatives

General Responsibilities:

• Maintain and update the GRC roadmap; report progress bi-monthly to the Head of IS GRC
• Ensure timely closure of legal, regulatory, and audit-related issues with high quality
• Support local CISOs and IS SPOCs with GRC enablement, issue tracking, and audit readiness
• Deliver RTB (Run the Bank) and CTB (Change the Bank) initiatives with strong governance and minimal operational surprises

Key Performance Indicators:

• Measurable reduction of IS and cyber risk exposure
• Timely and high-quality closure of audits, exceptions, and regulatory issues
• Improved security awareness and behavior across the organization
• Operationalization of automated governance dashboards
• Compliance with all regulatory submissions and central bank directives

Key Working Relationships:

• Internal: Business Units (LOD-1), Tech GRC, IT, Compliance, Operational Risk, Fraud Prevention, Internal Audit
• External: Regional and International Regulators, Central Banks, Security Vendors, Audit Partners

Decision-Making Authority:

• Recommend and validate risk mitigation aligned with the bank's risk appetite
• Lead implementation of controls and frameworks that align with global security standards and local regulations
• Escalate and manage compliance or operational risk gaps proactively

Knowledge, Skills, and Experience:

Experience:

• 15+ years in Information Security, with at least 2–3 years in a GRC leadership capacity
• Deep understanding of security frameworks: ISO 27001, NIST 800 series, SWIFT CSP, PCI-DSS, COBIT
• Experience in regulatory compliance and cyber governance across international jurisdictions
• Proven track record managing large-scale enterprise security programs or GRC initiatives
• Hands-on experience with GRC platforms (e.g., Archer, Prism, MetricStream)

Education:

• Master's degree in Information Security, IT, or a related discipline

Certifications (any of the following mandatory):

• CISA
• CISSP
• PCI-QSA
• SABSA
• CRISC

Key Attributes:

• Strategic thinking with operational execution capabilities
• Ability to influence and collaborate across business units and international geographies
• Strong interpersonal, analytical, and risk-based decision-making skills
• Proactive, structured, and results-driven leader
• Committed to innovation, automation, and continuous improvement