Information Security Officer

Job Description

About the company

Credit cards haven't changed much for over half a century so our team of seasoned bankers, technologists, and designers set out to redefine the credit card for you - the consumer. The result is OneCard - a credit card reimagined for the mobile generation. OneCard is India's best metal credit card built with full-stack tech. It is backed by the principles of simplicity, transparency, and giving back control to the user.

Key Responsibilities:

Security Strategy and Governance:

1. Develop, implement, and maintain a comprehensive information security roadmap and strategy aligned with business objectives.
2. Establish, mature, and enforce security policies, standards, and procedures to ensure a robust governance framework.
3. Collaborate with executive leadership on budget planning, forecasting, and management for security-related expenditures.

Audit and Compliance Management:

1. Lead and manage all aspects of internal and external audits, including those from regulatory bodies and clients (vendor due diligence).
2. Serve as the primary point of contact for auditors, ensuring all evidence requests are fulfilled accurately and on time.
3. Drive the remediation and closure of audit findings by coordinating with relevant technical and business teams.
4. Ensure ongoing compliance with key standards and regulations, including ISO 27001, ISO 22301, Credit Information Companies (CIC), and data localization laws.
5. Conduct routine compliance activities, such as management review meetings, to maintain certifications and ensure continuous improvement.

Risk and Vendor Management:

1. Establish and operate a robust vendor due diligence (VDD) program, working with internal teams and external audit vendors to assess third-party risk.
2. Oversee the end-to-end financial process for security vendors, including obtaining proposals, securing internal approvals, and tracking payments.
3. Identify, assess, and communicate security risks to the company's leadership and other key stakeholders.

Security Operations and Collaboration:

1. Act as the primary security advisor for the company, working closely with various technical teams and Technology Service Providers (TSPs).
2. Provide expert guidance and oversight for the implementation and management of security controls across key domains, including:

Cloud Security:

1. Advise on best practices for securing AWS environments.
2. Application Security: Champion the integration of security into the SDLC (SAST/DAST, penetration testing).

Network & Endpoint Security:

1. Guide the deployment and configuration of firewalls, WAF, IDS/IPS, and EDR solutions.
2. Identity & Access Management (IAM): Ensure robust implementation of SSO, MFA, and privileged access controls.

Qualifications and Experience:

1. Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related field.
2. 5-6 years of progressive experience in information security, with a focus on governance, risk, and compliance.
3. Demonstrated experience in developing or significantly maturing an information security program.
4. In-depth, hands-on experience leading and facing audits for frameworks like ISO 27001, SOC 2, or PCI DSS.
5. Professional certifications such as CISSP, CISM, CISA, or ISO 27001 Lead Auditor/Implementer are highly desirable.

Skills and Competencies:

1. Leadership and Ownership: A strategic leader with the ability to operate with a high degree of autonomy. Possesses a strong sense of ownership and takes full responsibility for the security posture of the company.
2. Independent Decision-Making: Proven ability to make critical, well-reasoned decisions independently and confidently drive security initiatives forward.
3. Stakeholder Management: Exceptional communication and interpersonal skills, with the ability to effectively articulate complex security concepts and risks to diverse stakeholders, including company directors, executive leadership, and heads of technology departments.
4. Broad Technical Proficiency: Strong, advisory-level knowledge across multiple security domains (Cloud, Network, Application, Endpoint, IAM).
5. Compliance Expertise: Deep understanding of ISO 27001, ISO 22301, CIC, and data localization principles.
6. Creative Problem-Solving: A proactive and innovative approach to identifying and solving complex security challenges in a dynamic environment.