Chief Information Security Officer

Job Title: Chief Information Security Officer (CISO) Location: Mumbai - Work From Office Reporting To: Chief Risk Officer (with dual reporting to Board Risk / Audit Committee) Sector: General Insurance Experience: 15+ years in Information Security with leadership exposure in BFSI, ideally Insurance or FinTech Salary: 50LPA+ based on fitment Role Overview - The Chief Information Security Officer (CISO) will define and implement the company’s end-to-end Information Security framework, ensuring secure design, regulatory readiness, and operational resilience as the company moves from 0 to 1. - This is a strategic yet hands-on leadership role, ideal for someone who has managed security at scale in a regulated BFSI/Insurance environment, and now wants to build a secure-by-design foundation for a cloud-native, API-driven, AI-powered insurance platform. - The CISO will anticipate and pre-empt risks by leveraging prior experience, ensuring that the company’s technology-led innovation is always backed by enterprise-grade security and compliance discipline. Key Responsibilities 1. Information Security Strategy & Governance - Define and implement the enterprise-wide Information Security strategy, encompassing governance, risk management, data protection, and cybersecurity. - Establish security policies, frameworks, and control baselines in alignment with IRDAI, CERT-In, ISO 27001, and DPDP Act. - Build a scalable ISMS (Information Security Management System) from the ground up. 2. Cloud, Application & API Security - Review and work with engineering teams to develop secure architecture design for cloud-native systems, APIs, and microservices. - Review implemented automated controls for containerized and serverless environments. - Ensure security by design is baked into engineering processes through DevSecOps practices and CI/CD pipelines. 3. Cybersecurity Operations & Threat Management - Set up and oversee Security Operations (SOC), including SIEM, SOAR, and vulnerability management. - Build detection and response capability tailored for API-driven, AI-heavy applications. - Lead threat intelligence, incident response, and post-incident reviews. 4. AI & Data Security - Develop frameworks for secure and responsible AI/ML model governance, including data lineage, model access control, and risk mitigation for bias and data leakage. - Protect customer and training data in compliance with DPDP and data residency norms. 5. Regulatory & Compliance Management - Ensure readiness for IRDAI cyber security and IT governance audits. - Collaborate with Compliance and Legal teams for ongoing adherence to regulatory reporting and certifications (ISO 27001, SOC 2, etc.). - Build documentation and audit trails for pre-emptive compliance. 6. Third-Party & Ecosystem Security - Design and enforce Third-Party Risk Management (TPRM) framework for partners, TPAs, technology vendors, and data processors. - Conduct due diligence and continuous monitoring of vendor security posture. 7. Business Continuity & Resilience - Establish cloud-native BCP/DR plans, aligned with IRDAI requirements. - Lead incident and crisis management drills to validate resilience under simulated failures. 8. Security Culture & Awareness - Foster a security-first culture across engineering, product, and operations teams. - Conduct awareness programs, red/blue team simulations, and executive security workshops. 9. Leadership & Board Engagement - Advise leadership and Board Risk / Audit Committee on key threats, mitigation strategies, and regulatory posture. - Build and mentor an internal security team capable of scaling with the business. Desired Profile - 15+ years in Information Security, with at least 5 years in senior InfoSec roles at Insurance, NBFC, Bank, or FinTech. - Experience securing cloud-native, API-driven, or AI/ML-intensive platforms. - Strong grasp of IRDAI, CERT-In, DPDP Act, and global security standards. - Proven ability to design and operationalize security frameworks from zero, while ensuring future scalability. - Strong collaboration with Product, Engineering, and Risk teams. Qualifications / Certifications - Bachelor’s or Master’s degree in Computer Science, Cybersecurity, or related field. - Preferred certifications: CISSP, CISM, CCSP, ISO 27001 LA, AWS Security Specialty, CRISC. - Familiarity with frameworks like NIST CSF, Zero Trust Architecture, and OWASP API Security Top 10. Key Behavioural Attributes - Strategic foresight backed by operational pragmatism. - Startup agility with an enterprise governance mindset. - Strong executive presence and regulatory confidence. - Builder-leader who can “set up from scratch” yet think “at scale.” - Ethical, transparent, and decisive under pressure.