Senior Role

Job Description – GRC (Infosec)

Job Summary
: The selected candidate will lead the development, implementation, and continuous improvement of the organization's governance, risk management, and compliance frameworks and programs. This role is critical in fostering a strong risk-aware and compliant culture across all departments, ensuring the organization meets its legal, regulatory, and ethical obligations while strategically managing potential threats to its operations and objectives.

Education & Qualification:

B.E. / B.Tech with minimum 13 + years of experience in in Governance, Risk, and Compliance roles, with a significant portion in a leadership capacity.

Professional certifications such as Security+, Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Governance of Enterprise IT (CGEIT), GRC Professional, Certified Chief Information Security Officer (CCISO) or similar are preferred.

Key Responsibilities:

Define the overall GRC strategy, policies, standards, and procedures.

Oversee the identification, assessment, analysis, and prioritization of enterprise-wide risks, including operational, reputational, and cybersecurity risks.

Develop and implement robust risk mitigation strategies and controls

Monitor the effectiveness of risk management activities and report on the organization's risk posture to senior leadership and the Board.

Ensure the organization complies with all applicable laws, regulations, industry standards, and internal policies (e.g., data privacy regulations like DPDPA, RBI regulatory requirements and compliance)

Develop and manage compliance programs, internal audits, and assessments to identify and address compliance gaps.

Drive a strong governance culture by establishing clear accountability, transparency, and ethical conduct throughout the organization

Develop and implement governance policies and procedures to guide decision-making and operational processes

Develop meaningful GRC metrics, dashboards, and reports for various stakeholders, including executive management and the Board.

Collaborate closely with various departments, including Enterprise Risk, IT Operations, Legal, Finance and HR to integrate GRC principles into daily business operations.

Act as a trusted advisor to business on Infosec Risk and Compliance matters.

Thoroughly review of all incoming information security requests (e.g., user access, system configuration changes, firewall rules creation/modifications, software installations, data access, third-party system integrations) and approve them.

Assess requests for completeness, accuracy, and adherence to established information security policies, procedures, & guidelines and analyse potential security risks, impacts associated with each request, including data confidentiality, integrity, and availability.

Review and approve access requests to sensitive systems, applications, and data and validate justifications, roles, and least-privilege principles prior to approval.

Maintain a comprehensive understanding of evolving security threats, vulnerabilities, and regulatory changes related to upcoming technologies like Blockchain and AI to take informed approval decisions.

Review and recommend exceptions to security policies and standards, identify and document any residual risks associated with approved exceptions, and ensure that compensating controls are in place for recommended exceptions, documenting the rationale, validity period, and expiration tracking.

Communicate clearly and concisely with requestors, providing detailed explanations for approvals, denials, or requests for additional information.

Identify opportunities to streamline the request approval process, enhance efficiency, and improve security controls.

Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements

Provide guidance and mentorship to junior security team members.

Technical Skills:

• Deep understanding of GRC principles, methodologies, and best practices.
• Strong analytical and problem-solving skills with the ability to identify, assess, and mitigate complex risks.
• Excellent communication, interpersonal, and presentation skills, with the ability to articulate complex GRC concepts to diverse audiences (technical and non-technical, all levels of management).
• Proven leadership and team management abilities, including the ability to influence and collaborate across departments.
• Strategic thinking with a proactive approach to GRC challenges.
• High level of integrity and ethical conduct.
• Ability to manage multiple projects and priorities in a dynamic environment.
• Proven track record of developing, implementing, and managing successful GRC programs in a complex organizational environment.
• Strong experience with risk assessment methodologies, control frameworks, and compliance audits.
• Experience with relevant regulatory frameworks (e.g., ISO 27001, NIST, SOC 2, PCI DSS, DPDPA, GDPR etc.).
• Strong understanding of security domains (e.g., network security, data security, application security).
• Understanding on cryptographic standards, application security, enterprise architecture, software development lifecycle etc.
• Experience with security frameworks (e.g., MITRE, NIST, ISO).
• Familiar in Vulnerability Management and Configuration Management with a commitment to staying current on emerging security threats and technological advancements.
• Knowledge of identity and access management (IAM) concepts and technologies and Familiarity with role-based access control (RBAC) models and approval workflows.
• Knowledge of cryptography, secure communication protocols, data encryption techniques, understanding of Key management process.
• Deep understanding of security vulnerabilities exploits applications, infrastructure and APIs
• Strong analytical and problem-solving skills.
• Basic understanding of cloud security principles (AWS, Azure, GCP) is a plus.
• Experience with ITSM or request/ticketing systems (e.g., ServiceNow, Jira, Remedy).