National Head Information Security, Audit and Compliance

ROLE SUMMARY

The National Head of Information Security, Audit, and Compliance is responsible for organizations information security governance, risk management, and compliance frameworks are robust, aligned with regulatory requirements, and continuously improved to mitigate risks and enhance security controls. The role will be responsible for overseeing and leading the organization's information security audit and compliance functions across all business units and regions.

The Head will be responsible for developing and executing a strategic audit plan for information security, ensuring adherence to industry standards (such as RBI and other relevant guidelines), and managing a team of skilled auditors. Additionally, the role involves driving operational governance related to information security and audit functions, enabling improvements in efficiency through robust compliance frameworks, and fostering a culture of security awareness and innovation within the team. The Head will focus on enhancing the skills and capabilities of the information security team while creating an environment that promotes high performance.

KEY RESPONSIBILITIES

Strategic Direction

• Develop and implement a comprehensive information security audit strategy aligned with the organizations business objectives, risk appetite, and regulatory requirements
• Ensure the development and execution of the audit framework, annual audit plan/calendar, prioritizing audits based on risk assessments and business impact.

Risk & Compliance

• Review and ensure that information security governance frameworks and policies are well-defined, communicated, and adhered to across MFL.
• Oversee and ensure compliance with regulatory requirements, such as RBI guidelines, ISO 27001, PCI DSS, GDPR, and other relevant standards specific to the Non-Banking Financial Company (NBFC) sector.
• Assess and evaluate the information security risk across business units and implement appropriate controls and mitigation strategies.
• Lead end-to-end audits of the MFL's IT systems, infrastructure, applications, and business processes, focusing on identifying security vulnerabilities, non-compliance issues, and gaps.
• Evaluate the effectiveness of existing controls and security measures, providing recommendations for improvements.
• Ensure periodic reviews of third-party vendors and service providers to ensure they comply with the company's security standards and regulatory obligations.
• Provide regular updates to the Board on risk and compliance matters, incorporating their feedback into the overall strategy and operational plan

Stakeholder Management & Reporting

• Collaborate with various business units, including IT, Risk, Legal, and Compliance, to promote awareness and understanding of security audit findings and best practices.
• Work with the business units and functions for ISO certification
• Work with the external auditors, regulators, and other stakeholders to ensure alignment on compliance-related issues.
• Prepare and present audit reports, findings, and recommendations to senior management and quarterly to the Audit Committee.

Operational Excellence

• Leverage information security practices effectively while driving innovation for efficiency improvements, ensuring that compliance considerations remain central to all initiatives
• Lead efforts to enhance security and compliance across all existing and future products, services, and processes to maintain a competitive advantage
• Develop and lead training programs to enhance awareness and understanding of security and compliance within the organization.
• Drive the continuous improvement of information security policies, procedures, and audit methodologies, ensuring they remain relevant and effective in addressing emerging risks.

Team management and capability development

• Develop clear goals for the compliance team and facilitate alignment with broader organizational objectives, regularly reviewing team performance and providing constructive feedback
• Identify training needs and implement capability-building programs that empower teams to excel and adapt to the evolving regulatory landscape
• Foster a culture of collaboration, accountability, and excellence within the team

KEY CHALLENGES

• Driving awareness and building an environment where audit is considered as a priority
• Internal pace of working and slow pace of approvals

KEY DECISIONS TAKEN

• Sign off on the IS Audit before sharing with Audit Committee
• Recommendations across business with respect to risk and compliance in reference to information security

KEY INTERACTIONS

Internal Stakeholders

External Stakeholders

Audit Committee: Present audit findings to the committee every quarter

Senior Leadership: Provide insights on the key findings from the audits conducts and gaps identified

All functional heads to seek alignment on the audit process and ensure compliance as per set standards

Vendors Audit Partners – Provide necessary support to carry out auditing process

Regulatory Authorities such as RBI to ensure compliance with external regulations and directives

KEY ROLE DIMENSIONS

Team Size: 2 direct reports

EDUCATION / EXPERIENCE

Minimum Qualification:

Bachelor's or Master's degree in Computer Science, Information Security, Audit, Risk Management, Business Management or a related field.

Nature of Experience:

• At least 12-15 years of proven experience in information security, audit, risk management, and compliance, with at least 5 years in a leadership role in BFSI or NBFC.
• Strong background in compliance frameworks, risk management, and security strategy.
• Professional certifications such as CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), or equivalent are highly desirable.
• Proven track record in implementing effective security solutions that enhance operational efficiency and ensure regulatory compliance.
• In-depth knowledge of regulatory frameworks, standards, and best practices for information security (e.g., RBI Guidelines, ISO 27001, NIST, GDPR).
• Strong background in conducting internal audits related to information security, risk management, and IT governance within the financial services or NBFC sector.
• Proven track record of successfully leading audits, driving compliance, and implementing corrective actions.
• Strong understanding of the information security landscape, including risk management, vulnerability management, incident response, data protection, and business continuity planning.
• Experience with tools and technologies used for security auditing and vulnerability assessment.
• Excellent communication and interpersonal skills, with the ability to interact with senior management, regulators, and external auditors.
• High degree of integrity, professionalism, and ethical standards.
• Strong analytical and problem-solving skills.
• Ability to handle multiple priorities and work under pressure to meet deadlines.
• Strong leadership and team management skills, with a collaborative approach to achieving organizational objectives.