Assistant Vice President

Role Summary :

The AVP Cyber Security is a critical leadership role responsible for driving the effectiveness of the bank's cyber security posture, governance, and regulatory compliance, specifically focusing on the RBI Cybersecurity Framework.

The role demands a proactive approach to risk management, acting as a trusted security advisor to technology and business stakeholders, and ensuring robust internal controls and audit readiness.

This position involves deep involvement in policy development, risk assessment, vendor oversight, and managing the cyber security awareness program.

Roles and Responsibilities :

- Execute comprehensive cyber security risk assessments, proactively integrating intelligence on latest technology developments and underlying emerging risks across the enterprise.

- Lead the periodic review and revision of the Bank's Information Security and Cyber Security Policy documentation to maintain relevance, robustness, and alignment with evolving regulatory landscapes.

- Conduct regular reviews of the effectiveness of the bank's Data Loss Protection (DLP) program, ensuring operational efficiency and providing oversight on the timely investigation and closure of all DLP alerts.

- Guarantee timely and complete compliance with all regulatory guidelines, advisories, and circulars issued by the RBI and other relevant bodies pertaining to Information and Cyber Security.

- Review the correctness and completeness of all data compiled for various regulatory submissions and filings concerning Information Security to ensure accuracy and integrity.

- Maintain a communication channel with Business and Technology stakeholders to keep them abreast of key regulatory compliance requirements and the emergence of new cyber risks.

- Periodically review and analyze Information/Cyber Security Key Risk Indicators (KRIs) and metrics to accurately assess and report the bank's current security posture to senior management.

- Provide active assistance during both Internal and External Audit processes, meticulously tracking and ensuring the timely remediation and implementation of corrective actions for all Information Security Audit findings.

- Review and integrate global and domestic Cyber security advisories/alerts as a core component of the Banks Vulnerabilities Management program, tracking remediation efforts across technology platforms.

- Analyze evolving trends and fundamental changes in the cyber threat landscape, particularly within rapidly evolving technology areas such as Public Cloud environments and APIs.

- Review the effectiveness of the half-yearly Technology and Information Security Risks Controls Self-Assessment (RCSA) process through targeted testing and validation procedures.

- Evaluate residual risks and review deviation approvals sought by technology or business teams against established security control standards, ensuring executive sign-off where appropriate.

- Orchestrate and conduct Information Security Committee meetings on a quarterly basis, generating detailed Minutes of Meeting (MoM) and strictly tracking all resultant actionable items to closure.

- Review the cyber security controls implemented by Outsourced Service Providers (OSP) and provide subject matter expertise for the security evaluation of new product/process approvals (NPA).

- Drive the bank-wide information security awareness program, ensuring mandatory training for all staff and vendors on critical Cyber Security best practices and emerging threats.

- Maintain a close working relationship with Technology teams, acting as a trusted security advisor throughout technology initiatives and formal processes like change management, incident response, patch management, security configuration, and vulnerability management.

- Guide the Security Operations team (SecOps) for the smooth and effective operationalization of the banks Info-Sec policies and regulatory guidelines within their BAU activities.

- Actively participate in operational risk forums and technology risk forums, providing expert advice as a Subject Matter Expert (SME) on areas of concern related to technology and cyber risk.

- Collaborate with complementary risk units, such as fraud risk controls and Business Continuity Management (BCM), on issues related to cyber fraud incidents and business continuity planning.

- Coordinate effectively with any 3rd party auditors appointed for independent IT/IS audits or specific regulatory compliance assignments, providing necessary documentation and context.

Required Technical Skills

- Cyber Security: Extensive experience in enterprise cyber security governance, risk assessment methodologies (e.g., ISO 27005, NIST RMF), and controls enforcement.

- RBI Cybersecurity Framework: Deep, working knowledge of the RBI's Cybersecurity Framework and its related circulars, guidelines, and compliance requirements for commercial banks.

- Information Security Audits: Proven experience in coordinating, managing, and remediating findings from both internal and external IS audits.

- Risk Management: Expertise in developing, tracking, and reporting on Key Risk Indicators (KRIs) and conducting Risk and Control Self-Assessments (RCSA).

- Policy Management: Demonstrated ability to draft, update, and implement enterprise-wide Information Security and Cyber Security Policies.

- DLP & Vulnerability Management: Strong understanding of Data Loss Protection (DLP) concepts and practical experience with Vulnerability Management processes and remediation tracking.

- Technology Risks: Awareness of cyber risks inherent in modern technologies such as Public Cloud architectures (Azure/AWS), APIs, and microservices.

Preferred Skills :

- Certification in relevant domains (CISM, CISSP, CISA, or CRISC).

- Experience with governance and risk platforms (GRC tools) for integrated risk and compliance management.

- Prior experience in the Banking, Financial Services, or Insurance (BFSI) sector is highly advantageous.

- Expertise in third-party vendor risk assessment (due diligence on OSP/NPA).

- Practical knowledge of Security Information and Event Management (SIEM) systems and log analysis.

- Experience in developing and delivering large-scale security awareness and training programs.

- Familiarity with business continuity and disaster recovery planning from a cyber security perspective.

- Knowledge of global data privacy regulations (GDPR, CCPA) beyond local mandates.