Security Governance - Overseas

8 years

0 Lacs

Posted: 3 days ago | Platform: LinkedIn


Work Mode

On-site

Job Type

Contractual

Job Description

Job Title

Senior Manager- IT Security Governance Overseas

Job Grade

G9B/G9A

Function

IT

Sub-function

Cyber Security

Location

Mumbai

Job Summary/Areas Of Responsibilities

At Sun Pharma, we commit to helping you “Create your own sunshine” by fostering an environment where you grow at every step, take charge of your journey and thrive in a supportive community.

Are You Ready to Create Your Own Sunshine?

As you enter the Sun Pharma world, you’ll find yourself becoming ‘Better every day’ through continuous progress. Exhibit self-drive as you ‘Take charge’ and lead with confidence. Additionally, demonstrate a collaborative spirit, knowing that we ‘Thrive together’ and support each other’s journeys.

Job Summary

The IT Security Governance role is responsible for establishing, implementing, and overseeing the organization's information security framework, policies, and compliance programs. This role ensures that our cybersecurity strategy aligns with business objectives and adheres to stringent regulatory requirements and industry standards specific to the pharmaceutical sector. This role is crucial for protecting sensitive data, including patient information, intellectual property, and clinical trial data, while ensuring adherence to a complex web of industry-specific regulations.

Key Responsibilities

  • Strategic Leadership:
    • Develop and maintain a comprehensive IT security governance framework, policies, and procedures aligned with global standards like ISO 27001, NIST Cybersecurity Framework, and specific pharmaceutical regulations such as FDA 21 CFR Part 11 and GxP.
  • Incident Response Oversight:
    • Provide oversight of the incident response plan, ensuring a rapid and effective response to any security breaches or incidents to minimize impact and ensure business continuity.
  • Team Management:
    • Lead, mentor, and develop a team of IT security professionals, fostering a high-performance culture and ensuring the team is equipped with the necessary skills and resources.
  • GRC Strategy & Framework:
    • Design, implement, and sustain the organization’s information security GRC strategy and framework, ensuring alignment with industry standards (e.g., ISO 27001, NIST, COBIT) and Indian regulatory requirements (e.g., RBI guidelines, IT Act 2000, SEBI, IRDAI).
    • Develop and enhance GRC policies, standards, procedures, and guidelines to support effective risk management and regulatory compliance.
    • Promote the integration of GRC practices into core business processes and IT operations.
    • Monitor changes in regulatory and legal requirements, as well as industry standards, and translate them into practical GRC initiatives.
  • Risk Management:
    • Lead the identification, assessment, analysis, and prioritization of information security and IT risks across the organization.
    • Develop, implement, and manage comprehensive risk management strategies, mitigation plans, and a robust IT security risk management program, including appropriate methodologies, tools, and reporting mechanisms.
    • Conduct regular risk assessments and audits, such as business impact analyses (BIA), security risk assessments, and third-party risk assessments, to evaluate the effectiveness of existing controls and recommend improvements.
    • Maintain and manage the IT risk register, tracking identified risks, mitigation efforts, and residual risk levels, and providing regular updates to senior management.
    • Facilitate risk treatment decisions and monitor the ongoing effectiveness of risk mitigation strategies.
    • Implement a program to assess and manage the cybersecurity risks posed by third-party vendors, suppliers, and partners. Ensure that all external parties handling company data meet the required security standards.
    • Monitor emerging threats, vulnerabilities, and regulatory changes that could impact risk posture.
  • Compliance Management:
    • Oversee the organization's adherence to all relevant information security, data protection, data privacy, and other regional laws, including IT-related laws, regulations, and contractual obligations, with specific focus on:
      • IT Act 2000 & Rules: covering the cybersecurity framework, data localization, outsourcing, etc., including rules related to sensitive personal data.
      • SEBI Regulations: if applicable to capital markets.
      • GDPR / CCPA: data of individuals from the EU/California.
      • HIPAA: for patient data.
      • Industry Standards: ISO 27001, DPDP, ITGC, SOC 2, etc.
    • Lead and coordinate internal and external security audits, assessments, and certification efforts (e.g., ISO 27001), serving as the primary liaison throughout the process.
    • Monitor and manage audit findings, ensuring timely resolution and effective remediation.
    • Design and implement compliance monitoring frameworks, including dashboards for ongoing oversight.
    • Promote a culture of compliance by driving awareness and training initiatives across all departments.
  • Policy & Controls Management:
    • Develop, review, and regularly update information security policies, standards, and procedures to align with evolving risks, technologies, and regulatory requirements across all business units and systems, including those related to access control, data encryption, and incident response. Ensure these policies are communicated to and understood by all employees.
    • Oversee the effective implementation and operationalization of security controls across the organization.
    • Perform control effectiveness testing and maturity assessments to ensure continuous improvement.
    • Ensure GRC initiatives are aligned with business goals and meet applicable regulatory obligations.
    • Conduct periodic reviews to keep policies and procedures current with industry best practices and the changing regulatory landscape.
  • Security Awareness & Training:
    • Lead the development and execution of a company-wide security awareness and training program to foster a culture of security, ensuring all employees understand their roles and responsibilities in protecting company information.
  • Reporting & Communication:
    • Create and present regular GRC reports, dashboards, and key performance metrics to senior leadership, offering visibility into major risks, compliance posture, and continuous improvement efforts.
    • Clearly articulate complex GRC concepts and requirements to both technical and non-technical stakeholders.
    • Act as a strategic advisor to business and IT teams on governance, risk, and compliance matters.
    • Administer and optimize GRC tools and systems used for tracking risks, managing compliance, and generating reports.
  • Team Leadership & Collaboration:
    • Lead and mentor a team of GRC professionals, where applicable, fostering a culture of expertise, collaboration, and continuous improvement.
    • Work closely with Legal, Internal Audit, IT Operations, Business Units, and other key departments to ensure cohesive and integrated GRC initiatives.

Job Requirements

Educational Qualification

Bachelor's degree in Computer Science, Information Technology, Business Administration, or a related field. Master's degree in Cybersecurity, Risk Management, or Business Administration is highly preferred.

Specific Certification

  • CISA (Certified Information Systems Auditor)
  • CISM (Certified Information Security Manager)
  • CRISC (Certified in Risk and Information Systems Control)
  • CISSP (Certified Information Systems Security Professional)
  • ISO 27001 Lead Auditor/Implementer
  • Any relevant certifications in data privacy (e.g., CIPP/E, CIPP/A)

Experience

  • Minimum of 8+ years of progressive experience in IT/Information Security, with at least 3 to 5 years dedicated to Governance, Risk, and Compliance (GRC) in a leadership or senior managerial capacity.
  • Proven track record of designing, implementing, and managing comprehensive GRC programs in complex organizational environments.
  • Hands-on experience with GRC platforms/tools is a plus.
  • Experience in a regulated industry (e.g., Pharmaceuticals, Healthcare) is highly desirable.
  • In-depth understanding of cybersecurity frameworks (e.g., ISO 27001, NIST) and key pharmaceutical regulations (e.g., FDA 21 CFR Part 11, GxP).

Skill (Functional & Behavioural)

Skills & Competencies:

  • Technical GRC Knowledge:
    • Deep understanding of information security frameworks (ISO 27001, NIST CSF, COBIT).
    • Expertise in various risk assessment methodologies and frameworks.
    • Strong knowledge of IT controls and audit processes.
    • Familiarity with data privacy regulations (e.g., GDPR, DPDP) and their implications.
    • Understanding of IT infrastructure, applications, and cloud environments from a risk and compliance perspective.
  • Analytical & Problem-Solving:
    • Excellent analytical skills to interpret complex regulations, evaluate risks, and detect control weaknesses.
    • Robust problem-solving capabilities to design practical and effective GRC solutions.
    • Meticulous attention to detail and commitment to accuracy in all GRC-related tasks.
  • Communication & Interpersonal:
    • Excellent written and verbal communication skills, with the ability to articulate complex GRC concepts to diverse audiences, including senior management, technical teams, and external parties.
    • Strong presentation skills.
    • Exceptional stakeholder management and negotiation skills.
  • Leadership & Management:
    • Demonstrated leadership skills with experience managing programs and, where applicable, leading teams.
    • Strategic thinker capable of translating regulatory requirements into practical, organization-wide initiatives.
    • Strong project management capabilities to ensure successful execution of GRC initiatives.
    • Exemplifies high integrity, ethical behaviour, and discretion in all activities.
    • Able to work both independently and collaboratively in a dynamic, fast-paced environment.

Your Success Matters to Us

At Sun Pharma, your success and well-being are our top priorities! We provide robust benefits and opportunities to foster personal and professional growth. Join us at Sun Pharma, where every day is an opportunity to grow, collaborate, and make a lasting impact. Let’s create a brighter future together!

Disclaimer:

The preceding job description has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities, and qualifications required of employees as assigned to this job. Nothing herein shall preclude the employer from changing these duties from time to time and assigning comparable duties or other duties commensurate with the experience and background of the incumbent(s).
