CHIEF INFORMATION SECURITY OFFICER
Quick Summary
The Basics: Team: Engineering & Security. Experience: 8+ Years. Location: Mumbai - Andheri East.
Introduction: $11 trillion of money flows every year between companies in India. It typically takes avg.
Define and execute the enterprise information security strategy, aligning it with business goals and regulatory requirements.
Degree in Computer Science, Information Security, Computer Engineering, or a related field. Deep knowledge of cloud security (AWS / GCP / Azure), network security, application security (OWASP), and identity & access management.
Responsibilities
Define and execute the enterprise information security strategy, aligning it with business goals and regulatory requirements.
Architect the security posture end-to-end: policies, access controls, network security, application security, cloud infrastructure hardening, and data protection.
Own and drive all applicable security certifications (ISO 27001, SOC 2, etc.), including internal audits, risk treatment plans, and management reviews.
Lead risk assessments, vulnerability management, penetration testing programmes, and threat intelligence initiatives.
Build and manage the incident response framework — from detection and containment to forensics and post-incident reporting.
Oversee security architecture for cloud-native environments (AWS / GCP), ensuring secure CI/CD pipelines, container security, and infrastructure-as-code practices.
Collaborate with Engineering, Product, Legal, and Compliance teams to embed security into the SDLC and product development lifecycle.
Establish security awareness training and foster a security-first culture across the organisation.
Report security posture, risk metrics, and strategic initiatives to the CEO and board of directors.
Evaluate and manage relationships with third-party security vendors, auditors, and consultants.
8+ years of progressive experience in information security, cybersecurity, or IT risk management, with a significant portion in leadership roles.
Proven track record of building and managing security programmes in regulated environments (fintech, banking, NBFC, or financial services).
Requirements
Degree in Computer Science, Information Security, Computer Engineering, or a related field.
Deep knowledge of cloud security (AWS / GCP / Azure), network security, application security (OWASP), and identity & access management.
Experience with security tooling: SIEM, IDS/IPS, DLP, endpoint protection, vulnerability scanners, and penetration testing frameworks.
Strong understanding of secure software development lifecycle (SSDLC) and DevSecOps practices.
Experience working in regulated environments with exposure to RBI guidelines, CERT-In directives, or equivalent regulatory frameworks.
Excellent communication skills — ability to translate technical risk into business language for executive and board-level stakeholders.
Nice to Have
Hands-on experience implementing and maintaining security frameworks such as ISO 27001:2024 (latest edition), SOC 2 Type II, or similar — from gap analysis through certification audit.
Industry certifications such as CISSP, CISM, CISA, ISO 27001 Lead Auditor / Lead Implementer, or equivalent.
Familiarity with GDPR, DPDPA (India), and cross-border data protection regulations.
Background in threat modelling, red team / blue team exercises, and security operations centre (SOC) management.
Experience securing AI/ML pipelines and LLM-based applications.
What We Offer
Location & Eligibility
Listing Details
- First seen: May 6, 2026
- Last seen: May 9, 2026
Please let cashflo-talent know you found this job on Jobera.