Manager IT Governance Risk & Compliance

1 Nos.
95764
Full Time
GRCMGR
8.0 Year(s) To 15.0 Year(s)
Not Disclosed by Recruiter
IT Infrastructure & IT Security / Support
ITES/BPO/KPO
B.Tech/B.E. - Computers
Remote Work Allowed
Job Description:

We are seeking a seasoned Information Security professional with expertise in GRC and 8+ years of progressive experience across data security, access management, IT security, network security, IT risk management, and compliance with standards such as ISO 27001, HIPAA, GDPR, and NIST. This individual will lead GRC efforts, ensuring the confidentiality, integrity, and availability of the organization’s IT infrastructure while aligning security governance with business needs.

Key Responsibilities:

  • Leadership & Governance:
    • Lead and manage security across cloud applications, networks, cloud infrastructure, and end-user environments.
    • Develop and implement enterprise-wide security governance, IT risk management, and compliance strategies.
    • Ensure alignment with industry frameworks (e.g., NIST, ISO, GDPR, ITGC) and regulatory requirements (e.g., IT Act, CERT guidelines).
  • Security Operations & Incident Management:
    • Oversee IT security operations, ensuring the effectiveness of security controls, incident response, and vulnerability management.
    • Conduct vulnerability assessment reviews and lead system security hardening, remediation, and patch management efforts.
    • Perform IT security risk assessments and lead security audits in compliance with ISO 27001, HIPAA, and other relevant standards.
    • Ensure all information security and privacy incidents are recorded, reported to top management, and communicated to relevant CFT members.
  • Risk & Compliance Management:
    • Lead risk assessments and gap analysis, providing recommendations for improvements to contracts, policies, and processes.
    • Manage compliance dashboards and reports, ensuring that data confidentiality and customer information protection are maintained.
    • Ensure adherence to internal security policies and external regulatory requirements through regular audits and reviews.
  • Security Tools & Technology Management:
    • Design and manage Security Information and Event Management (SIEM) tools (e.g., Splunk) and SOC monitoring solutions (e.g., ForeScout, Darktrace).
    • Oversee Identity Access Management (IAM) and Privileged Access Management (PAM) systems, including user access reviews and DLP policies.
  • Security Awareness & Training:
    • Develop and manage security awareness programs for both internal teams and external clients, ensuring best practices are communicated and followed.
  • Integrating Security & Privacy Requirements:
    • Ensure information security and privacy management systems are integrated into organizational processes and achieve their intended outcomes.
  • Leadership & Support:
    • Direct and support personnel to enhance system effectiveness, while guiding other management roles in demonstrating leadership in their areas of responsibility.
  • Policy & Risk Management:
    • Approve all security and privacy-related policies, procedures, and plans.
    • Identify actual and potential information security and privacy risks.
    • Establish criteria for risk acceptance and perform risk assessments consistently.
    • Identify risk owners, evaluate risks related to data confidentiality, integrity, availability, and privacy, and select appropriate risk treatment options.
  • Control Implementation:
    • Ensure necessary controls are in place, compare them, produce a Statement of Applicability that justifies the inclusion or exclusion of each control, and report the result.
  • Compliance & Audits:
    • Ensure compliance with legal requirements, conduct internal audits, document findings, and ensure corrective actions are implemented.
  • Reporting & Review:
    • Regularly report system performance to top management, conduct management review meetings (MRM), and circulate meeting minutes to Cross-Functional Team (CFT) members and leadership.
  • Documentation & Communication:
    • Manage documentation, including the distribution, amendment, and review of security and privacy records. Communicate internal audit results and ensure awareness of established policies and security/privacy initiatives within the CFT.

Key Considerations:

  • Ensure alignment with recognized frameworks (ISO 27001, NIST, GDPR, HIPAA, COBIT, ITIL) and regulatory standards.
  • Certifications: CISA, CISM/CRISC, ISO 27001.
  • Use GRC software tools for report automation, ensuring efficiency and consistency across reporting efforts.
  • This role requires a strong leader capable of managing complex security initiatives, driving compliance, and ensuring that the organization’s security posture evolves in line with emerging risks and business objectives.

Required Skills & Expertise:

  • 8+ years of experience in Information & Cyber Security, with expertise in IT risk management, data security, access management, and network security.
  • Strong knowledge of industry standards, including NIST, ISO, GDPR, and ITGC, and familiarity with compliance audits such as ISO 27001 and HIPAA.
  • Proven experience with SIEM tools, IAM solutions, vulnerability assessments, and IT security frameworks.
  • Ability to lead and manage complex security projects, including audits and risk management activities.
  • Experience in regulatory audits, policy design, and incident management.
  • Independent contributor with strong leadership, documentation, and reporting skills.

Reports and Dashboards:

  • Incident Reports: Summary of security incidents, including mitigation actions.
  • Compliance Activity Status: Ongoing compliance checks, audits, and the status of non-compliance observations.
  • Vulnerability Management Report: Summary of vulnerabilities, patching, and remediation efforts.
  • Access Management Report: Review of access controls, unauthorized access attempts, and privilege updates.
  • Risk Events Log: Detailed records of identified risks, escalations, and mitigation efforts.
  • Policy Adherence Monitoring: Reports on adherence to internal security and data privacy policies.

Monthly Reports:

  • Risk Assessment & Mitigation: Overview of risk landscape, new risks, and risk management progress.
  • Compliance Dashboard: Key compliance metrics against GDPR, ISO 27001, and other regulatory standards.
  • Audit Findings: Summary of internal and external audit findings, gaps, and improvement recommendations.
  • Vendor Risk Management: Assessment of third-party vendors’ compliance and remediation efforts.
  • Security Awareness Training: Progress and completion rates for security and compliance training.
  • Data Privacy Monitoring: Reports on personal data handling and breach incidents.

Quarterly Reports:

  • Enterprise Risk Management: Comprehensive review of organizational risks, risk appetite, and mitigation strategies.
  • IT Compliance Audit: Results of quarterly audits, including outstanding compliance issues.
  • Business Continuity & Disaster Recovery (BCP/DR): Status of BCP/DR plans, including test results and areas for improvement.

Yearly Reports:

  • Annual GRC Report: A detailed overview of governance, risk, and compliance activities for the year.
  • Annual Security Risk Assessment: Review of security risks and the effectiveness of mitigation strategies.
  • Regulatory Compliance Report: Summary of compliance with GDPR, SOX, HIPAA, and other relevant regulations.
  • Vendor Risk Performance: Annual review of vendor compliance and risk levels.
  • Cybersecurity Incident Summary: Summary of key incidents and lessons learned over the year.

Ad Hoc Reports:

  • Regulatory Audit Reports: Custom reports for audits, including PCI-DSS, SOX, or specific regulatory inquiries.
  • Incident Response Reports: Detailed reports on breaches or incidents, including root cause analysis and remediation steps.
  • Board Reports: High-level summaries of risk, compliance, and governance for presentation to senior leadership.

Company Profile

A tech-enabled outsourcing firm that’s changing the way companies think about finance, accounting, human resources and technology services.
