Security and Privacy Governance Risk and Compliance Manager (GRC), Lower Parel, Mumbai
Job Description:
Job Purpose (Job Summary): Security and Privacy Governance Risk and Compliance Manager
The Department
The Governance and Risk Compliance Manager reports into the Chief Information Security Officer (CISO) and is accountable and responsible, on a global basis, for all Security and Privacy governance, controls and compliance activities.
Your Role
The GRC Manager will establish and conduct risk and controls operational responsibilities of the Security and Privacy function, including aligning the vision, goals, objectives, policies, and standards of this function with the Company business strategy. The GRC Manager will work closely with Invesco Global Security to design and monitor policies and standards and will represent across relevant governance forums.
The GRC Manager will demonstrate a customer-first mindset, working alongside company officers, business managers, security teams, managed service providers and IT managers to effectively monitor Company assets to ensure alignment with security and privacy controls, which includes customer data held across our software environments. To support a thriving and secure business, the GRC Manager will:
Key responsibilities / Duties:
- Represent Security and Privacy and act as the interface to the Company business. Build strong partnerships with the Company business to promote better interaction, communication, and understanding. Serve as the primary point of contact and escalation for business security matters.
- Understand the Company business strategy and direction, requirements, major initiatives, high-value assets, and risk appetite and tolerances. Drive alignment between Security and Privacy and the Company business. Inform and focus our Security and Privacy initiatives and promote a business-driven approach.
- Identify and communicate security risks within the Company business (including through third-party providers) and explain those risks in language understood outside Security and Privacy. Develop plans together (with input from Security and Privacy disciplines) to address and reduce those risks, including through the design, implementation, and maintenance of effective security and privacy controls (administrative, physical, and technical). Oversee implementation and compliance with all security and privacy program objectives (policies/standards, data lifecycle management, access recertification, etc.).
- Engage with the Company business at a strategic level on key projects and initiatives. Provide general security and privacy consulting services including project reviews and identification of requirements for security and privacy solutions to support business needs. Assess the relevance and significance of changing security and privacy regulations and interpret their impact on the business.
- Advise and educate the Company business on security and privacy requirements and risks. Promote a more risk-aware culture in which well-informed decisions are made on security and privacy risk. Deploy role-based security and privacy training and awareness.
- Advise and report to key leadership and management groups, committees, and Boards in Company on security and privacy risks, incidents, and topics, by providing appropriate metrics. Ensure security and privacy risk is appropriately represented in relevant business and governance forums.
- Help to plan, prepare for, and manage physical, information security and privacy incidents, events, and investigations. Advise on emergency actions to protect the business. Assist with review/approval of data and investigation requests.
- Provide input into Security and Privacy strategy, policies, standards, processes, and procedures based on business requirements, risk tolerance, and financial industry/ISO standards.
- Represent Security and Privacy externally (to clients, Boards, and regulators) by providing information and reassurance as required. Assist with coordinating and communicating results of third-party risk assessments to ensure appropriate implementation of controls for accessing or handling firm information.
The experience you bring:
- Solid proven experience from at least cybersecurity and privacy discipline.
- Understanding of the financial services industry (asset management preferred).
- Experience of large/global corporate environments involving multiple businesses.
- Experience with conducting and participating in audit and regulatory reviews.
- Understanding of any of the following: (1) audit/risk management methodologies and regulatory security requirements; (2) technology general controls, various technology disciplines, and industry standards (ISO, COBIT, COSO, ITIL); and (3) risk identification, assessment, response and mitigation planning, and reporting.
- Experience of reporting (including developing relevant metrics) and presenting to senior management and audiences.
- Management of security projects, security advice to major initiatives (e.g., significant acquisitions), and/or definition of security strategy (e.g., to protect high-value assets).
- Experience of security and privacy incidents and investigations (e.g., cyber incident response).
- CISSP/CRISC/CISM or equivalent preferred.
- Effective communicator and presenter (written and verbal, including to large or formal audiences).
- Ability to translate complex/technical topics into business language and to articulate points in terms widely understood.
- Strong analysis and assessment skills to evaluate risks and recommend action based on fact.
- Collaborative style to engage effectively with all personalities and across functional disciplines and to build strong working relationships.
- Ability to plan and deliver projects.
- Good crisis management skills.
- Degree level (computer science or technology related an advantage).
Company Profile
It is a leading global investment firm dedicated to delivering an investment experience that helps people get more out of life.