Cybersecurity Risk & Governance Expert

Role : Cybersecurity risk & governance expert

Location : Hyderabad

Hiring manager : Naveen Agarwal

Our Team:

Our Governance, Risk & Compliance team, reporting directly to the CISO alongside the Security Architecture and Security Operations & SOC teams, plays a pivotal role in safeguarding the organization's assets and ensuring regulatory compliance. Under the leadership of the Governance, Risk & Compliance Lead, this team ensures our organization's technological infrastructure is secure, compliant, and resilient against evolving cyber threats.

Main responsibilities:

The Governance & Risk FTE, reporting to the GRC Lead, will play a pivotal role in ensuring robust risk management and governance within the Governance, Risk & Compliance team. This role focuses on orchestrating risk appetite decisions, conducting thorough risk assessments and penetration testing, managing third-party risks, supporting governance-driven activities, and overseeing data privacy initiatives. Key responsibilities include:

• Risk appetite & management
  • Orchestrate decisions on cyber risk appetite for the organisation in collaboration with the broader business
  • Define and deliver risk reporting plans and key indicators
  • Assess risk and govern the process of updating risk appetite at least every 12 months in coordination with other teams
  • Monitor compliance to cyber policies across the organisation (incl. policies & tech standards, DLP, IAM)
• Risk assessment & pen testing
  • Conduct risk assessments at least every 6 months across all environments
  • Conduct penetration testing at least every 3-6 months across most (>75%) on-premise and cloud environments
  • Prepare vulnerability disclosure reports on outward facing systems (in the future)
• Third party management support
  • Design, review and update supplier risk assessment frameworks (incl. criteria for tiering of vendors)
  • Communicate cyber policies to strategic vendors, assess their cybersecurity risk and compliance at least every 12 months and based on need, and drive remediation/mitigation of risks
  • Review the cybersecurity risk posed by the supply chain of all strategic vendors at least every 12 months
  • Monitor deployed 3rd party HW/SW for vulnerabilities and ensure compliance
• Support GRC-driven activities
  • Support the definition of cybersecurity-related enterprise standards, policies and controls
  • Support audits covering risk-centric assessments (incl. follow up findings with corrective measures), provide inputs to regulatory and compliance teams on cybersecurity risk; support the deployment of corporate compliance programs
• Data privacy
  • Define data privacy policies and standards and monitor compliance across the organisation from legal/regulatory perspective
  • Support of Global Data Privacy program (e.g., managing requests across regions, mapping of data and specific regulations, coordination with Global GBS)
  • Management of data process agreements (incl. review of contracts, annual assessment re-evaluation)

About you

• Experience:
  • 5-10 years of professional experience (equivalent combination of experience and education accepted)
  • Previous experience in implementing ISO27001 and NIS-2
  • Previous work in an international environment.
  • Demonstrated experience in working within cybersecurity teams, particularly in governance and risk.
  • Proven track record of contributing to the design and implementation of governance and risk solutions aligned with organizational goals and regulatory requirements.
  • Experience collaborating with Security Architect and Operations teams in a feedback loop.
  • Ability to develop and communicate policies based on feedback from the Security Architect team.
• Soft skills:
  • Broad experience in working in large digital teams, with an understanding of how digital and business processes are linked.
  • Stakeholder management and communication skills, especially when interacting with senior leadership.
  • Skilled problem solver and self-starter.
  • A hands-on pragmatic attitude to driving change.
  • Positive, "can-do" attitude.
• Technical skills:
  • Experience with AGILE or similar project management frameworks.
  • Working knowledge of common information security management frameworks (ISO/IEC 27001, ITIL, NIST, NISD, CISSP/CCSP, QxP, CIS20).
• Education:
  • Bachelor’s and master’s degree (preferred) in any of the following fields of study: Information Technology, Computer Science, Cybersecurity or Information Security
• Languages:
  • English