iimjobs

Posted By

Job Views: 210
Applications: 50
Recruiter Actions: 0

Posted in

IT & Systems

Job Code

1628610

Assistant Vice President - Cyber Security

Workassist | 5 - 13 yrs. | Mumbai

4.7 | 21+ Reviews

Posted 1 month ago

Description:

Job Title: AVP Cyber Security

Function: Banking Operations / Cyber Security Governance, Risk, and Compliance (GRC)

Experience: 5 to 13 Years

Location: Mumbai

Role Summary

The AVP Cyber Security is a critical middle-management role responsible for maintaining the bank's cyber security posture, governance framework, and regulatory compliance as a second line of defense.

This position requires a self-motivated individual with deep expertise in the RBI Cybersecurity Framework, adept at performing risk assessments, monitoring Key Risk Indicators (KRIs), and driving the remediation of vulnerabilities and audit findings.

The incumbent will collaborate across IT and Business units to ensure the effective implementation of Information & Cyber Security controls.

Key Accountabilities & Responsibilities

Governance, Compliance & Control Assurance (2nd Line Defense):

- Serve as an assurance function to assess the design and operational effectiveness of Information and Cyber Security controls, fulfilling the requirements of an effective second line of defense within the risk management framework.

- Collaborate strategically with IT, Business, and Support units to ensure the effective implementation of Information & Cyber Security controls in strict accordance with the group's security guidelines, industry standards (e.g., ISO 27001, NIST), and regulatory requirements (RBI Cybersecurity Framework).

- Ensure timely and complete compliance with all regulatory guidelines, advisories, and circulars related to Information/Cyber security, overseeing and tracking the audit remediation plan for Technology.

- Review correctness & completeness of data compiled for various regulatory submissions (w.r.t Info-Security) to ensure accuracy and integrity in filings.

Risk Assessment & Monitoring:

- Execute comprehensive, high-fidelity cyber security risk assessments, proactively integrating intelligence on latest technology developments (e.g., Public Cloud, APIs) and underlying emerging risks.

- Monitor Key Risk Indicators (KRIs) related to Cyber Security and Data protection on a periodic basis to assess and report the overall security posture and identify areas of heightened risk.

- Review the Bank's Information Security & Cyber Security Policy documentation periodically to maintain relevance, robustness, and operational effectiveness in collaboration with the Security Operations Team & Business Risk Management Team.

Operational Oversight & Assurance:

- Conduct a technical review of the effectiveness of the Data Loss Protection (DLP) program and provide critical oversight on the timely investigation and closure of all DLP alerts.

- Review cyber security advisories/alerts (e.g., CISA, CERT-In) as a core component of the Bank's Vulnerability Management program, ensuring timely remediation tracking.

- Review (by testing the effectiveness of) the half-yearly technology and info-security risk and control self-assessment (RCSA) through validation and evidence inspection.

- Review cyber security controls for outsourced service providers (OSP) and provide risk sign-off for new product/process approvals (NPA), ensuring security-by-design.

Stakeholder Management & Reporting:

- Update Senior Management on cyber security issues, emerging risks, strategic projects, security incident response status, and detailed risk mitigation plans.

- Keep Business & Technology stakeholders aware of key regulatory compliance requirements and the specific operational impact of emerging risks.

- Conduct Information Security Committee meetings on a quarterly basis and meticulously track all resultant action items to closure via minutes of meeting (MoM).

- Attend operational risk forums (technology risk forums) to stay updated on areas of concern and provide expert advice as a Subject Matter Expert (SME).

Audit & Remediation:

- Assist in the internal and external audit process (including 3rd party auditors) and ensure the timely remediation of IS Audit issues and the implementation of corrective actions.

- Evaluate the residual risks/deviation approvals sought by technology or business teams against security control standards, providing objective risk acceptance recommendations.

Security Culture & Advisory:

- Drive information security awareness amongst all staff/vendors via a continuous user awareness program on cyber security best practices.

- Maintain a close working relationship with Technology teams as a trusted security advisor in technology initiatives and formal processes such as change management, incident management, patch management, security configuration, and vulnerability management.

- Guide the Security Operations team for the smooth and compliant implementation of the Bank's Info-Sec policies and regulatory guidelines.

Required Technical Skills

- RBI Cybersecurity Framework: Expert-level knowledge of the RBI Cybersecurity Framework and related circulars, with proven experience in compliance implementation and auditing within the Banking sector.

- Risk Assessment: Proven ability to perform complex cyber security risk assessments (e.g., threat modeling, quantitative risk analysis) and manage a GRC tool environment.

- Controls Testing: Hands-on experience testing the effectiveness of technology controls (RCSA) and interpreting results from vulnerability management and penetration testing.

- Policy & Governance: Deep understanding of Information Security Policies, control frameworks, and their operationalization across IT environments.

- DLP & Vulnerability Management: Strong understanding of Data Loss Protection programs and the lifecycle of vulnerabilities and security advisories.

- Cyber Security Audits: Extensive experience coordinating, managing, and technically remediating findings from Cyber Security Audits (internal, external, and regulatory).

Preferred Skills

- Professional certifications such as CISM, CISSP, CISA, or CRISC.

- Working knowledge of cloud security governance and architecture (e.g., Azure, AWS) and API security standards.

- Experience with governance tools for tracking KRIs and managing audit findings.

- Strong background in managing technology risk within core banking systems and payment infrastructure.

- Previous experience in a formal security advisory or quality management capacity.
