
Key Responsibilities
1. Security Strategy & Governance
- Develop, implement, and continuously improve the enterprise-wide information security strategy.
- Define and enforce security policies, standards, and procedures aligned with business objectives and regulatory requirements (IT Act, GDPR, RBI/SEBI where applicable).
- Establish security governance frameworks and metrics to measure effectiveness.
- Drive organization-wide security awareness and culture-building initiatives.
2. Risk Management
- Conduct enterprise risk assessments, vulnerability assessments, and threat modeling.
- Identify, analyze, and mitigate information security risks with clear remediation plans.
- Maintain and regularly update the Information Security Risk Register.
- Present risk posture and mitigation status to senior management and stakeholders.
3. Security Operations & Incident Management
- Oversee Security Operations Center (SOC) activities (in-house or outsourced).
- Lead the incident response lifecycle: detection, containment, eradication, recovery, and post-incident review.
- Coordinate investigations of security incidents and breaches.
- Ensure corrective and preventive actions are implemented to avoid recurrence.
4. Identity & Access Management (IAM)
- Govern identity, authentication, authorization, and access control mechanisms.
- Define and enforce user access provisioning and de-provisioning processes.
- Ensure privileged access management (PAM) and role-based access control (RBAC) are implemented and periodically reviewed.
5. Compliance & Audit
- Ensure compliance with ISO 27001, PCI DSS, SOC 2, and applicable regulatory requirements (RBI, SEBI, Telecom regulations).
- Act as the single point of contact (SPOC) for internal and external security audits.
- Prepare audit documentation, respond to findings, and track closure of non-compliances.
6. Security Architecture & Controls
- Apply and advocate secure-by-design principles during architecture and solution reviews.
- Evaluate and recommend security technologies such as SIEM, DLP, MFA, EDR, IAM, and endpoint security tools.
- Work closely with network, cloud, application, and DevOps teams to embed security controls.
7. Vendor & Third-Party Security
- Conduct security assessments and due diligence of vendors, partners, and cloud service providers.
- Define security requirements in contracts, SLAs, and NDAs.
- Monitor third-party security posture and manage risk remediation.
8. Security Awareness & Training
- Design and deliver periodic security awareness and training programs for employees.
- Conduct phishing simulations and social engineering exercises.
- Measure training effectiveness and continuously improve programs.
9. Reporting, Leadership & Collaboration
- Prepare and present security posture reports, dashboards, and risk updates to senior leadership and management committees.
- Mentor, guide, and develop security analysts and engineers.
- Collaborate with cross-functional IT, telecom, and business teams to ensure secure delivery of services.