Spandana Sphoorty - Head - Information Security

Head-Information Security-Criss Financial Ltd-Subsidiary of Spandana Sphoorty Financial Ltd.

Designation- Head-Information Security

Reporting To: CRO

Location: Hyderabad

Qualification: Bachelor's in engineering, Computer Science, Math, Statistics, or related discipline.

MBA is good to have (Exempted for higher number of industry experience people) Experience: 8-10 Years

Certifications: CCSP, SSCP, CISM, CISA, CySA+, CEH, CISSP/CISM, CompTIA+, Security+ etc. Certification good to have.

Key Skills:

- Extensive experience in information security management, risk assessment, and compliance within the BFSI/NBFC sector.

- In-depth knowledge of relevant regulatory requirements, including RBI guidelines, SEBI regulations, and other applicable laws.

- Strong understanding of security technologies, such as firewalls, intrusion detection/prevention systems, DLP, Cloud Security, SIEM and endpoint security solutions, PAM, SSO.

- Broad familiarity with core infrastructure fundamentals (Data center Server, Storage, Network, etc), SOC, NOC

- Excellent communication and interpersonal skills, with the ability to effectively communicate complex security concepts to technical and non-technical stakeholders.

- Proven leadership abilities, with experience in leading security initiatives and driving cross-functional collaboration.

- Analytical mindset with the ability to think strategically and solve complex security challenges.

- Demonstrated commitment to continuous learning and professional development in the field of information security.

- Ability to understand and correlate the risk data from various sources and effectively use it to monitor/showcase risk to the firm

- Experience of overseeing BCP-DR Drills from IS point of view

- Knowledge of Cloud Security (AWS, Azure, Saleforce, GCP)

- Knowledge of WAF (Web application firewall)

- Ability to setup org level device policies, network security policies, application security policies, data access policies and ensure the compliance.

- Ability to manage different stakeholders on Information Security requirements.

Job Description:

- Develop, implement, and manage the organization's information security roadmap, policies, procedures, and standards which is future proof and is also in alignment with regulatory requirements and industry best practices.

- Conduct regular risk assessments and vulnerability scans to identify potential security weaknesses and develop mitigation strategies.

- Monitor and analyse security incidents, investigate security breaches, and recommend appropriate remedial actions to prevent future occurrences.

- Collaborate with cross-functional teams to ensure that security controls are integrated into all aspects of the organization's operations, including software development, IT infrastructure, and business processes.

- Provide guidance and support to IT and business stakeholders on security-related matters, including the implementation of security controls, incident response procedures, and employee awareness training.

- Stay abreast of emerging threats, vulnerabilities, and security technologies to proactively mitigate risks and enhance the organization's security posture.

- Liaise with regulatory authorities, auditors, and external vendors to ensure compliance with relevant regulations and standards, such as RBI guidelines, ISO 27001, DPDP and NIST, GDPR wherever applicable.

- Lead and participate in security audits, assessments, and certifications to demonstrate the effectiveness of the organization's security program.

- Develop and maintain incident response plans, business continuity strategies, and disaster recovery procedures to ensure the resilience of critical business operations.

- Foster a culture of security awareness and compliance among employees through training programs, awareness campaigns, and regular communication channels.

- Lead, Implement and Review Hardware, Network and Software Security Standards and Security Controls within the Organization, to protect systems, data and assets from both internal and external threats and prevent information and data loss/frauds.

- Identify and Implement Security Assessment and Testing Processes across the organization, including but not limited to Penetration Testing, Secure Software Development, Vulnerability Management etc.

- Identify Best Security Products/Tools for various purposes and implementation of same.

- Proactively Monitor and identify Security Issues and potential threats, new vulnerabilities/threats and continuously improve security standards within the organization.

- Provide strategic risk guidance and consultation for IT Projects, including security risk assessment of Implementation Architecture, technical standards, and protocols.

- Real-time analysis, investigations, and forensics, if a need arises and ensure to avoid and strengthen security measures.

- Developing strategies to handle security incidents and trigger investigation.

- Maintain organization level risk register and risk mitigation plans and proposals.

- Identify & internally escalate and potential red flags related to the engagement.

- Ensure compliance with engagement plans and internal quality & risk management procedures.

- Conducting a continuous assessment of current IT security practices and systems and identifying areas for improvement.

- Developing and implementing business continuity plans (BCP)

- Conduct all IT audits with regulators and internal and external IT-IS audits.

- Disseminate organisation's IT security goals and objectives to business units and senior management & Evaluate IT security goals and objectives against the benchmarks.

- Working with all business units to determine possible risks and risk management processes.

- Ensuring that newly-acquired technology complies with the IT security regulations.

- Place a review of cyber security risks/ arrangements/ preparedness before the Board/ RMCB/ ITSC at least on a quarterly basis