Aramco Digital Circular Logo

Cybersecurity GRC & Identity Governance Director

Aramco Digital Dammam, Saudi Arabia Posted: 04 Jul 2024


  • Estimate: $160k - $220k*
  • Zero income tax location


  • Office Only


  • Experience: Senior
  • English: Professional


About the job

The Cybersecurity GRC & Identity Governance Director oversees the development, implementation, and enforcement of cybersecurity & identity management policies, standards, and frameworks. The role will lead efforts to assess and mitigate cybersecurity risks, ensure compliance with regulatory requirements of the NCA (National Cybersecurity Authority) and standards set by the parent company and align security initiatives with business objectives. The role will establish GRC metrics to measure and monitor the organization's security posture and resilience. The role will collaborate with internal stakeholders and external partners to address cybersecurity challenges, promote a culture of security awareness, and drive continuous improvement in GRC practices. The role will also participate in CAB meetings to inject cybersecurity requirements and conduct pre-go live compliance checks for any new projects. The role will drive the adoption of advanced security technologies, such as AI-driven threat detection systems, and an increased focus on employee training and awareness programs.


  • Cybersecurity Governance: Work with senior leadership to understand compliance gaps or requirements, technical needs, and translate them to policy statements. Lead the establishing and maintaining of security policies, baselines, standards, checklists, and processes for Info. Security within the organization. Establish cybersecurity governance frameworks, committees, and reporting structures to facilitate decision-making and accountability.

  • Cybersecurity Compliance: Ensure compliance with data privacy and protection regulations by implementing appropriate safeguards, controls, and data management practices in accordance with NCA frameworks and guidelines as well as standards set by the parent organization. Establish a data protection compliance program. Responsible for identifying compliance gaps and recommending technical and procedural controls to provide regulatory compliance in the most reasonable and cost-effective manner. Participate in CAB meetings to inject cybersecurity requirements and conduct pre-go live compliance checks for any new projects.

  • Cybersecurity Risk Assessment: Oversee cybersecurity risk assessments and vulnerability scans to identify potential compliance risks, security threats, and gaps in controls. Prioritize identified risks based on their significance, criticality, and potential impact on the organization's operations, reputation, and strategic objectives. Develop risk mitigation strategies, control frameworks, and remediation plans to address identified risks and vulnerabilities proactively. Ensure that proper documentation on risk assessment findings, methodologies, assumptions, and recommendations through comprehensive risk assessment reports is carried out. Ensure that risk assessment activities align with regulatory requirements, industry standards, and compliance frameworks governing information security, privacy, and data protection. Conduct periodical phishing simulation exercises within the enterprise to assess cybersecurity compliance and risk.

  • Identity Governance: Define the digital identity strategy for employees of the organization. Ensure that identities are created, updated, and retired in accordance with organizational policies and procedures. Oversee the design of role-based access control (RBAC) mechanisms to define the roles and their access based on functions and responsibilities. Oversee the review process and remediation activities of excessive or inappropriate access privileges to reduce the risk of insider threats and data breaches.

  • Contract Reviews: Oversee the review of cybersecurity clauses in contracts to ensure vendors and service providers have implemented appropriate security controls, standards, and best practices to protect sensitive data and information assets. Ensure that contracts include provisions for data processing agreements and data protection impact assessments as required by privacy regulations. Evaluate contracts for provisions related to vendor security assessments, indemnification clauses, and liability limitations.

  • Cybersecurity Partner Identification: Guide the team in identifying partners with cybersecurity expertise, specialized skills, and capabilities in cybersecurity GRC, identity governance, access management, and compliance management. Drive the identification of firms, consultants, or legal advisors who have deep regulatory expertise and industry knowledge in cybersecurity, privacy, data protection, and regulatory compliance to develop a partnership.

  • Security Awareness and Training: Develop and implement security awareness and training programs to educate employees on cybersecurity best practices and promote a culture of security awareness.

Minimum qualifications:

  • Bachelor’s or master’s degree in computer science, information technology, cybersecurity, or a related field is required.
  • At least 15 years of experience in working in information security with deep experience in information security governance and compliance.
  • 4-5 years of experience in leading Cybersecurity GRC and Identity Governance.
  • Professional certifications such as CISSP, CISA, CISM, CGEIT, CRISC, CEH, etc.
Apply now

Jobs you might like   View all jobs

About Aramco Digital

Aramco Digital is the digital and technology subsidiary of Saudi Aramco. Committed to driving digital transformation and technological innovation across various sectors, Aramco Digital aims to create a thriving national digital ecosystem and spearhead AI and digital innovation worldwide.