The Cybersecurity GRC & Identity Governance Director oversees the development, implementation, and enforcement of cybersecurity & identity management policies, standards, and frameworks. The role will lead efforts to assess and mitigate cybersecurity risks, ensure compliance with regulatory requirements of the NCA (National Cybersecurity Authority) and standards set by the parent company and align security initiatives with business objectives. The role will establish GRC metrics to measure and monitor the organization's security posture and resilience. The role will collaborate with internal stakeholders and external partners to address cybersecurity challenges, promote a culture of security awareness, and drive continuous improvement in GRC practices. The role will also participate in CAB meetings to inject cybersecurity requirements and conduct pre-go live compliance checks for any new projects. The role will drive the adoption of advanced security technologies, such as AI-driven threat detection systems, and an increased focus on employee training and awareness programs.
-
Cybersecurity Governance: Work with senior leadership to understand compliance gaps or requirements, technical needs, and translate them to policy statements. Lead the establishing and maintaining of security policies, baselines, standards, checklists, and processes for Info. Security within the organization. Establish cybersecurity governance frameworks, committees, and reporting structures to facilitate decision-making and accountability.
-
Cybersecurity Compliance: Ensure compliance with data privacy and protection regulations by implementing appropriate safeguards, controls, and data management practices in accordance with NCA frameworks and guidelines as well as standards set by the parent organization. Establish a data protection compliance program. Responsible for identifying compliance gaps and recommending technical and procedural controls to provide regulatory compliance in the most reasonable and cost-effective manner. Participate in CAB meetings to inject cybersecurity requirements and conduct pre-go live compliance checks for any new projects.
-
Cybersecurity Risk Assessment: Oversee cybersecurity risk assessments and vulnerability scans to identify potential compliance risks, security threats, and gaps in controls. Prioritize identified risks based on their significance, criticality, and potential impact on the organization's operations, reputation, and strategic objectives. Develop risk mitigation strategies, control frameworks, and remediation plans to address identified risks and vulnerabilities proactively. Ensure that proper documentation on risk assessment findings, methodologies, assumptions, and recommendations through comprehensive risk assessment reports is carried out. Ensure that risk assessment activities align with regulatory requirements, industry standards, and compliance frameworks governing information security, privacy, and data protection. Conduct periodical phishing simulation exercises within the enterprise to assess cybersecurity compliance and risk.
-
Identity Governance: Define the digital identity strategy for employees of the organization. Ensure that identities are created, updated, and retired in accordance with organizational policies and procedures. Oversee the design of role-based access control (RBAC) mechanisms to define the roles and their access based on functions and responsibilities. Oversee the review process and remediation activities of excessive or inappropriate access privileges to reduce the risk of insider threats and data breaches.
-
Contract Reviews: Oversee the review of cybersecurity clauses in contracts to ensure vendors and service providers have implemented appropriate security controls, standards, and best practices to protect sensitive data and information assets. Ensure that contracts include provisions for data processing agreements and data protection impact assessments as required by privacy regulations. Evaluate contracts for provisions related to vendor security assessments, indemnification clauses, and liability limitations.
-
Cybersecurity Partner Identification: Guide the team in identifying partners with cybersecurity expertise, specialized skills, and capabilities in cybersecurity GRC, identity governance, access management, and compliance management. Drive the identification of firms, consultants, or legal advisors who have deep regulatory expertise and industry knowledge in cybersecurity, privacy, data protection, and regulatory compliance to develop a partnership.
-
Security Awareness and Training: Develop and implement security awareness and training programs to educate employees on cybersecurity best practices and promote a culture of security awareness.
