1. Key Roles & Responsibilities:
Shall be primarily involved in overseeing information security risks emanating from IT applications in steady-state across the enterprise covering all the business verticals, campuses & offices.
Prepare an annual assessment calendar and ensure adherence. Frequency shall be based on criticality of applications; wherein criticality is derived from the risk assessment exercise.
Ensure all reviews, assessments and audits are conducted in a formal and ethical manner.
On an annual basis, or whenever there is a major change in the ecosystem, perform risk assessments, threat modelling and testing based on industry standard frameworks such as ISO 31000.
On a quarterly basis:
Report violations of set processes and protocols by conducting periodic audits.
Carry out gap analysis of the current state of IT security by proactively conducting Vulnerability Assessments and Penetration Testing (VAPT) for applications.
On a monthly basis, prepare a management dashboard of the outstanding risk exposures and the implementation status of the various mitigation initiatives, together with the stakeholders.
Provide a monthly update on new threats and mitigation strategies drawn from industry studies and market intelligence.
As a proof of concept, conduct dipstick audits to demonstrate exploitable vulnerabilities across the enterprise applications and suggest a mitigation strategy.
Develop in-house scripts and tools to exploit vulnerabilities relevant to RIL applications.
Develop big-data techniques and algorithms to detect and identify financial risk exposure arising from application and database exploits, and suggest mitigation techniques.
Assess and recommend controls based on industry standard frameworks including National Institute of Standards & Technology (NIST), Open Web Application Security Project (OWASP), SysAdmin, Audit, Network, and Security (SANS), ISO 27001:2013, Control Objectives for Information and Related Technology (COBIT), Information Technology Infrastructure Library (ITIL), etc.
Keep abreast of the latest technology solutions and evaluate options to upgrade the technology solutions currently in use.
Contribute to knowledge development and ongoing enhancements as part of the Business Transformation (BT) initiative.
2. Experience & Qualifications:
5 to 8 years of enterprise-level experience with an IT security background; a minimum of 5 years dealing specifically with risk management related to IT application security and information security.
Graduate in IT / Computer Science.
Security certifications (at least one): Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP).
3. Skills & Competencies:
Must have excellent understanding of IT application architecture.
Should have conducted reviews of IT controls and information security audits.
Must have in-depth knowledge of application security vulnerabilities and controls.
Should have an understanding of a range of programming languages and application technologies.
Should have an understanding of local regulatory and statutory requirements.
Proven leader who creates energy, exhibits integrity, leads change, creates a vision, inspires people to achieve goals, and delivers results.
Ability to develop, promote and clearly communicate a concept and vision.
Excellent interpersonal skills (listening and communication), characterized by effective interactions with a diverse range of internal and external constituents, stakeholders and audiences.
Strong influencing and conflict resolution skills, especially with senior management.
Proven ability to manage and mentor team members, lead and influence cross-functional working groups, manage project teams and achieve results.
Ability to develop knowledge objects, tools and intellectual capital to support the internal engagement assignments.