
Senior Manager, Cyber Security Expert

ATOM
Kyauktada | Yangon Region
Verified This job has been verified by the company as a real job vacancy.
27 May 2024
Recruiter active 1 day ago The recruiter at this company was last active reviewing applications.
Myanmar - Yangon Region

Experience Level

Manager

Job Function

IT Hardware, Software

Job Industry

Telecommunications

Minimum Education Level

Bachelor Degree

Job Type

Full Time

Job Description

An Excellent Opportunity for ...

Job Summary:

The Security GRC Specialist will be responsible for developing, implementing, and managing the organization's security governance, risk, and compliance programs. This role requires a deep understanding of technical security controls, regulatory requirements, and risk management practices to ensure the protection of company assets, information, and systems. The ideal candidate will have extensive experience in risk assessments, compliance audits, security policy development, and the implementation of technical security measures, as well as sufficient experience in managing technical service providers from different domains.

 

Key Responsibilities:

  1. Governance:
    • Policy Development: Develop, implement, and maintain comprehensive security policies, standards, and procedures.
    • Strategic Alignment: Ensure security initiatives are aligned with business objectives and regulatory requirements.
    • Policy Review: Conduct regular reviews and updates of security policies to ensure they remain current and effective.
    • Framework Implementation: Implement and maintain security frameworks such as NIST, ISO 27001, and COBIT.
  2. Risk Management:
    • Risk Assessments: Conduct thorough risk assessments and vulnerability assessments to identify and prioritize security risks.
    • Risk Mitigation: Develop and manage risk mitigation plans, ensuring timely implementation of security controls.
    • Risk Monitoring: Continuously monitor and report on the effectiveness of risk management processes and controls.
    • Threat Modeling: Perform threat modeling to anticipate and address potential security threats.
  3. Compliance:
    • Regulatory Compliance: Ensure compliance with relevant laws, regulations, and standards such as GDPR, PCI-DSS, SOX, and ISO 27001.
    • Audit Coordination: Coordinate and support internal and external audits, ensuring timely resolution of findings.
    • Compliance Programs: Develop, implement, and maintain compliance programs and initiatives.
    • Documentation: Maintain comprehensive documentation of compliance activities and audit findings.
    • User Access Review: Perform quarterly access review activities with the managed service partner for infrastructure and applications.
  4. Technical Security Controls:
    • Security Implementation: Help implement and manage technical security controls such as firewalls, IDS/IPS, SIEM, DLP, and encryption solutions.
    • Security Reviews: Conduct security reviews and penetration testing of applications, systems, and networks.
    • Vulnerability Management: Oversee the vulnerability management program, including regular scanning, patch management, and remediation efforts.
    • Cloud Security: Implement and manage security controls for cloud environments, ensuring compliance with best practices and regulatory requirements.
  5. Incident Management (Supporting Role):
    • Incident Response Plan: Develop, maintain, and test the incident response plan.
    • Incident Handling: Lead and coordinate response efforts for security incidents, including detection, analysis, containment, eradication, and recovery.
    • Post-Incident Review: Conduct post-incident reviews to identify root causes and develop lessons learned reports.
    • Forensics: Perform digital forensics analysis to support incident investigations and response.
  6. Training and Awareness:
    • Awareness Programs: Develop and deliver security awareness training programs for employees, contractors, and partners.
    • Security Culture: Promote a culture of security awareness and ensure that all employees understand their roles and responsibilities related to information security.
    • Phishing Simulations: Conduct regular phishing simulations with the managed service partner to test and improve employee awareness and response to phishing attacks.
  7. Documentation and Reporting:
    • Security Documentation: Maintain comprehensive documentation of all security activities, including policies, risk assessments, incident reports, and audit findings.
    • Management Reporting: Prepare regular reports on the status of the security program, risk management activities, and compliance initiatives for senior management and the board of directors.
    • Metrics and KPIs: Develop and track key performance indicators (KPIs) and metrics to measure the effectiveness of the security program.

Open To

Male/Female

Required Qualifications

Qualifications:

  • Education:
    • Bachelor’s degree in Information Security, Computer Science, Information Technology, or a related field. A Master’s degree in a relevant discipline is preferred.
  • Certifications:
    • Relevant certifications such as CISSP, CISM, CRISC, CISA, CEH, ISO 27001 Lead Auditor, or similar.
  • Experience:
    • Minimum of 5 years of experience in information security, with a focus on governance, risk, and compliance.
    • Proven experience in performing risk assessments, managing compliance programs, and developing security policies.
    • Extensive hands-on experience with security technologies and controls.

Skills:

  • Technical Proficiency:
    • In-depth knowledge of network security, application security, cloud security, and endpoint security.
    • Experience with security tools and technologies such as SIEM, firewalls, IDS/IPS, DLP, encryption, and endpoint protection solutions.
    • Strong understanding of security protocols, cryptographic technologies, and secure coding practices.
  • Analytical and Problem-Solving:
    • Strong analytical skills to identify and assess security risks and develop appropriate mitigation strategies.
    • Ability to conduct root cause analysis and implement effective solutions for security incidents and vulnerabilities.
  • Communication:
    • Excellent written and verbal communication skills, with the ability to present complex security concepts to non-technical stakeholders.
    • Strong report writing skills to document security activities, incidents, and compliance status.
  • Project Management:
    • Strong organizational skills and the ability to manage multiple projects and initiatives simultaneously.
    • Experience in leading cross-functional teams and coordinating security projects.
  • Interpersonal Skills:
    • Ability to work collaboratively with different departments and teams, fostering a culture of security awareness.
    • Strong leadership and influence skills to drive security initiatives and promote best practices across the organization.

Working Conditions:

  • This position is primarily based in an office environment but may involve occasional on-site security assessments and audits.
  • The Security GRC Specialist will work closely with various departments, including IT, Telco, legal, HR and executive management, to ensure the effectiveness of the security program.

What We Can Offer

Benefits

-Competitive Salary Package
-Quarterly Bonus
-Medical Insurance
-Provide Transportation

Highlights

-Make a difference
-Join an experienced team

Opportunities

-Learn new Skills on the job
