Your mandate is to evolve governance, risk, and compliance (GRC) from a compliance-driven function into a risk-informed, decision-enabling discipline. You will establish frameworks that allow organisations to adopt new technologies with confidence, ensuring that security risk management is embedded across the full lifecycle of digital systems — from web and cloud platforms to critical Operational Technology (OT) environments.
Key Responsibilities
Enterprise Risk Governance & Management
- Dynamic Risk Registers: Establish and oversee enterprise-level security risk registers, ensuring they function as living tools that are updated as threat conditions, system changes, and project risk posture evolve, rather than as static documents refreshed only for audits.
- Executive Risk Facilitation: Lead high-level risk discussions with senior management and technology leaders, translating complex technical exposures into clear business impact to support informed prioritisation and investment decisions.
- Risk Analysis Frameworks: Design and implement consistent risk assessment methodologies that enable informed risk-taking for innovation, rather than defaulting to risk avoidance.
- Standardised TRA Frameworks: Define and maintain enterprise-wide standards for conducting Threat Risk Assessments across cloud, web applications, enterprise IT, and OT / ICS environments.
- Critical Asset Identification: Develop SOPs to guide teams in identifying crown-jewel assets and mapping comprehensive threat scenarios and attack paths.
- Control Effectiveness Assurance: Establish common security configuration standards and ensure controls are technically effective in mitigating identified risks, not merely compliant with baseline requirements.
- Zero Trust Strategy: Lead the development of a Zero Trust roadmap, setting standards for identity-centric security, micro-segmentation, continuous verification, and modern access controls.
- Architecture Advisory: Provide governance and risk input during the design of high-impact systems to ensure secure-by-design principles and alignment with enterprise standards.
- Technology Evaluation: Assess and recommend security technologies that directly address identified risk scenarios, ensuring defensive capabilities remain effective against modern threat actors.
- Third-Party Risk Frameworks: Establish governance models for managing cybersecurity risks across vendors, service providers, and the software supply chain.
- Dependency Risk Management: Define standards for assessing third-party cyber resilience and managing risks arising from software dependencies, including open-source components.
- Continuous Audit Readiness: Shift audit posture from reactive preparation to continuous compliance and operational readiness.
- Root Cause Remediation: Oversee the closure of audit findings, ensuring remediation addresses underlying technical and process weaknesses rather than surface-level fixes.
- Systemic Risk Analysis: Analyse audit outcomes and risk trends to identify systemic weaknesses and drive enterprise-wide improvements.
- Risk Advocacy: Partner with senior stakeholders to promote a proactive, ownership-driven risk management culture.
- Threat & Technology Foresight: Monitor evolving attacker tactics, techniques, and procedures (TTPs) and emerging technologies, periodically assessing the continued relevance of existing controls and governance frameworks.
Experience
- Professional Background: 10–12 years of experience in cybersecurity governance, information security risk management, or security architecture.
- Domain Breadth: Proven experience managing risks across enterprise IT and cloud environments; exposure to OT / ICS environments is a strong advantage.
- Regulatory & Standards Knowledge: Strong familiarity with government or regulated-industry security frameworks and international standards such as NIST and ISO/IEC 27001.
- Risk Methodologies: Strong command of risk assessment methodologies (e.g. Threat and Vulnerability Risk Assessment, TVRA) with the ability to translate technical vulnerabilities into business-level risk.
- Security Architecture & Tooling: Broad technical understanding of Zero Trust Architecture components and cloud security technologies, including IAM, EDR, SIEM, CSPM, CWPP, CASB, firewalls, and secrets management.
- Threat Mapping: Ability to map security controls to adversary behaviours using recognised frameworks (e.g. MITRE ATT&CK) to ensure meaningful defensive coverage rather than nominal control counts.
- Offensive Security Awareness: Solid understanding of offensive techniques and testing methodologies, enabling realistic assessment of control effectiveness.
- Certifications: Professional certifications such as CISM, CRISC, CISSP, OSCP, or OSWE are highly preferred.
- Strategic Influence: Ability to educate and persuade senior executives on the value of robust cybersecurity governance and risk-informed decision-making.
- Critical Analysis: Strong capability to look beyond checklist compliance to identify and remediate systemic weaknesses.
- Continuous Learning: Demonstrated commitment to staying current with evolving technologies and threat landscapes.
- Risk Translation: Exceptional ability to articulate complex technical issues — such as zero-day vulnerabilities or architectural weaknesses — in clear business and operational terms.