Regional Chief Information Security Officer (CISO)

Role Title: Regional Chief Information Security Officer (CISO)

Department: Security (India)

Reports to: MD, VP - Security and IT

Location: Mumbai (Hybrid)

Role Purpose

Lead and mature the India cybersecurity program for our alternative payment’s platform—protecting customer data and transaction integrity, reducing operational and regulatory risk, and enabling compliant growth. The Regional CISO (India) partners closely with Group Security, Group GRC, local Compliance, and Operational Resilience (OpRes) to align policies and controls, uplift the India resilience programme, and drive the ongoing maturity of security capabilities

Key Responsibilities

Governance, Risk & Compliance (India)

• Establish and maintain a Board-approved information & cyber security policy and India risk appetite.
• Chair security governance forums; brief the India Board/Risk Committee quarterly on posture, incidents, and remediation status.
• Run security awareness programs, secure-by-design training for engineering, and executive tabletop exercises.
• Work in lockstep with Group Security and GRC to align policies, standards, control objectives, and risk taxonomies; coordinate with local Compliance to ensure country-specific obligations are embedded in the ISMS.

Regulatory compliance (India)

• Ensure compliance with applicable RBI expectations for payment system operators and PA/PG entities, including data localisation, digital payment security, outsourcing, incident reporting, and system audit requirements.
• Maintain an annual regulatory calendar; deliver all required filings, attestations, and audit artefacts on time.
• Serve as the primary security point of contact for regulatory queries, inspections and supervisory engagements.
• Partner with local Compliance to interpret new circulars and embed them into controls; collaborate with Group GRC to track compliance status and manage policy exceptions and dispensations.

Incident response & reporting (India)

• Define and maintain a 24×7 incident response capability in coordination with Group Security (people, playbooks, tooling, SLAs).
• Coordinate triage, contain/eradicate/recover, customer/merchant communications, RCA, corrective actions, and formal notifications to authorities when required.
• Track MTTD/MTTR/MTTRc and other resilience metrics, drive lessons-learned and continuous improvement across teams.
• Integrate crisis management and business continuity with Group reliance function; conduct appropriate tabletop exercises

Audit, assurance & continuous improvement

• Act as the cybersecurity point of contract to lead communication with internal and external auditors.
• Plan and deliver the annual system audit and independent assessments, track issues to sustainable closure with control owners.
• Maintain audit-ready evidence repositories; partner with Group to run an audit readiness and inspection preparation program.
• Define and enhance Cybersecurity dashboard and management reporting
• Lead the India Cybersecurity & IT Steering Committee, ensuring prioritised remediation, funding, and accountable ownership.
• Collaborate with Group Security on a multi-year capability roadmap and measure maturity against a recognised model.

Operational Resilience & Capability Maturity (India)

• Support the India resilience programme with Operational Resilience and Group Security
• Publish a security capability maturity plan for India, report progress to the Steering Committee and India Board.

Measures of Success

 Audit & Regulatory Compliance

• 100% on-time RBI/NPCI filings, attestations, and responses.
• Annual System Audit completed with 0 repeat findings; ≥95% of issues closed by agreed due dates (no >90-day aged items).
• Policy alignment: India ISMS fully aligned to Group standards; 0 unmanaged policy exceptions (all have owners/expiries).

 Regulatory Engagement & Inspections

• Inspection outcomes: No supervisory penalties or adverse observations; all regulatory queries answered within 5 business days (or per notice).
• Change readiness: New circulars assessed and embedded with evidence within 60 days (risk-based).

 Operational Resilience & BCP/DR

• RTO/RPO met in ≥99% of BCP/DR tests for critical payment flows.
• 2 executive tabletop exercises/year (one regulator-style, one customer-impact scenario).

 Third-Party & Outsourcing Risk

• 100% of critical vendors reviewed annually, medium risk on cycle.
• Contracts: Security clauses & right-to-audit in 100% of critical vendor contracts; exit/contingency plans documented.
• Issues: ≥90% vendor findings closed by due date; RBI outsourcing register current.

 Governance & Reporting

• Quarterly Board/Risk Committee packs delivered on schedule; top risks with trendlines and treatment plans.
• Risk posture: Reduction in Top-5 India risks severity or likelihood within 12 months; exception backlog reduced by ≥50% and all exceptions have time-bound dispensations.

Key Skills and Competencies 

• 12+ years in cyber security with 5+ years leading security for regulated financial services or payments in India.
• Comfortable engaging with boards, senior regulators, banks, and large enterprise merchants.
• Deep understanding of Indian payments ecosystems (e.g., UPI, cards, wallets) and the operating realities of PA/PGs.
• Proven track record engaging Boards, regulators, banks/card networks, and large enterprise merchants.
• Practical knowledge of RBI expectations for payment system operations and PA/PG entities
• Familiar with India data-localisation norms, outsourcing oversight, digital payment security controls, tokenisation, and system audit expectations.
• Experience preparing for and responding to regulatory inspections and audit queries; comfortable coordinating with CERT-In empanelled auditors.
• Excellent written and verbal communication; able to simplify complex risk.
• Willingness to travel for regulator and audit engagements (Mumbai)
• Clean regulatory record and high integrity.
• Clear, concise Board-level reporting and metrics; drives multi-year maturity roadmaps.
• Strong collaboration with Group Security, Group GRC, local Compliance, Operational Resilience, and Internal Audit

Nice to Have 

• Experience with UPI, card acquiring, wallets, or direct bank integrations.
• Exposure to SOC 2/ISO attestations and customer security due-diligence cycles.
• Familiarity with fraud risk, behavioural analytics, and payments risk engines

Qualifications 

• Bachelors in computer science/IT, Engineering or related field
• Relevant certifications: CISSP, CISM, CRISC, ISO/IEC 27001 / ISO 31000 risk management certification Lead Implementer/Lead Auditor, CCSP; plus role-relevant SANS GIAC (e.g., GCIH/GCIA/GMON).
• Cloud security certifications (e.g., AWS/Azure Security Specialty) and familiarity with PCI DSS (ISA/QSA exposure helpful).
• Equivalent risk credentials also welcome: IRM International Diploma/Certificate in Risk Management, ISACA, PMI-RMP