Job Title: Chief Information Security Officer (CISO)
Location: Mumbai - Work From Office
Reporting To: Chief Risk Officer (with dual reporting to Board Risk / Audit Committee)
Sector: General Insurance
Experience: 15+ years in Information Security with leadership exposure in BFSI, ideally Insurance or FinTech
Salary: 50LPA+ based on fitment
Role Overview
- The Chief Information Security Officer (CISO) will define and implement the company's end-to-end Information Security framework, ensuring secure design, regulatory readiness, and operational resilience as the company moves from 0 to 1.
- This is a strategic yet hands-on leadership role, ideal for someone who has managed security at scale in a regulated BFSI/Insurance environment, and now wants to build a secure-by-design foundation for a cloud-native, API-driven, AI-powered insurance platform.
- The CISO will anticipate and pre-empt risks by leveraging prior experience, ensuring that the company's technology-led innovation is always backed by enterprise-grade security and compliance discipline.
Key Responsibilities
1. Information Security Strategy & Governance
- Define and implement the enterprise-wide Information Security strategy, encompassing governance, risk management, data protection, and cybersecurity.
- Establish security policies, frameworks, and control baselines in alignment with IRDAI, CERT-In, ISO 27001, and DPDP Act.
- Build a scalable ISMS (Information Security Management System) from the ground up.
2. Cloud, Application & API Security
- Work with engineering teams to review and develop secure architecture designs for cloud-native systems, APIs, and microservices.
- Review implemented automated controls for containerized and serverless environments.
- Ensure security by design is baked into engineering processes through DevSecOps practices and CI/CD pipelines.
3. Cybersecurity Operations & Threat Management
- Set up and oversee Security Operations (SOC), including SIEM, SOAR, and vulnerability management.
- Build detection and response capability tailored for API-driven, AI-heavy applications.
- Lead threat intelligence, incident response, and post-incident reviews.
4. AI & Data Security
- Develop frameworks for secure and responsible AI/ML model governance, including data lineage, model access control, and risk mitigation for bias and data leakage.
- Protect customer and training data in compliance with DPDP and data residency norms.
5. Regulatory & Compliance Management
- Ensure readiness for IRDAI cyber security and IT governance audits.
- Collaborate with Compliance and Legal teams for ongoing adherence to regulatory reporting and certifications (ISO 27001, SOC 2, etc.).
- Build documentation and audit trails for pre-emptive compliance.
6. Third-Party & Ecosystem Security
- Design and enforce a Third-Party Risk Management (TPRM) framework for partners, TPAs, technology vendors, and data processors.
- Conduct due diligence and continuous monitoring of vendor security posture.
7. Business Continuity & Resilience
- Establish cloud-native BCP/DR plans, aligned with IRDAI requirements.
- Lead incident and crisis management drills to validate resilience under simulated failures.
8. Security Culture & Awareness
- Foster a security-first culture across engineering, product, and operations teams.
- Conduct awareness programs, red/blue team simulations, and executive security workshops.
9. Leadership & Board Engagement
- Advise leadership and Board Risk / Audit Committee on key threats, mitigation strategies, and regulatory posture.
- Build and mentor an internal security team capable of scaling with the business.
Desired Profile
- 15+ years in Information Security, with at least 5 years in senior InfoSec roles at Insurance, NBFC, Bank, or FinTech.
- Experience securing cloud-native, API-driven, or AI/ML-intensive platforms.
- Strong grasp of IRDAI, CERT-In, DPDP Act, and global security standards.
- Proven ability to design and operationalize security frameworks from zero, while ensuring future scalability.
- Strong collaboration with Product, Engineering, and Risk teams.
Qualifications / Certifications
- Bachelor's or Master's degree in Computer Science, Cybersecurity, or related field.
- Preferred certifications: CISSP, CISM, CCSP, ISO 27001 LA, AWS Security Specialty, CRISC.
- Familiarity with frameworks like NIST CSF, Zero Trust Architecture, and OWASP API Security Top 10.
Key Behavioural Attributes
- Strategic foresight backed by operational pragmatism.
- Startup agility with an enterprise governance mindset.
- Strong executive presence and regulatory confidence.
- Builder-leader who can set up from scratch yet think at scale.
- Ethical, transparent, and decisive under pressure.
Job ID: 130420365