Airtel Africa

Lead Information Security Officer (NBFC/Fintech/Bank Exp)

  • Posted 15 hours ago

Job Description

Role Overview

We are a digital-first NBFC being built from the ground up. As we prepare for go-live, we are looking for a hands-on Information Security Leader to establish and manage the company's cybersecurity, data protection, and IT governance framework.

This role will be responsible for designing, implementing, and continuously improving the organization's security posture across infrastructure, applications, cloud, data, and third-party ecosystems — in alignment with RBI guidelines and industry best practices.

This is an execution-oriented role suited for a high-potential professional who can build security architecture from scratch in a fast-paced environment.

Key Responsibilities

  1. Security Framework & Governance

Establish and implement the Information Security Policy framework in line with RBI IT Governance Directions.

Develop and maintain policies covering:

  • Access control
  • Data protection & encryption
  • Incident response
  • Vulnerability management
  • Third-party security

Implement a structured risk assessment and control testing framework.

  2. Cloud & Infrastructure Security

Design secure architecture for cloud environments (AWS/Azure/GCP).

Implement:

  • IAM controls
  • Network segmentation
  • Encryption (at rest & in transit)
  • Secure DevOps practices

Ensure production environments are hardened and monitored.

  3. Application & Product Security

Work closely with Product and Engineering teams to:

  • Integrate security-by-design
  • Conduct code reviews and vulnerability scans
  • Perform VAPT (Vulnerability Assessment & Penetration Testing)

Ensure secure API architecture and integration practices.

  4. Regulatory & Compliance Alignment

Ensure adherence to:

  • RBI IT Governance Guidelines
  • Data localization requirements
  • KYC/AML data protection norms

Support RBI inspections and provide required documentation.

Maintain compliance audit readiness at all times.

  5. Monitoring & Incident Response

Establish Security Operations monitoring (SIEM or managed SOC).

Develop incident response playbooks.

Lead response to any cybersecurity incidents or breaches.

Conduct periodic tabletop exercises.

  6. Vendor & Third-Party Risk Management

Conduct security due diligence for:

  • LOS/LMS vendors
  • Cloud providers
  • Collection partners
  • Outsourced service providers

Implement periodic third-party risk assessments.

  7. Awareness & Culture

Drive organization-wide security awareness training.

Ensure access controls and user privileges follow least-privilege principles.

Promote a culture of cyber hygiene across teams.

Key Requirements:

Experience

7–10 years of experience in cybersecurity / information security.

Experience in fintech, NBFC, bank, or regulated technology environment preferred.

Hands-on exposure to:

  • Cloud security
  • Application security
  • SOC implementation
  • Vulnerability management

Experience working with auditors and regulatory bodies preferred.

Skills

Strong understanding of:

  • ISO 27001
  • NIST framework
  • RBI IT governance framework

Knowledge of cloud-native security tools.

Ability to work cross-functionally with Tech, Product, Risk, and Compliance.

High ownership mindset and execution orientation.

Education & Certifications

Bachelor's degree in Engineering / Computer Science.

Preferred certifications:

CISSP / CISM / CEH / ISO 27001 Lead Implementer.


Job ID: 146396095
