
MindTickle

Specialist, Information Security & Privacy

2-4 Years
  • Posted 8 days ago

Job Description

Job Snapshot

Mindtickle is hiring a Specialist, Information Security and Privacy to join our Information Security and Privacy team in Pune. This role sits at the intersection of compliance, technical security, and intelligent automation — and it is designed for someone who understands that good security is not just about policy, but about building systems that make compliance self-evident.

You will own the operational backbone of our compliance programme across SOC 2 Type II, ISO 27001, GDPR, and HIPAA — managing controls, preparing for audits, and working directly with engineering teams on vulnerability remediation. Alongside this, you will gradually build automated compliance workflows: Python-based applications and AI-assisted agents that collect audit evidence, surface control gaps, and keep stakeholders proactively informed — reducing manual effort and enabling the team to stay ahead of its obligations at scale.

If you are someone who is equally comfortable reading a security advisory as you are writing a Python script, and who believes that compliance should be a living, automated system rather than an annual scramble, this role offers rare breadth and long-term impact.

This role reports to the Senior Manager, Information Security and Privacy.

What's in it for you

Compliance operations and audit readiness

  • Own and manage controls across SOC 2 Type II, ISO 27001, GDPR, and HIPAA frameworks, maintaining an up-to-date control landscape and evidence inventory.
  • Coordinate and support external audits end-to-end — from audit scoping and evidence preparation to auditor walkthroughs and post-audit remediation tracking.
  • Manage compliance tracking across Google Workspace (Sheets, Drive, Docs, Gmail) — maintaining structured control registers, evidence repositories, and policy documentation.
  • Send and track corrective action communications to control owners, following up through resolution and maintaining a clear audit trail.
  • Conduct periodic internal compliance reviews and produce structured reports for leadership.

Technical security and vulnerability management

  • Participate in Vulnerability Assessment and Penetration Testing (VAPT) cycles — reviewing findings, contextualising them for engineering teams, and tracking remediation to closure.
  • Monitor and triage security findings from external risk and rating platforms including SecurityScorecard, Panorays, UpGuard, Whistic, ProcessUnity, Qualys SSL Labs, and similar sources.
  • Act as the liaison between the security team and engineering — translating security findings into actionable tickets in Jira, validating fixes post-sign-off, and gradually taking ownership of resolutions.
  • Maintain a working knowledge of common vulnerability classes (OWASP Top 10), exploits, and secure architecture patterns relevant to cloud-hosted SaaS platforms.
  • Support cloud security reviews and configuration assessments on AWS (primary) and GCP, with an understanding of IAM, network security groups, storage controls, and logging configurations.

Compliance automation and AI-assisted workflows

  • Build and maintain Python-based automation scripts that collect compliance evidence from internal systems, APIs, and Google Workspace — reducing manual evidence gathering for external audits.
  • Develop automated email workflows and scheduled reports that keep control owners, team leads, and leadership informed of compliance status, upcoming obligations, and open remediation items.
  • Create and maintain compliance dashboards that provide a real-time view of control health, audit readiness, and key risk indicators.
  • Progressively design and deploy AI-assisted internal audit workflows — acting as the orchestrator of agentic pipelines that perform control checks, generate evidence summaries, and flag anomalies for human review.
  • Leverage AI-assisted coding tools such as Cursor and Claude Code to accelerate development of automation and internal tooling.

Cross-functional collaboration and programme hygiene

  • Collaborate with Engineering, DevOps, Legal, and HR teams to ensure controls are implemented, tested, and documented in alignment with framework requirements.
  • Maintain and periodically review information security policies, procedures, and standards in Google Docs, ensuring they remain current and aligned with framework controls.
  • Coordinate access reviews, vendor security assessments, and third-party risk evaluations as part of the ongoing compliance calendar.
  • Support onboarding and awareness initiatives by contributing to security training content and policy communications.

We'd love to hear from you, if you:

Experience and background

  • 2–3 years of hands-on experience in information security, GRC (Governance, Risk and Compliance), or a security-adjacent technical role.
  • Demonstrated experience working with at least one major compliance framework (SOC 2, ISO 27001, GDPR, or HIPAA) — including evidence collection, control testing, or audit support.
  • 1+ year of programming experience, with practical Python skills for scripting, automation, or data processing tasks.
  • Exposure to cloud platforms, with working knowledge of AWS services (IAM, S3, CloudTrail, Security Hub, or equivalent) and basic familiarity with GCP.

Technical security knowledge

  • Understanding of common vulnerability classes, OWASP Top 10, and secure development principles sufficient to contextualise findings and communicate them to engineering teams.
  • Familiarity with VAPT processes — including scoping, findings review, and remediation validation.
  • Basic understanding of network security concepts: TLS/SSL, DNS, firewalls, VPNs, and cloud-native security controls.
  • Working knowledge of authentication and identity concepts: SSO, OAuth 2.0, SAML, IAM, RBAC, and MFA.
  • Ability to read and interpret security findings from external platforms such as SecurityScorecard, Qualys, or similar security rating and scanning tools.

Tooling and workflow

  • Proficient in Google Workspace — comfortable using Sheets for control tracking and mapping, Drive and Docs for policy and evidence management, Gmail for formal communications and sign-offs, and Calendar for compliance scheduling.
  • Experience using Jira for cross-functional issue tracking and Slack for team collaboration.
  • Comfortable writing Python scripts for automation, data extraction, API integrations, or report generation.
  • Exposure to or genuine curiosity about AI tooling, LLMs, and agent-based workflows.

Soft skills and working style

  • Strong written communication skills — able to draft clear policy documents, corrective action notices, and executive summaries.
  • Methodical and organised — able to manage multiple concurrent workstreams, deadlines, and stakeholders without losing detail.
  • Comfortable with ambiguity and ad-hoc requests in a fast-paced SaaS environment.
  • Proactive and self-driven — able to identify gaps, propose solutions, and execute independently once direction is set.

Good to have:

  • Certifications: CISA, CISSP, CEH, CompTIA Security+, or any recognised AI / machine learning certification.
  • Experience building or interacting with AI agents, LLM-based pipelines, or automation using frameworks such as LangChain or LangGraph.
  • Hands-on experience with AI-assisted development tools such as Cursor or Claude Code.
  • Familiarity with third-party risk and security rating platforms (SecurityScorecard, Panorays, UpGuard, Whistic, ProcessUnity).
  • Prior experience with GCP services for development or workflow automation.
  • Understanding of data privacy principles under GDPR and HIPAA, including data classification, retention policies, and subject rights processes.
  • Exposure to SAST/DAST tooling, container security, or cloud security posture management (CSPM).


Job ID: 145595809
