
Job Title: Information Security GRC - Lead
Company: TriOptus
Location: Dehradun, Uttarakhand
Created: 2025-07-26
Job Type: Full Time

Job Description

Job Title: AVP – Information Security Governance, Risk and Compliance (IS GRC)
Department: Information Security Group (ISG)
Reporting To: Head – Information Security GRC
Job Location: REMOTE
Duration: 1 year, CONTRACT

Job Purpose:
The AVP – IS Governance, Risk and Compliance (IS GRC) is responsible for developing, managing, and executing Mashreq Bank’s Information Security GRC strategy to:
- Support the business and technology vision with secure and resilient service delivery
- Ensure adherence to internal policies and global/regional information security regulations
- Strengthen the bank’s cyber posture and drive a risk-aware, compliance-driven culture
- Support enterprise-wide governance initiatives as the Deputy to the Head of IS GRC

This role demands a T-shaped leader: deep expertise in one GRC domain and breadth across all others (Policy, Governance & Culture; Cyber Strategy & Program Management; Risk & Compliance).

Key Responsibilities:

1. Policy, Governance & Culture
- Design and maintain information security frameworks, policies, and standards in line with ISO 27001, NIST, and other best practices
- Lead governance forums (e.g., IS Committee, BRC, ORC) and manage resulting actions
- Define and monitor KPIs and KRIs related to ISG effectiveness
- Promote cyber awareness programs, staff training, and cultural initiatives bank-wide
- Coordinate and support internal/external audits and regulatory inspections
- Support global governance adherence and ESG (Environmental, Social, and Governance) alignment

2. Cyber Strategy & Program Management
- Support development and execution of the bank’s multi-year cybersecurity strategy
- Oversee cyber program management, budgeting, and prioritization of strategic initiatives
- Align cybersecurity workforce and capabilities to business objectives
- Drive performance benchmarking and maturity assessments against peers
- Promote best practice sharing and embed a continuous improvement mindset
- Quantify cyber risk impact using qualitative and quantitative methods

3. Risk & Compliance
- Establish and operationalize the IS risk lifecycle aligned with ERM and ORM
- Govern Third-Party Risk Management (TPRM) and perform security due diligence
- Implement and track RCSA and the IS risk register in the GRC platform
- Act as the business owner of the IS GRC solution (e.g., Prism), ensuring automation, dashboards, and centralized governance
- Maintain regulatory obligation registers and calendars, and ensure compliance with frameworks including:
  - UAE NESA IAS
  - PCI-DSS
  - SWIFT CSP
  - HKMA C-RAF
  - DFS 500
  - FFIEC
- Lead cyber insurance and encryption key management initiatives

General Responsibilities:
- Maintain and update the GRC roadmap; report progress bi-monthly to the Head of IS GRC
- Ensure timely closure of legal, regulatory, and audit-related issues with high quality
- Support local CISOs and IS SPOCs with GRC enablement, issue tracking, and audit readiness
- Deliver RTB (Run the Bank) and CTB (Change the Bank) initiatives with strong governance and minimal operational surprises

Key Performance Indicators:
- Measurable reduction of IS and cyber risk exposure
- Timely and high-quality closure of audits, exceptions, and regulatory issues
- Improved security awareness and behavior across the organization
- Operationalization of automated governance dashboards
- Compliance with all regulatory submissions and central bank directives

Key Working Relationships:
- Internal: Business Units (LOD-1), Tech GRC, IT, Compliance, Operational Risk, Fraud Prevention, Internal Audit
- External: Regional and International Regulators, Central Banks, Security Vendors, Audit Partners

Decision-Making Authority:
- Recommend and validate risk mitigation aligned with the bank’s risk appetite
- Lead implementation of controls and frameworks that align with global security standards and local regulations
- Escalate and manage compliance or operational risk gaps proactively

Knowledge, Skills, and Experience:

Experience:
- 15+ years in Information Security, with at least 2–3 years in a GRC leadership capacity
- Deep understanding of security frameworks: ISO 27001, NIST 800 series, SWIFT CSP, PCI-DSS, COBIT
- Experience in regulatory compliance and cyber governance across international jurisdictions
- Proven track record managing large-scale enterprise security programs or GRC initiatives
- Hands-on experience with GRC platforms (e.g., Archer, Prism, MetricStream)

Education:
- Master’s degree in Information Security, IT, or a related discipline

Certifications (any one of the following is mandatory):
- CISA
- CISSP
- PCI-QSA
- SABSA
- CRISC

Key Attributes:
- Strategic thinking with operational execution capabilities
- Ability to influence and collaborate across business units and international geographies
- Strong interpersonal, analytical, and risk-based decision-making skills
- Proactive, structured, and results-driven leader
- Committed to innovation, automation, and continuous improvement