Job Title: Information Security GRC - Lead
Company: TriOptus
Location: Bhavnagar
Created: 2025-07-28
Job Type: Full Time

Job Description

Job Title: AVP – Information Security Governance, Risk and Compliance (IS GRC)
Department: Information Security Group (ISG)
Reporting To: Head – Information Security GRC
Job Location: REMOTE
Duration: 1 year, CONTRACT

Job Purpose:
The AVP – IS Governance, Risk and Compliance (IS GRC) is responsible for developing, managing, and executing Mashreq Bank’s Information Security GRC strategy to:
- Support the business and technology vision with secure and resilient service delivery
- Ensure adherence to internal policies and global/regional information security regulations
- Strengthen the bank’s cyber posture and drive a risk-aware, compliance-driven culture
- Support enterprise-wide governance initiatives as the Deputy to the Head of IS GRC

This role demands a T-shaped leader: deep expertise in one GRC domain and breadth across all others (Policy, Governance & Culture; Cyber Strategy & Program Management; Risk & Compliance).

Key Responsibilities:

1. Policy, Governance & Culture
- Design and maintain information security frameworks, policies, and standards in line with ISO 27001, NIST, and other best practices
- Lead governance forums (e.g., IS Committee, BRC, ORC) and manage resulting actions
- Define and monitor KPIs and KRIs related to ISG effectiveness
- Promote cyber awareness programs, staff training, and cultural initiatives bank-wide
- Coordinate and support internal/external audits and regulatory inspections
- Support global governance adherence and ESG (Environmental, Social, and Governance) alignment

2. Cyber Strategy & Program Management
- Support development and execution of the bank’s multi-year cybersecurity strategy
- Oversee cyber program management, budgeting, and prioritization of strategic initiatives
- Align cybersecurity workforce and capabilities to business objectives
- Drive performance benchmarking and maturity assessments against peers
- Promote best practice sharing and embed a continuous improvement mindset
- Quantify cyber risk impact using qualitative and quantitative methods

3. Risk & Compliance
- Establish and operationalize the IS risk lifecycle aligned with ERM and ORM
- Govern Third-Party Risk Management (TPRM) and perform security due diligence
- Implement and track RCSA and the IS risk register in the GRC platform
- Act as the business owner of the IS GRC solution (e.g., Prism), ensuring automation, dashboards, and centralized governance
- Maintain regulatory obligation registers and calendars, and ensure compliance with frameworks including: UAE NESA IAS, PCI-DSS, SWIFT CSP, HKMA C-RAF, DFS500, FFIEC
- Lead cyber insurance and encryption key management initiatives

General Responsibilities:
- Maintain and update the GRC roadmap; report progress bi-monthly to the Head of IS GRC
- Ensure timely, high-quality closure of legal, regulatory, and audit-related issues
- Support local CISOs and IS SPOCs with GRC enablement, issue tracking, and audit readiness
- Deliver RTB (Run the Bank) and CTB (Change the Bank) initiatives with strong governance and minimal operational surprises

Key Performance Indicators:
- Measurable reduction of IS and cyber risk exposure
- Timely and high-quality closure of audits, exceptions, and regulatory issues
- Improved security awareness and behavior across the organization
- Operationalization of automated governance dashboards
- Compliance with all regulatory submissions and central bank directives

Key Working Relationships:
- Internal: Business Units (LOD-1), Tech GRC, IT, Compliance, Operational Risk, Fraud Prevention, Internal Audit
- External: Regional and International Regulators, Central Banks, Security Vendors, Audit Partners

Decision-Making Authority:
- Recommend and validate risk mitigation aligned with the bank’s risk appetite
- Lead implementation of controls and frameworks that align with global security standards and local regulations
- Escalate and manage compliance or operational risk gaps proactively

Knowledge, Skills, and Experience:

Experience:
- 15+ years in Information Security, with at least 2–3 years in a GRC leadership capacity
- Deep understanding of security frameworks: ISO 27001, NIST 800 series, SWIFT CSP, PCI-DSS, COBIT
- Experience in regulatory compliance and cyber governance across international jurisdictions
- Proven track record managing large-scale enterprise security programs or GRC initiatives
- Hands-on experience with GRC platforms (e.g., Archer, Prism, MetricStream)

Education:
- Master’s degree in Information Security, IT, or a related discipline

Certifications (any of the following mandatory):
- CISA
- CISSP
- PCI-QSA
- SABSA
- CRISC

Key Attributes:
- Strategic thinking with operational execution capabilities
- Ability to influence and collaborate across business units and international geographies
- Strong interpersonal, analytical, and risk-based decision-making skills
- Proactive, structured, and results-driven leader
- Committed to innovation, automation, and continuous improvement