Head – Information Security, GRC & Data Privacy
Reporting To: Chief Technology Officer (CTO)
Role Purpose
The Head – Information Security, GRC & Data Privacy will serve as the organization's custodian for cyber security governance, data privacy compliance, and technology risk management. The role is responsible for establishing and operating the security governance framework, driving compliance with the Digital Personal Data Protection Act (DPDPA), managing internal and external audits, ensuring regulatory compliance, and partnering with business and technology teams to embed security and privacy controls across all digital initiatives.
Key Responsibilities
1. Data Privacy & DPDPA Compliance
Lead the organization's DPDPA compliance program from a technology and process perspective.
Define and implement privacy-by-design principles across applications, customer journeys, and operational processes.
Establish consent management, data retention, data minimization, purpose limitation, and data subject rights processes.
Drive implementation of Data Protection Impact Assessments (DPIA).
Maintain data inventories, data flow maps, and personal data processing records.
2. Information Security Governance & Risk Management
Develop and maintain the enterprise information security governance framework.
Establish cyber risk assessment methodologies and periodic risk reviews.
Define and monitor security policies, standards, baselines, and control frameworks.
Maintain security risk registers and track mitigation plans.
3. IT GRC (Governance, Risk & Compliance)
Own the IT GRC program across applications, infrastructure, cloud, and third-party ecosystems.
Lead internal control assessments and compliance reviews.
Manage compliance against ISO 27001, SOC 2, NIST CSF, CIS Controls, and DPDPA requirements.
Track audit observations and ensure timely closure of corrective actions.
4. Cyber Security Assurance
Define organization-wide cyber security requirements and control standards.
Oversee vulnerability management, penetration testing, and security assessments.
Review security architecture for critical projects and technology deployments.
Monitor cyber security posture through KPIs and KRIs.
5. Third-Party & Vendor Security
Establish third-party cyber risk assessment processes.
Review security posture of technology vendors, SaaS platforms, partners, and outsourced service providers.
Define contractual security and privacy requirements.
6. Audit & Regulatory Compliance
Serve as the primary owner for technology audits.
Coordinate internal audit, external audit, customer audits, and regulatory assessments.
Drive closure of audit findings and monitor remediation plans.
7. Security Awareness & Culture
Build organization-wide security and privacy awareness programs.
Conduct periodic training on cyber security, privacy, phishing, and data handling practices.
Desired Experience
10–15 years of experience in Information Security, IT Risk, GRC, Privacy, or Cyber Security.
Experience leading ISO 27001, SOC, NIST, or equivalent compliance programs.
Hands-on experience with privacy regulations such as DPDPA, GDPR, or similar frameworks.
Experience managing technology audits and regulatory assessments.
Exposure to cloud security (AWS, Azure, GCP) and SaaS environments.
Prior experience in logistics, e-commerce, fintech, or high-volume digital businesses preferred.
Preferred Certifications
CISSP
CISM
CRISC
ISO 27001 Lead Implementer / Lead Auditor
CDPSE
DPO Certification
CISA
Success Metrics
DPDPA compliance maturity score
Number of unresolved audit findings
Security risk closure SLA adherence
Vendor security assessment coverage
Compliance certification status
Vulnerability remediation effectiveness
Reduction in high-risk security findings
Regulatory and customer audit outcomes
Data privacy incident metrics