Manager -Cybersecurity GRC-Saudi National

Overview

The cybersecurity GRC manager helps run the governance, risk, and compliance program across AEW and AEW-served companies. The role is expected to drive policy lifecycle, assessments, audits, exceptions, third‑party risk, and regulatory alignment. Role is expected to coordinate remediation with AEW Digital Services/IT and counterparts at serviced entities.

• Maintain AEW's cybersecurity policy/standard/procedure library; run annual review cycle; map to ECC-2:2024 and other applicable NCA controls (OTCC/CSCC/OSMACC) and relevant international baselines (e.g., ISO 27001)
• Publish and track mandatory control exceptions with end dates and risk acceptance

• Plan and run internal assessments for AEW and serviced entities; prepare for external inspections; maintain evidence library
• Use the NCA ECC-2 Assessment & Compliance Tool when applicable; produce gap analyses and remediation plans

• Maintain the cyber risk register; facilitate business‑owned risk decisions; integrate with enterprise risk
• Run control design/effectiveness reviews ahead of audits

• Ensure enforcement of third‑party cybersecurity controls in line with ECC-2:2024 "third‑party and cloud computing" domain
• Coordinate with Procurement and Legal

• Define compliance‑focused awareness training plan and track completion

• Provide monthly KPI packs to the Head of Digital Services and Cybersecurity Steering Committee

• Bachelor's degree. 3‑7 years in cybersecurity GRC or audit
• Proven work with NCA frameworks (ECC-2:2024; plus OTCC/CSCC/OSMACC as applicable to entity scope)
• Strong policy writing, audit, and risk facilitation skills;
  Arabic and English business proficiency
• Preferred: ISO/IEC 27001 LA/LI, CISM, CRISC (or equivalent)

Regular travel within Saudi Arabia and other relevant countries as required by the business.