Key Responsibilities
- Design, implement, and continuously improve GRC frameworks, processes, and tools to support enterprise-wide risk and compliance objectives.
- Lead the development, review, and enforcement of information security policies, standards, and procedures, ensuring alignment with business goals and regulatory requirements.
- Own and execute the end-to-end risk assessment process, including third-party risk, operational risk, and technology risk, while recommending and tracking remediation plans.
- Partner with cross-functional teams (IT, Legal, Internal Audit, Business Units) to ensure compliance with ISO 27001, NIST CSF, SAMA, NCA, and other relevant standards.
- Manage the documentation lifecycle of controls, risks, and compliance evidence, ensuring audit readiness at all times.
- Lead or co-lead internal and external audits, including scoping, evidence collection, stakeholder coordination, and driving findings to closure with corrective action plans.
- Define and monitor key risk and performance indicators (KRIs/KPIs) for security controls, producing executive-level dashboards and risk reports.
- Proactively track regulatory and industry changes (local and international), assess their impact, and drive necessary policy or control updates.
- Lead or significantly contribute to security awareness and training initiatives, mentoring junior team members and fostering a risk-aware culture.
- Serve as a subject matter expert (SME) on GRC matters, advising management and project teams on risk-based decision making.
Requirements
- Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field. A Master's degree is a plus.
- 3–6 years of progressive experience in GRC, Information Security, or IT Risk Management, with at least 1–2 years operating at a mid-to-senior level.
- Deep, hands-on expertise in ISO 27001, NIST (preferably NIST CSF or 800-53), and common risk assessment methodologies (e.g., FAIR, OCTAVE, or qualitative/quantitative methods).
- Proven experience leading audit engagements (internal or external) and managing remediation lifecycles independently.
- Strong ability to translate complex regulatory and security requirements into practical, business-friendly controls and processes.
- Exceptional written and verbal communication skills, including the ability to present risk findings to senior leadership and non-technical stakeholders.
- Advanced analytical and problem-solving skills, with high attention to detail and a proactive, ownership mindset.
- Experience working in Saudi Arabia or the broader Middle East region, with familiarity of local regulations (e.g., NCA, SAMA, CST, PDPL) strongly preferred.
- Relevant certifications are highly preferred, such as:
- ISO 27001 Lead Implementer or Lead Auditor
- CISM, CRISC, CISA, or CISSP
- GRC-specific certifications (e.g., GRCP, GRCA) are a plus.
Preferred Attributes (Nice to Have)
- Experience with GRC platforms (e.g., ServiceNow GRC, Archer, MetricStream, or similar).
- Prior experience mentoring or guiding junior analysts or interns.
- Ability to write and test business continuity, disaster recovery, or incident response plans from a compliance perspective.