Starlink Qatar

GRC Specialist

Qatar · Full-time · Associate

As a GRC Specialist, you will play a critical role in establishing and maintaining an effective Information Security GRC framework. Your mission will be to align security initiatives with business goals, minimize risk exposure, and ensure compliance with local and international standards such as ISO 27001, PCI-DSS, QCB, and NIA regulations.


Key Responsibilities:

Governance:

  • Develop, maintain, and enforce information security policies, procedures, and security standards aligned with best practices (e.g., ISO 27001).
  • Design and implement a robust security governance framework that ensures organizational accountability and structured oversight.
  • Provide regular reporting and risk posture updates to senior leadership (CISO, CIO, and Board) to drive strategic security initiatives.

Risk Management:

  • Conduct enterprise-wide risk assessments, including threat modeling, vulnerability assessments, and impact analysis.
  • Identify, document, and track security risks using a centralized Security Risk Register, with a focus on mitigating high-priority threats.
  • Develop and implement risk mitigation strategies, and manage risk acceptance processes by evaluating deviations and maintaining formal approvals.
  • Ensure continuous monitoring of the evolving threat landscape, especially within telecom and digital finance ecosystems.

Compliance:

  • Ensure compliance with applicable regulations, including QCB, National Information Assurance (NIA), PCI-DSS, and ISO standards.
  • Lead the development of compliance tracking programs, ensuring security controls and processes meet external and internal audit requirements.
  • Coordinate internal and external security audits and certifications, manage evidence collection, track findings, and ensure timely remediation.
  • Define and track Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to monitor control effectiveness and compliance.

Policy & Documentation:

  • Maintain up-to-date documentation for all security policies, processes, and governance artifacts in alignment with standards.
  • Lead policy reviews and updates periodically to reflect new threats, technologies, or regulatory changes.

Security Awareness & Culture:

  • Design and roll out a Security Awareness Program to educate users on phishing, social engineering, and best practices in cybersecurity hygiene.
  • Foster a security-first culture by engaging employees across departments in ongoing awareness campaigns and training sessions.

Identity & Access Management (IAM):

  • Support User Access Reviews (UARs) by coordinating with business units to ensure least privilege access, prevent toxic combinations, and enhance IAM compliance.
  • Collaborate on access control reviews, cleanup activities, and audit readiness.


Qualifications & Skills:

Minimum Requirements:

  • 10+ years in Information Security, GRC, or Risk Management roles
  • 5+ years of experience in the Telecommunications or similar high-risk domain
  • Bachelor’s in Information Technology, Computer Science, or Engineering

Preferred Certifications:

  • CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer, CCSP

Key Skills

cybersecurity
Posted: May 15, 2025
Type: Full-time
Level: Associate
Location: Doha
Industries: Telecommunications
Categories: Information Technology
