17 Bangalore International Airport Jobs

Manager/Senior Manager : Governance, Risk and Compliance (GRC)

9-14 years

Devanahalli, Bangalore / Bengaluru

1 vacancy

Bangalore International Airport

posted 30min ago

Job Role Insights

Fixed timing

Job Description

The Manager/Senior Manager, Governance, Risk, and Compliance (GRC) plays a critical role in ensuring the secure and compliant operation of the airport's information systems. Reporting to the General Manager of Information Security, this role is responsible for developing, implementing, and maintaining the governance, risk management, and compliance framework to safeguard the airport's critical infrastructure, sensitive data, and IT operations.


The Manager/Senior Manager will drive alignment with regulatory requirements, international standards, and organizational objectives, while proactively identifying and mitigating security risks. This position involves overseeing compliance with aviation, cybersecurity, and data protection regulations, leading audits, and ensuring the organization adheres to best practices for risk management and information security governance.


Role & responsibilities:

Establish and Maintain a Robust GRC Framework to Support the Airport's Mission-Critical Operations

  • Develop, implement, and continuously improve the governance, risk, and compliance framework, ensuring alignment with organizational objectives and industry best practices.
  • Establish policies, procedures, and standards for information and data security, risk management, and compliance, ensuring they are adopted across internal teams and outsourced partners.
  • Conduct regular reviews of the GRC framework to accommodate changes in regulations, business priorities, and emerging threats.
  • Participate in process design reviews and provide inputs on process changes based on industry best practices to ensure that processes are aligned to the GRC framework.
  • Review and provide guidance on the changes to the ICT processes based on the regulatory changes.
  • Monitor the performance of the IT strategic partner and MSSP against agreed SLAs and ensure their adherence to BIAL's GRC requirements.
  • Participate in governance meetings across ICT department and review the state of compliance to various GRC requirements.
  • Provide regular updates to the General Manager of Information Security on the GRC program's effectiveness and areas for improvement.
  • Escalate process compliance issues to senior leadership along with suggestions for a remediation plan.

Ensure Compliance with Regulatory Standards

  • Lead compliance initiatives for aviation-specific regulations (e.g., ICAO Annex 17, IATA guidelines), data protection laws such as the DPDP Act and the IT Act 2000 (and its various amendments and guidelines), sectoral regulations (e.g., MoCA, BCAS, CISF, MeitY), and PCI DSS.
  • Work with the IT strategic partner to ensure IT systems and applications meet compliance standards during deployment and operations.
  • Collaborate with the MSSP to ensure security operations comply with regulatory requirements, including log management, incident response, and data retention policies.
  • Manage audits and assessments by regulatory bodies, ensuring timely and accurate responses to findings.
  • Maintain a compliance calendar and ensure adherence to deadlines for reporting and certifications.

Management of Information Security Risks

  • Facilitate enterprise-wide risk assessments, including the identification and prioritization of information security risks related to IT and OT systems.
  • Partner with the IT strategic partner to identify risks in infrastructure and application deployments and recommend mitigations.
  • Work with the MSSP to continuously monitor, assess, and address risks related to security incidents, vulnerabilities, and threat intelligence.
  • Develop and maintain a risk register, ensuring risks are documented, mitigations are tracked, and residual risks are communicated to stakeholders.
  • Lead risk management workshops and awareness sessions for internal teams and outsourced partners.

Provide Leadership in Internal and External Audits, Regulatory Assessments, and Security Certifications

  • Oversee internal and external audits for compliance, security, and risk, ensuring alignment with standards such as ISO 27001 and other relevant certifications.
  • Act as the primary point of contact for auditors and regulatory assessors, coordinating with both internal teams and outsourced partners to provide evidence and responses.
  • Oversee the drafting, review, and finalization of contracts within GRC purview, ensuring that all agreements are clear, comprehensive, with all necessary clauses including the non-functional requirements of ICT processes, termination clauses, governance cadence, etc.
  • Work with the MSSP to ensure audit readiness for security operations, including incident response, threat detection, and log management.
  • Monitor and evaluate audit/assessment partner performance, addressing any issues related to quality, cost, or delivery.
  • Record, track, validate, and monitor D&Os, KPIs, and SLAs across audit/assessment partners and vendors.
  • Develop post-audit action plans and ensure timely closure of findings by coordinating with all stakeholders.
  • Maintain documentation and evidence repositories to streamline future audits and assessments.
  • Maintain accurate and up-to-date records of all communications, amendments, and performance evaluations.

Security Awareness and Accountability

  • Design and lead information security awareness programs tailored for employees, contractors, and outsourced partners.
  • Collaborate with the IT strategic partner and MSSP to integrate security awareness into operational processes and onboarding activities.
  • Develop campaigns, training sessions, and communication plans to reinforce security best practices and regulatory compliance.
  • Establish metrics to measure the effectiveness of awareness programs and make data-driven adjustments.
  • Recognize and reward positive security behaviors to encourage accountability and ownership among employees and partners.

Strategic Leadership

  • Provide strategic direction and leadership to the Information Security team, fostering a culture of excellence and continuous improvement.
  • Drive innovation in GRC practices, ensuring the organization remains competitive and forward-looking.
  • Act as a key advisor to senior management on GRC matters, contributing to strategic decision-making.

DIMENSIONS

Financial

  • Provide relevant inputs from a GRC perspective to help the Head of Information Security determine the annual budget and periodic forecasting.

Non-Financial

  • Approximately 5 indirect reports, including small and large vendor resources providing audit/assessment/operational services and security products.

Preferred candidate profile

  • Strong understanding of GRC frameworks (e.g., COBIT, ISO 27001, NIST CSF).
  • Experience in developing and implementing information security policies, standards, and procedures.
  • Expertise in conducting risk assessments, audits, and compliance reviews.
  • Proficiency in regulatory compliance for information security and data protection (e.g., CERT-In, NCIIPC, DPDP, PCI DSS) and aviation-specific regulations (e.g., MoCA, BCAS, CISF, ICAO Annex 17, IATA standards).
  • Familiarity with security operations, including incident response, threat monitoring, and vulnerability management.
  • Hands-on knowledge of working with Managed Security Service Providers (MSSPs).
  • Expertise in handling risks and compliance issues for both IT and OT systems (e.g., SCADA, PLCs).
  • Experience integrating IT and OT security practices in complex environments like airports.
  • Proven experience in managing internal and external audits for certifications like ISO 27001, SOC 2, and other relevant standards.
  • Familiarity with certification processes and audit preparation/documentation.
  • Ability to assess complex risks and propose actionable mitigation plans.
  • Skilled in analyzing data from various sources, including risk registers, security logs, and compliance tools.
  • Strong written and verbal communication skills for engaging with cross-functional teams, regulatory bodies, and outsourced partners.
  • Ability to present risk and compliance reports effectively to senior management and stakeholders.
  • Proven skills in stakeholder management, particularly when working with IT strategic partners and MSSPs.
  • Ability to lead GRC initiatives, ensuring collaboration across internal teams and external partners.
  • Project management skills to coordinate multiple compliance, risk, and audit activities simultaneously.
  • Familiarity with GRC tools and platforms (e.g., Archer, ServiceNow GRC, RiskWatch).
  • Basic understanding of cloud platforms (e.g., AWS, Azure) and associated compliance challenges.
  • Knowledge of security technologies such as SIEM, endpoint protection, and firewalls.
  • Precision in documenting compliance findings, audit outcomes, and risk reports.
  • Strong focus on ensuring no gaps in policies, procedures, or controls.
  • Knowledge of enterprise risk management (ERM) concepts and methodologies.
  • Understanding of risk quantification techniques and prioritization frameworks.
  • Knowledge of managing vendor compliance and security SLAs, especially with IT strategic partners and MSSPs.
  • Awareness of third-party risk management processes and tools.
  • Preferred governance and risk certifications include Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Implementer or Lead Auditor, ITIL Foundation or higher, or cloud certifications.
  • Experience working with or managing outsourced partners, such as IT strategic partners and MSSPs.
  • Hands-on experience in regulatory audits and implementing compliance programs for large-scale organizations.
  • Ability to build and maintain relationships with internal teams, partners, and external vendors.

If your profile matches the criteria, please share your resume at nataraj.s@bialairport.com



Employment Type: Full Time, Permanent

People are getting interviews at Bangalore International Airport through

  • Job Portal: 54%
  • Walk-in: 23%
  • Company Website: 8%
  • Other sources: 15%

High Confidence means the data is based on a large number of responses received from the candidates.

What Bangalore International Airport employees are saying about work life

based on 289 employees

  • Strict timing: 53%
  • Rotational Shift: 44%
  • No travel: 60%
  • Day Shift: 98%

Bangalore International Airport Benefits

  • Health Insurance
  • Cafeteria
  • Free Transport
  • Team Outings
  • Job Training
  • Soft Skill Training

Manager/Senior Manager : Governance, Risk and Compliance (GRC)

9-14 Yrs

Devanahalli, Bangalore / Bengaluru

9hr ago·via naukri.com

Guest Relation Executive

2-6 Yrs

Bangalore / Bengaluru

2d ago·via naukri.com

Spa Manager

10-15 Yrs

Bangalore / Bengaluru

2d ago·via naukri.com

Engineering Manager

10-15 Yrs

Bangalore / Bengaluru

2d ago·via naukri.com

Marketing Executive

2-5 Yrs

Bangalore / Bengaluru

2d ago·via naukri.com

Senior Maintenance Engineer - Civil

6-11 Yrs

Bangalore / Bengaluru

6d ago·via naukri.com

Maintenance Executive - Civil

3-8 Yrs

Bangalore / Bengaluru

6d ago·via naukri.com

Executive - Services

4-8 Yrs

Bangalore / Bengaluru

6d ago·via naukri.com

Senior Manager Industrial Control Systems (ICS) Security

10-20 Yrs

Devanahalli, Bangalore / Bengaluru

6d ago·via naukri.com

Deputy Manager - Brand Marketing

10-18 Yrs

Devanahalli, Bangalore / Bengaluru

7d ago·via naukri.com