Head of Information Security & Compliance

Sri Lanka·Colomboexecutive

OtherInformation Security

0 views0 saves0 applied

Apply Now

Quick Summary

Overview

Develop, maintain, and continuously improve the Bank's information security governance framework Define and manage the hierarchy of security policies, standards, procedures, baselines, and guidelines Ensure governance documentation is aligned with regulatory, legal, business, and technology…

Requirements Summary

Bachelor's degree in Information Security, Computer Science, Information Systems, Engineering, or related field Postgraduate qualification is preferred Professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Implementer or Lead…

Technical Tools

stakeholder-management

Develop, maintain, and continuously improve the Bank's information security governance framework
Define and manage the hierarchy of security policies, standards, procedures, baselines, and guidelines
Ensure governance documentation is aligned with regulatory, legal, business, and technology requirements
Manage policy approval, review cycles, exceptions, communication, and compliance tracking processes
Support CISO in preparing governance reports, dashboards, papers, and updates for committees and Board-level forums
Design and operate the enterprise cyber risk management framework aligned with overall risk management practices
Maintain the cyber risk register and ensure risks are tracked, treated, escalated, and reported appropriately
Assess information security risks across projects, digital initiatives, cloud adoption, outsourcing, and third-party engagements
Define key risk indicators and reporting metrics to support executive and Board-level oversight
Manage risk acceptance and exception processes ensuring proper escalation and governance approval
Lead and operate the Information Security Management System aligned with ISO/IEC 27001:2022
Maintain ISMS scope, risk methodology, control mapping, and Statement of Applicability
Coordinate internal reviews, external audits, certification activities, and corrective action tracking
Ensure ISMS is effectively embedded into operational processes and not limited to documentation compliance
Maintain a register of regulatory, legal, contractual, and standards-based security obligations
Translate compliance requirements into actionable control expectations and implementation guidance
Coordinate PCI DSS compliance activities including scope management, vendor oversight, and evidence readiness
Manage responses to regulatory audits, inspections, supervisory reviews, and compliance inquiries
Establish and maintain third-party security governance frameworks for vendors, cloud providers, and outsourced partners
Define security requirements for vendor contracts including audit rights, incident reporting, and data protection clauses
Oversee third-party security assessments and ensure remediation of identified risks and gaps
Coordinate with procurement, legal, and business units on third-party risk governance
Lead coordination of internal and external audits, regulatory assessments, and certification exercises
Maintain audit findings register and track remediation progress to closure
Validate adequacy and quality of remediation actions and supporting evidence from control owners
Escalate unresolved or overdue audit and compliance issues to governance forums
Lead enterprise-wide security awareness and culture programs across all employee levels
Design awareness initiatives for general staff, technical teams, privileged users, and senior management
Track participation, effectiveness, and behavioral improvement in security awareness programs
Promote strong security culture and policy adherence across the organization
Prepare executive-level reporting on cyber risk, compliance posture, audit status, third-party risk, and remediation progress
Support CISO reporting to Board committees, including ISC, BIRMC, and other governance forums

Requirements

~1 min read

Bachelor's degree in Information Security, Computer Science, Information Systems, Engineering, or related field
Postgraduate qualification is preferred
Professional certifications such as CISSP, CISM, CRISC, ISO 27001
Lead Implementer or Lead Auditor are preferred
PCI DSS-related or compliance-focused certifications are an advantage
15–20 years of experience in information security, IT risk, governance, compliance, audit, or enterprise risk roles
At least 8–10 years of experience in banking or highly regulated industries
Strong experience in cyber risk management, ISMS implementation, audit coordination, and security governance
Strong exposure to regulatory engagement, compliance frameworks, and third-party risk management
Strong ability to work with auditors, regulators, senior management, and technical teams
Strong governance mindset with structured thinking and attention to detail
Strong communication and report writing skills for executive and Board-level audiences
Strong stakeholder management and ability to influence without direct authority
High professional judgment, credibility, and integrity in decision-making