Head of Information Security & Compliance

  • Colombo, Sri Lanka
  • Full-Time
  • On-Site

Job Description:
  • Develop, maintain, and continuously improve the Bank's information security governance framework
  • Define and manage the hierarchy of security policies, standards, procedures, baselines, and guidelines
  • Ensure governance documentation is aligned with regulatory, legal, business, and technology requirements
  • Manage policy approval, review cycles, exceptions, communication, and compliance tracking processes
  • Support CISO in preparing governance reports, dashboards, papers, and updates for committees and Board-level forums
  • Design and operate the enterprise cyber risk management framework aligned with overall risk management practices
  • Maintain the cyber risk register and ensure risks are tracked, treated, escalated, and reported appropriately
  • Assess information security risks across projects, digital initiatives, cloud adoption, outsourcing, and third-party engagements
  • Define key risk indicators and reporting metrics to support executive and Board-level oversight
  • Manage risk acceptance and exception processes ensuring proper escalation and governance approval
  • Lead and operate the Information Security Management System aligned with ISO/IEC 27001:2022
  • Maintain ISMS scope, risk methodology, control mapping, and Statement of Applicability
  • Coordinate internal reviews, external audits, certification activities, and corrective action tracking
  • Ensure ISMS is effectively embedded into operational processes and not limited to documentation compliance
  • Maintain a register of regulatory, legal, contractual, and standards-based security obligations
  • Translate compliance requirements into actionable control expectations and implementation guidance
  • Coordinate PCI DSS compliance activities including scope management, vendor oversight, and evidence readiness
  • Manage responses to regulatory audits, inspections, supervisory reviews, and compliance inquiries
  • Establish and maintain third-party security governance frameworks for vendors, cloud providers, and outsourced partners
  • Define security requirements for vendor contracts including audit rights, incident reporting, and data protection clauses
  • Oversee third-party security assessments and ensure remediation of identified risks and gaps
  • Coordinate with procurement, legal, and business units on third-party risk governance
  • Lead coordination of internal and external audits, regulatory assessments, and certification exercises
  • Maintain audit findings register and track remediation progress to closure
  • Validate adequacy and quality of remediation actions and supporting evidence from control owners
  • Escalate unresolved or overdue audit and compliance issues to governance forums
  • Lead enterprise-wide security awareness and culture programs across all employee levels
  • Design awareness initiatives for general staff, technical teams, privileged users, and senior management
  • Track participation, effectiveness, and behavioral improvement in security awareness programs
  • Promote strong security culture and policy adherence across the organization
  • Prepare executive-level reporting on cyber risk, compliance posture, audit status, third-party risk, and remediation progress
  • Support CISO reporting to Board committees, including ISC, BIRMC, and other governance forums

Requirements:

  • Bachelor's degree in Information Security, Computer Science, Information Systems, Engineering, or related field
  • Postgraduate qualification is preferred
  • Professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Implementer or Lead Auditor are preferred
  • PCI DSS-related or compliance-focused certifications are an advantage
  • 15–20 years of experience in information security, IT risk, governance, compliance, audit, or enterprise risk roles
  • At least 8–10 years of experience in banking or highly regulated industries
  • Strong experience in cyber risk management, ISMS implementation, audit coordination, and security governance
  • Strong exposure to regulatory engagement, compliance frameworks, and third-party risk management
  • Strong ability to work with auditors, regulators, senior management, and technical teams
  • Strong governance mindset with structured thinking and attention to detail
  • Strong communication and report writing skills for executive and Board-level audiences
  • Strong stakeholder management and ability to influence without direct authority
  • High professional judgment, credibility, and integrity in decision-making