Cyber Security Specialist

Sterling Global Call Center Inc.

4.1-11.5K SAR [monthly]
Hybrid - Pasig | 5-10 years of experience | Bachelor's degree | Contract

Job Description

Role Summary

The Security Governance Lead designs, implements, and oversees the organization’s security governance framework—ensuring policies, standards, and controls are effective, measurable, and continuously improved. This role drives compliance with frameworks like ISO/IEC 27001:2022, SOC 2, PCI DSS, NIST CSF/800-53, and local privacy laws (e.g., PH Data Privacy Act). Working closely with IT, Legal, HR, and Business Units, the Security Governance Lead fosters risk-based decision-making, audit readiness, and consistent control adoption across the enterprise.

Key Responsibilities


1. Governance Framework & Strategy

  • Define and maintain the Information Security Governance model, charters, and decision rights.
  • Translate regulatory and business needs into security policies, standards, and baselines.
  • Establish OKRs/KPIs and continuous-improvement roadmaps aligned to risk appetite.


2. Policy, Standards & Awareness

  • Manage the full lifecycle of policies and standards—drafting, approval, communication, and retirement.
  • Ensure acknowledgment, awareness, and compliance through training and campaigns.
  • Maintain secure configuration baselines across systems, networks, and cloud environments.


3. Risk Management & Control Assurance

  • Operate the enterprise security risk process: identify, assess, and track risks and exceptions.
  • Conduct control testing and self-assessments for design and operating effectiveness.
  • Oversee risk acceptance and compensating control procedures.


4. Compliance & Audit Readiness

  • Ensure readiness for ISO 27001, SOC 2, PCI DSS, and client/regulatory audits.
  • Manage evidence collection, corrective actions, and the Statement of Applicability (SoA).
  • Coordinate external surveillance and recertification audits.


5. Third-Party & Supply Chain Governance

  • Lead Third-Party Risk Management (TPRM): due diligence, assessments, and contract compliance.
  • Maintain supply chain risk registers, vendor access governance, and compliance checks (SSO/MFA, ZTNA, PAM).


6. Metrics, Reporting & Stakeholder Engagement

  • Produce dashboards on risks, control health, and audit status.
  • Present reports to leadership; facilitate decisions and remediation tracking.
  • Maintain documentation integrity and traceability across governance elements.


7. Incident, Change & Continuity Governance

  • Integrate governance with Incident Response, BCP/DR, and Change Management.
  • Review root cause analyses (RCA) and drive systemic improvements.


8. People Leadership & Operating Model

  • Lead a small team or governance champions network; provide coaching and quality reviews.
  • Foster a service-oriented culture with clear SLAs and efficient intake processes.


Qualifications

  • 6–10+ years in information security, risk, audit, or GRC; 3+ years in governance leadership.
  • Deep understanding of ISO 27001, SOC 2, PCI DSS, NIST CSF/800-53, and privacy regulations.
  • Proven experience in policy frameworks, risk registers, and control assurance.
  • Strong communication, stakeholder management, and documentation skills.


Preferred

  • Certifications: ISO 27001 LI/LA, CISA, CISM, CRISC, CISSP, PCIP/ISA, ITIL.
  • Experience in BPO, fintech, or regulated industries.
  • Familiarity with cloud governance (AWS/Azure/GCP) and SaaS environments.


Tools & Technologies

  • GRC/IRM: ServiceNow GRC, Archer, OneTrust, Drata, Tugboat.
  • Collaboration: SharePoint, Confluence, Jira, ServiceNow.
  • Security Ops Interface: SIEM tools.

James Villajuan

Recruiter, Sterling Global Call Center Inc.

Replied once today

Work Location

15, Raffles Corporate Center. Raffles Corporate Center Building, F. Ortigas Jr. Rd, Ortigas Center, Pasig, Metro Manila, Philippines

Posted on 31 October 2025
