Job Description: Chief Information Security Officer (CISO)
Location: Mumbai/Bengaluru
Reporting to: Chief Risk Officer (CRO)
Experience Required: 15+ years in Information Security (Financial Services preferred)
1. Role Purpose
The CISO will be the principal architect of the NBFC's security posture as it prepares for an Initial Public Offering (IPO). Reporting to the CRO, you will be responsible for ensuring that our security framework is not only technically impenetrable but also strictly compliant with RBI Master Directions on IT Governance and Cyber Security. You will bridge the gap between technical defense and enterprise risk management, ensuring that "security" is a business enabler, not a bottleneck.
2. Key Responsibilities
Strategic Leadership & IPO Readiness
● Strategy & Roadmap: Define and execute a 3-year information security roadmap with a "futuristic vision" to support the IPO transition.
● Board & Regulator Liaison: Act as the primary interface with the RBI, CERT-In, and other regulatory bodies.
● Governance: Lead the Information Security Committee (ISC) and provide quarterly updates to the Board on the cyber risk posture.
Technical Security & Operations
● Security Architecture: Design and oversee a secure technology landscape, including cloud security (AWS), lending platforms including web & mobile, and API integrations.
● Policies & SOPs: Establish and maintain information security policies, standards and SOPs.
● DevSecOps Operation: Drive secure-by-design and DevSecOps practices.
● CSOC & SIEM: Lead the Cyber Security Operations Center (CSOC) to ensure 24/7 monitoring, threat hunting, and automated incident response.
● Technical Testing: Oversee rigorous VAPT (Vulnerability Assessment and Penetration Testing) and Red Teaming exercises for all critical systems.
● Infrastructure Hardening: Ensure technical controls, including hardware, network, and software security standards, are implemented to prevent data loss or fraud.
Risk & Compliance Management
● RBI Compliance: Ensure 100% adherence to RBI's "Master Direction on Information Technology Governance, Risk, Control and Assurance."
● Third-Party Risk: Manage technical due diligence and security audits for all IT vendors as per RBI outsourcing guidelines.
● Data Privacy: Implement data protection strategies in line with the DPDP Act and international standards like ISO 27001.
● Risk Management: Identify, assess and mitigate cyber, technology and data risks.
3. Behavioral Aspects & Leadership Skills
● Strategic Influence: Ability to translate complex technical vulnerabilities into business risk language for the Board and C-suite.
● Composure Under Pressure: Ability to lead teams calmly during critical security incidents or high-stakes regulatory audits.
● Demonstrated ability to work within global matrix structures and implement standardized security protocols across diverse business units.
● Integrity & Accountability: Unwavering professional ethics, acting as the "conscience of the organization" regarding data security.
Evaluation Criteria:
IPO & Regulatory "Execution Excellence"
As an NBFC moving toward IPO with an AA- rating, InCred requires a "best amongst peers" risk performance.
● RBI/SEBI Mastery: Proven track record of navigating RBI Master Directions and SEBI CSCRF compliance to ensure no hurdles during the IPO filing process.
● Audit Readiness: Ability to maintain a digital audit trail (Hindsighting) that showcases appropriate controls to regulators without slowing down the business.
● Third-Party Risk (Partnerships): Experience securing a "Partnerships" business where InCred acts as the balance sheet for other FinTechs via deep API integrations.
Leadership & Culture Fit (The "Likeability" Test)
In line with InCred's interview philosophy, we are looking for a leader we would "be OK working for".
● Bias for Action: Does the candidate have the "grit and resilience" to fix root causes of problems rather than just managing symptoms?
● Hire and Develop the Best: A track record of mentoring high-performance teams and coaching them to "raise the bar" on product/security discipline.
● Intellectual Agility: Comfort with the ambiguity of a fast-paced environment and the curiosity to stay ahead of emerging cyber threats.
Category: Evaluation Criteria
● Technical Depth: Proven hands-on experience in Security Architecture, Cloud Security, and Application Security (DevSecOps).
● Regulatory Mastery: Comprehensive understanding of RBI Cyber Security Framework, Master Directions, SEBI and incident reporting norms.
● Preferred Certifications: CISSP or CISM. CISA, CCISO, or ISO 27001 Lead Auditor.
● Incident Response: Track record of managing significant cyber incidents, including discovery-to-remediation within RBI's -6 hour reporting window.
● Project Leadership: Experience leading large-scale security transformations in a fast-paced BFSI or MNC environment.
The InCred DNA: Who You Are
● Risk-First Approach: In lending, risk is paramount. You prioritize sustainable, calculated growth over reckless expansion.
● Ownership Mentality: You act on behalf of the entire company. You never say "that's not my job."
● Bias for Action: You believe speed matters. You encourage your team to run towards challenges and make reversible decisions quickly.
● Customer Obsessed: You build a culture that values user research. You ensure your team understands the role our product plays in users' financial lives.