Cybersecurity Risk & Governance Expert

Role : Cybersecurity risk & governance expert

Location : Hyderabad

Our Team:

Our Governance, Risk & Compliance team, reporting directly to the CISO alongside the Security Architecture and Security Operations & SOC teams, plays a pivotal role in safeguarding the organization's assets and ensuring regulatory compliance. Under the leadership of the Governance, Risk & Compliance Lead, this team ensures our organization's technological infrastructure is secure, compliant, and resilient against evolving cyber threats.

Main responsibilities:

The Governance & Risk FTE, reporting to the GRC Lead, will play a pivotal role in ensuring robust risk management and governance within the Governance, Risk & Compliance team. This role focuses on orchestrating risk appetite decisions, conducting thorough risk assessments and penetration testing, managing third-party risks, supporting governance-driven activities, and overseeing data privacy initiatives. Key responsibilities include:

• Risk appetite & management
  • Orchestrate decisions on cyber risk appetite for the organisation in collaboration with the broader business
  • Define and deliver risk reporting plans and key indicators
  • Assess risk and govern the process of updating risk appetite at least every 12 months in coordination with other teams
  • Monitor compliance to cyber policies across the organisation (incl. policies & tech standards, DLP, IAM)
• Risk assessment & pen testing
  • Conduct risk assessments at least every 6 months across all environments
  • Conduct penetration testing at least every 3-6 months across most (>75%) on-premise and cloud environments
  • Prepare vulnerability disclosure reports on outward facing systems (in the future)
• Third party management support
  • Design, review and update supplier risk assessment frameworks (incl. criteria for tiering of vendors)
  • Communicate cyber policies to strategic vendors, assess their cybersecurity risk and compliance at least every 12 months and based on need, and drive remediation/mitigation of risks
  • Review the cybersecurity risk posed by the supply chain of all strategic vendors at least every 12 months
  • Monitor deployed 3rd party HW/SW for vulnerabilities and ensure compliance
• Support GRC-driven activities
  • Support the definition of cybersecurity-related enterprise standards, policies and controls
  • Support audits covering risk-centric assessments (incl. follow up findings with corrective measures), provide inputs to regulatory and compliance teams on cybersecurity risk; support the deployment of corporate compliance programs
• Data privacy
  • Define data privacy policies and standards and monitor compliance across the organisation from legal/regulatory perspective
  • Support of Global Data Privacy program (e.g., managing requests across regions, mapping of data and specific regulations, coordination with Global GBS)
  • Management of data process agreements (incl. review of contracts, annual assessment re-evaluation)

About you

• Experience:
  • 5-10 years of professional experience (equivalent combination of experience and education accepted)
  • Previous experience in implementing ISO27001 and NIS-2
  • Previous work in an international environment.
  • Demonstrated experience in working within cybersecurity teams, particularly in governance and risk.
  • Proven track record of contributing to the design and implementation of governance and risk solutions aligned with organizational goals and regulatory requirements.
  • Experience collaborating with Security Architect and Operations teams in a feedback loop.
  • Ability to develop and communicate policies based on feedback from the Security Architect team.
• Soft skills:
  • Broad experience in working in large digital teams, with an understanding of how digital and business processes are linked.
  • Stakeholder management and communication skills, especially when interacting with senior leadership.
  • Skilled problem solver and self-starter.
  • A hands-on pragmatic attitude to driving change.
  • Positive, "can-do" attitude.
• Technical skills:
  • Experience with AGILE or similar project management frameworks.
  • Working knowledge of common information security management frameworks (ISO/IEC 27001, ITIL, NIST, NISD, CISSP/CCSP, QxP, CIS20).
• Education:
  • Bachelor’s and master’s degree (preferred) in any of the following fields of study: Information Technology, Computer Science, Cybersecurity or Information Security
• Languages:
  • English

Pursue progress, discover extraordinary

Better is out there. Better medications, better outcomes, better science. But progress doesn’t happen without people – people from different backgrounds, in different locations, doing different roles, all united by one thing: a desire to make miracles happen. So, let’s be those people.

At Sanofi, we provide equal opportunities to all regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, or gender identity.

Watch our ALL IN video and check out our Diversity Equity and Inclusion actions at sanofi.com!

Better is out there. Better medications, better outcomes, better science. But progress doesn’t happen without people – people from different backgrounds, in different locations, doing different roles, all united by one thing: a desire to make miracles happen. So, let’s be those people.

At Sanofi, we provide equal opportunities to all regardless of race, colour, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, ability or gender identity.

Watch our ALL IN video and check out our Diversity Equity and Inclusion actions at sanofi.com!