About Globals:
Globals has grown rapidly from a small home office into a globally recognised enterprise offering world-class solutions in Cybersecurity, Cyberwarfare, ERP Systems, AI, and Enterprise Application Development for industries including Defence, Education, Government, Financial Services and Transport. Globals has enabled its customers to be game-changers in their industries through its disruptive and innovative solutions.
Globals is certified as a "Great Place to Work" organisation for a work culture that helps team members manage work-life balance, gives them dedicated hours to upskill and reskill, and, most importantly, ensures that the projects they work on are always unique and challenge the status quo. This culture has made Globals one of the world's fastest-growing technology companies, as recognised and featured by The Economist.
Our technical stewardship and service-offering expertise have enabled clients ranging from individual entrepreneurs to Fortune Global 500 companies to explore new business opportunities, significantly reduce operational costs, and boost revenues. Today, Globals holds a strong position in the industry as a high-performing leader through technology innovation and domain expertise. Globals is a CMMI Level 5 certified company.
About the Role:
The Team Lead – Cybersecurity Compliance, GRC & VAPT Audit Management will serve as the primary owner of Globals' external-facing cybersecurity audit and compliance practice. This is a leadership role with dual accountability: managing and mentoring a VAPT-capable audit team, and owning the end-to-end delivery of Information Security audits, GRC engagements, and regulatory compliance assessments for clients spanning enterprise IT, BFSI, defence supply chain, and critical information infrastructure sectors.
The role requires deep fluency in Indian regulatory frameworks — including the IT Act 2000, CERT-In Directions, and NCIIPC guidelines — alongside hands-on proficiency in ISO/IEC 27001 audit execution. The ideal candidate is not expected to personally conduct VAPT assessments but must be capable of interpreting VAPT findings, translating them into boardroom-ready compliance reports, and directing the technical team's audit workflow with authority.
Responsibilities:
A. ISO 27001 Audit Leadership
- Plan, manage, and close end-to-end ISO/IEC 27001 external and internal audit engagements, covering scope definition, Statement of Applicability (SoA) review, control testing, evidence evaluation, and audit report preparation.
- Conduct gap assessments, risk treatment plan reviews, and readiness evaluations aligned to ISO/IEC 27001:2022 Annex A controls.
- Lead Stage 1 (Documentation Review) and Stage 2 (Implementation Audit) activities, coordinating with client stakeholders and certification bodies.
- Prepare and issue Non-Conformance Reports (NCRs), Observations, and Corrective Action Plans (CAPAs) with clear remediation guidance.
- Maintain audit programme documentation, including audit plans, checklists, working papers, and formal audit reports, to the standard expected by a certification body (CB).
B. GRC – Governance, Risk & Compliance Engagements
- Lead IT Security Posture Assessments (ISPA) and risk-based control evaluations for enterprise clients, producing structured GRC reports with risk registers and treatment roadmaps.
- Design and implement GRC control frameworks tailored to client operating environments, covering policy governance, asset management, access control, incident management, and vendor risk.
- Coordinate compliance gap analyses against multiple frameworks simultaneously (ISO 27001, SOC 2, GDPR, HIPAA, and sector-specific mandates) and produce consolidated compliance dashboards.
- Manage compliance automation tool workflows (Sprinto, Drata, Vanta, OneTrust, or equivalent) to track evidence collection, control status, and audit readiness.
C. CERT-In & Regulatory Reporting (India-Specific)
- Own the end-to-end CERT-In incident reporting process for clients covered by the CERT-In Directions of April 2022, including the mandatory 6-hour incident reporting window, the 180-day log retention requirement, and advisory on synchronising system clocks to the NIC or NPL NTP servers.
- Prepare and submit structured incident reports, vulnerability disclosures, and advisory responses to CERT-In on behalf of clients as their authorised representative.
- Advise operators of Critical Information Infrastructure (CII) on their obligations to NCIIPC, the nodal agency designated under Section 70A of the IT Act and the National Cyber Security Policy 2013, including sector-specific security guidelines for Power, Telecom, Finance, and Government.
- Conduct compliance readiness reviews against the IT Act 2000, the IT (Amendment) Act 2008, and associated Rules, including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
- Support Digital Personal Data Protection (DPDP) Act 2023 compliance advisory as it pertains to client data handling and security obligations.
- Liaise with regulatory bodies including CERT-In, NCIIPC and MeitY, and track RBI and SEBI cybersecurity circulars and advisories where applicable.
D. VAPT Team Management & Report Oversight
- Lead and manage a team of VAPT engineers and security analysts: assigning engagements, reviewing scope documents, and ensuring delivery quality and timeliness.
- Review and validate VAPT reports (Network PT, Web App PT, API Security Testing, Thick Client, Wireless, and Cloud Security Reviews) for technical accuracy, risk rating calibration (each CVSS vector consistent with the assigned score and severity band), and narrative clarity before client submission.
- Translate complex technical VAPT findings into executive-level security risk summaries suitable for client CISOs, Boards, and Audit Committees.
- Define and enforce engagement-specific Rules of Engagement (RoE), scoping documents, and test plans in coordination with the client and the technical team.
- Drive remediation verification cycles: scheduling re-testing after fixes and issuing closure certificates with updated report revisions.
- Maintain quality assurance over deliverables, ensuring alignment with OWASP, PTES, OSSTMM, and NIST SP 800-115 methodologies where applicable.
E. Client & Stakeholder Management
- Act as the primary client-facing point of contact for all cybersecurity audit and compliance engagements, managing expectations, presenting findings, and driving closure.
- Conduct executive debrief sessions, boardroom presentations, and risk workshops with client leadership including CISOs, CTOs, Compliance Officers, and Legal teams.
- Manage multi-client engagement calendars, coordinating internal VAPT team bandwidth with client timelines and regulatory deadlines.
- Build long-term client relationships, identifying opportunities to expand compliance and security advisory scope.
Required Skills & Experience:
Regulatory & Compliance Knowledge
- Thorough working knowledge of the Indian IT Act 2000 and IT (Amendment) Act 2008, including provisions on cybersecurity obligations, the SPDI Rules, and intermediary liability.
- Demonstrated experience preparing and submitting CERT-In incident reports under the CERT-In Directions 2022 (mandatory reporting timelines, the prescribed report format, and log retention obligations).
- Familiarity with NCIIPC's guidelines for Critical Information Infrastructure operators and sector-specific advisories from MeitY, RBI, and SEBI.
- Sound understanding of the DPDP Act 2023 implications for cybersecurity and data handling compliance.
ISO 27001 Audit Expertise
- Minimum 2 years of hands-on ISO/IEC 27001 audit experience, as a lead auditor, internal auditor, or consulting engagement lead.
- Ability to independently plan, execute, and close ISO 27001 audit cycles including evidence review, control testing, NCR issuance, and formal report writing.
- Working knowledge of the ISO/IEC 27001:2022 changes (new Annex A structure, Clause 6.3 planning of changes, etc.).
- ISO 27001 Lead Auditor certification (IRCA/PECB/BSI or equivalent) is mandatory.
GRC & Report Writing Skills
- Proven ability to produce high-quality, structured audit and compliance reports suitable for regulatory submission, Board review, and certification body assessment.
- Experience designing GRC frameworks, risk registers, control matrices, and compliance dashboards for enterprise clients.
- Proficiency with at least one compliance automation platform (Sprinto, Drata, Vanta, OneTrust, Cypago, CyberSierra, or equivalent).
VAPT Management Skills
- Ability to review, critique, and sign off on VAPT reports across domains, without necessarily conducting the assessments personally.
- Sufficient technical understanding of common vulnerability classes (OWASP Top 10, CVEs, CVSS scoring, network attack surfaces) to validate findings and challenge assumptions.
- Experience managing or coordinating a team of penetration testers or security analysts in a delivery context.
Preferred Qualification
- ISO/IEC 42001 (AI Management System) awareness or audit experience is a strong advantage, given Globals ITES's AI governance practice.
- Additional certifications valued: ISC2 CC, CISA, CISSP, CEH, CompTIA Security+, ISO 27701 Lead Auditor, or ISO 9001 Lead Auditor.
- Experience with other frameworks: SOC 2 Type II, HIPAA, GDPR, PCI DSS, or NIST CSF.
- Familiarity with OT/ICS security frameworks (IEC 62443, NERC CIP) is a plus, given Globals' defence and critical infrastructure client base.
- Prior exposure to government or defence sector compliance engagements in India (e.g. DRDO, DPSUs, PSUs) is advantageous.
- B.Tech / B.E. in Computer Science, Information Technology, or a related discipline. An MBA or post-graduate qualification in Information Security Management is a bonus.
What We Offer:
- Leadership role in a fast-growing cybersecurity practice with defence, national security, and enterprise clientele.
- Exposure to cutting-edge domains including AI-driven security, offensive and defensive cyber capabilities, and SOC operations.
- Opportunity to build and shape a compliance and audit practice from the ground up, with direct input on service line strategy.
- Meritocratic growth path into a CISO advisory or Practice Head role.
- International exposure through Globals' operations in the Middle East and Europe, including The Hague, Netherlands.
- Work in a Great Place to Work® certified organisation with a strong people-first culture.
- Competitive compensation commensurate with experience and certifications.