Chief Information Security Officer
Carnelian Asset Management and Advisors Pvt Ltd
2 - 5 years
Mumbai
Posted: 12/02/2026
Job Description
Are you ready to grow and be part of a dynamic asset management company, joining its Compliance team as Chief Information Security Officer?
About Carnelian:
We are a fast-growing Asset Management firm headquartered in Mumbai with multiple offices in the country, managing over USD 1.7 bn in assets across several PMS & AIFs, with a presence in over 10 cities, and in the process of seeking a Mutual Fund presence too. Our head office is at Lower Parel, Mumbai. We are urgently looking for a self-driven & ambitious person to take care of the compliance function of the proposed mutual fund being set up at Mumbai.
Key Responsibilities
Cybersecurity Strategy & Governance
- Define and own the enterprise-wide Information Security & Cyber Resilience Strategy for the AMC.
- Establish security governance, risk appetite, and control frameworks aligned with SEBI, ISO 27001, and NIST.
- Act as the primary security advisor to the Board Technology Committee and senior leadership.
Regulatory Compliance & Risk Management
- Ensure full compliance with SEBI Master Circulars, CSCRF, DPDP Act, and applicable IT regulations.
- Lead enterprise and application-level risk assessments, threat modelling, and control effectiveness reviews.
- Manage regulatory audits, supervisory reviews, and cybersecurity inspections.
Security Operations & Incident Management
- Oversee SOC operations, real-time monitoring, SIEM, threat intelligence, and incident response.
- Lead cyber incident management, root cause analysis, regulatory reporting, and remediation.
- Own the Cyber Incident Response Plan and lead response during security incidents and data breaches.
- Conduct and govern VAPT, red teaming, and security testing for all internet-facing platforms.
Application, Cloud & Data Security
- Ensure secure-by-design practices across SDLC, cloud platforms, APIs, mobile apps, and investor portals.
- Enforce strong data protection controls including encryption, masking, key management, and DLP.
- Safeguard investor, personal, and sensitive data across its lifecycle.
Access Control & Identity Security
- Govern Identity and Access Management, privileged access management, authentication, and cryptographic controls.
- Ensure secure onboarding/offboarding and third-party access management.
Third-Party & Vendor Security
- Define and enforce security requirements for vendors, fintech partners, RTAs, and service providers.
- Conduct vendor risk assessments and ongoing monitoring.
Cyber Awareness & Culture
- Build a strong security-first culture through awareness programs, simulations, and role-based training.
- Educate employees, contractors, and partners on cyber hygiene and regulatory obligations.
Business Continuity & Cyber Resilience
- Support and validate BCP/DR and cyber resilience testing in line with SEBI expectations.
- Ensure preparedness against cyber disruptions and operational risk.