
Chalhoub Group
Director of Information Security - GRC
- Permanent
- Dubai, United Arab Emirates
- Experience 10 - 15 yrs
Job expiry date: 02/05/2026
Job overview
Date posted
18/03/2026
Location
Dubai, United Arab Emirates
Salary
AED 50,000 - 60,000 per month
Job description
The Director of Information Security - GRC (Governance, Risk & Compliance) is a senior leadership role responsible for governing and institutionalizing cybersecurity risk, regulatory compliance, and control frameworks across global operations within a luxury retail environment. The role leads the design, implementation, and continuous enhancement of enterprise-wide GRC programs to enable risk-informed decision-making, regulatory confidence, and security accountability across all business units. It involves defining and executing the Information Security GRC strategy aligned with corporate risk management, technology transformation, and global expansion, including operating model design, team structure, and KPIs. The position develops and maintains Group-wide security policies, standards, and procedures aligned with ISO 27001, NIST CSF, COBIT, and integrates governance with HR, Legal, and IT service management.

It owns the Information Security Risk Management Framework (ISRMF), covering identification, assessment, prioritization, treatment, and monitoring of risks, leveraging risk quantification models such as FAIR and GRC platforms. The role ensures compliance with global and regional regulations including UAE PDPL, KSA PDPL, EU GDPR, PCI-DSS, ISO 27001/22301, and leads internal and external audits, ISO certification efforts, regulatory inspections, and audit evidence management.

It oversees Third-Party Cybersecurity Risk Management (TPCRM), including due diligence, onboarding controls, contract clauses, and reassessments, working with Procurement and Legal. Additionally, it manages GRC technology and automation, integrating GRC systems with ITSM, Risk Registers, and Incident Management platforms, while driving workflow automation, dashboards, and metrics.
The role also leads cybersecurity awareness programs including simulated phishing and executive training, partnering with Legal, Internal Audit, Data Privacy, Procurement, HR, Retail Operations, and Technology to embed policies and ensure adherence to global and regional standards.
Required skills
Key responsibilities
- Design and execute the Information Security GRC strategy aligned with corporate risk management, technology transformation, and global expansion, including defining operating model, team structure, and KPIs
- Develop, maintain, and enforce Group-wide security policies, standards, and procedures aligned with ISO 27001, NIST CSF, COBIT, and integrate governance across HR, Legal, and IT service management
- Own and manage the Information Security Risk Management Framework (ISRMF) including risk identification, assessment, prioritization, treatment, monitoring, and implementation of FAIR-based risk quantification models and GRC platforms
- Ensure regulatory compliance with UAE PDPL, KSA PDPL, EU GDPR, PCI-DSS, ISO 27001/22301 and lead internal and external audits, ISO certification efforts, regulatory inspections, and audit evidence repository management
- Lead Third-Party Cybersecurity Risk Management (TPCRM) including onboarding requirements, due diligence controls, contract clauses, and periodic reassessments in collaboration with Procurement and Legal
- Manage GRC technology platforms and integrate with ITSM, Risk Registers, and Incident Management platforms while enhancing dashboards, metrics, and workflow automation
- Drive cybersecurity awareness and compliance training programs including campaigns, simulated phishing, and executive education tailored across departments and regions
Experience & skills
- Obtain a Bachelor’s or Master’s degree in Cybersecurity, Information Assurance, Law, Risk Management, or a related field, ensuring a strong academic foundation in governance, compliance, risk frameworks, and regulatory environments that directly support enterprise-wide Information Security GRC functions within complex global organizations.
- Hold and maintain industry-recognized certifications such as CISM, CRISC, CGEIT, CISSP, ISO 27001 Lead Auditor, ITIL or equivalent, demonstrating validated expertise in information security management, risk governance, enterprise IT governance, audit practices, and service management frameworks aligned with global best practices.
- Demonstrate 12+ years of progressive professional experience in cybersecurity, information security, or technology risk management, including 5+ years in a senior GRC leadership role where responsibilities included enterprise-scale governance, regulatory compliance, and risk oversight across multiple business units or geographies.
- Possess deep expertise in implementing and managing Information Security Risk Management Frameworks (ISRMF), including hands-on experience with risk identification, assessment, prioritization, treatment, monitoring, and reporting using structured methodologies and quantitative models such as FAIR within GRC platforms.
- Exhibit comprehensive knowledge of international and regional regulatory frameworks and standards including UAE PDPL, KSA PDPL, EU GDPR, PCI-DSS, ISO 27001, and ISO 22301, with the ability to interpret, operationalize, and ensure ongoing compliance across cross-border environments and multi-jurisdictional operations.
- Demonstrate proven experience leading internal and external audits, including ISO certification processes, regulatory inspections, and customer security assessments, while managing audit evidence repositories, coordinating with Internal Audit and Legal teams, and ensuring timely remediation of findings and recommendations.
- Show strong capability in managing Third-Party Cybersecurity Risk Management (TPCRM) programs, including defining due diligence processes, onboarding controls, contractual security clauses, and continuous reassessment of vendor risk in collaboration with Procurement and Legal throughout the partner lifecycle.
- Demonstrate experience integrating and managing GRC technology ecosystems, including GRC platforms, ITSM systems, Risk Registers, and Incident Management platforms, with a focus on automation, dashboard reporting, workflow optimization, and scalable governance processes that support enterprise risk visibility and decision-making.