Digital Transformation Team
Associate Lead - Security Compliance Officer
Sri Lanka - Colombo Office
Job Summary
Join our team as a Senior Security Risk and Compliance Officer. This role involves conducting in-depth security research, guiding secure development, and promoting security best practices. You will be the organization's trusted subject matter expert in security risk and compliance.
Our global security professionals support WSO2 customers (both internal and external) and partners in over 90 countries. We provide cybersecurity guidance, act as trusted advisors to our engineers and developers, and establish industry-leading strategies for secure open source software development. The Security Risk and Compliance Information Team drives cybersecurity, data protection, governance, and risk and compliance across all company regions. This position is for an accomplished security professional with proven industry experience.
Responsibilities and Duties
Risk and Compliance
- Support the implementation, maintenance, and continuous improvement of the Information Security Management System (ISMS).
- Coordinate and support external audits, certifications, and customer security assessments. This includes coordinating audits end to end by managing communications with auditors and internal teams, scheduling and attending audit meetings, and serving as the primary point of contact.
- Intake audit evidence requests, assign and track tasks in GitHub, provide references to prior-year evidence, manage centralized evidence repositories, and monitor progress through reporting and escalation.
- Track audit findings, non-conformities, and corrective action plans (CAPs) to closure by communicating auditor feedback and participating in clarification and status calls.
- Maintain compliance documentation including policies, procedures, risk assessments, and control evidence.
- Collaborate with IT, Engineering, Legal, and Business teams to ensure controls are correctly designed and implemented. Perform control effectiveness reviews and gap assessments.
- Support risk assessments, vendor security reviews, and data protection initiatives.
- Assist with security awareness and compliance training for internal stakeholders.
- Identify trends and changes in cybersecurity for compliance, legal, regulatory, and operational activities. Determine applicable risks and collaboratively implement effective mitigation strategies across the organization.
- Assist the Data Protection Officer (DPO) by continuously monitoring data security, aligning policies with data protection requirements and fulfilling data requests from customers and regulators.
- Collaborate with security teams, product teams, customers, regulators, and senior leadership on incident management. You will be a key player in our efforts to detect, protect, and defend.
- Build strategy to verify that the mandated security and compliance checks, controls, procedures, and best practice guidelines are effectively executed and validated for completeness/accuracy.
- Collect, validate, and maintain evidence artifacts (policies, audit reports, control descriptions) to support RFIs, RFPs, and customer due-diligence questionnaires.
- Work closely with Sales, Legal, Product, Engineering, and IT teams to clarify technical and compliance-related queries.
Technical
- Research vulnerabilities, threats, and technologies to assess their impact on WSO2 cloud platforms, products, and services. Develop and execute a risk mitigation strategy that builds and maintains customer confidence.
- Evaluate and implement cloud security features (Azure, AWS, GCP) within WSO2 environments. Provide subject matter expertise on design and architecture to achieve strategic cybersecurity and compliance advantages for our customers.
- Explore new security technologies and determine integration strategy into WSO2 processes. Participate in code and design reviews of products/solutions developed by other teams.
- Automate security and compliance processes for efficiency, consistency, more effective compliance results, and reporting.
- Review security testing/scanning reports, customer/prospect inquiries, and legal regulatory standards/requirements and provide guidance and direction.
- Proactively identify, communicate, and mitigate issues and risks to protect deadlines and deliverables.
Teamwork and Leadership
- Provide support and governance to help teams manage security incidents. Engage as an active member of the investigation, lead leadership communications, and provide strategic support.
- Effectively break down complex tasks, delegate responsibilities, and ensure successful delivery through collaborative follow-up and coordination. This role requires strong project management skills, technical acumen, and leadership to manage expectations and ensure on-budget, on-schedule execution.
- Maintain effective professional relationships with extended teams (Product Engineering, Pre-sales, Marketing, Sales, Legal, and Infrastructure) on security initiatives. Coordinate unplanned group efforts, manage conflicts professionally, and drive resolutions.
- Ability to give timely and helpful (positive as well as negative) feedback to interns, peers, and seniors (e.g., 360 feedback). Provide leadership in terms of educating and providing guidance in areas of expertise.
- Ability to provide technical leadership, mentoring, direction, and feedback to junior members across the organization. Drive team and/or individual motivation and performance.
Skills and Qualifications
- BSc/MSc in Computer Science, Engineering, Security, Information Systems, or equivalent.
- 6+ years hands-on experience in IT auditing, cybersecurity, datacenter, security operations, risk and compliance frameworks/methodology, and IT frameworks (e.g., SDLC, ITIL, and COBIT).
- 5+ years of project management experience, demonstrated by successfully driving projects to completion, measuring results, and leading cross-functional teams.
- Certifications in one or more of the following: CISA, CISSP, OSCP, and OSWE. Cloud certifications (Azure, AWS, and GCP) are also highly valued.
- Experience implementing and operating regulatory/industry standard certifications for data privacy, security, and compliance is required (GDPR, HIPAA, SOC 2 Type 2, ISO, PCI, DORA, CRA, etc.).
- Demonstrated ability to develop a global strategy into an action plan/roadmap that is deployed across the organization. Perform complex reviews, interpreting the results and understanding cost impacts.
- Self-motivated with the ability to work with little supervision. Have a strong analytical focus, solid judgment under pressure, and business decision-making skills.
- Detail-oriented, organized, and comfortable with multi-tasking in a fast-paced, highly dynamic environment. Ability to prioritize project work based on resources, capabilities, time, and team focus.
- Excellent communication and interpersonal skills. Ability to negotiate with customers, peers, and partners to achieve a win-win solution.
In Addition to a Competitive Compensation Package, WSO2 Offers:
- A work culture and environment where we value both hard work AND flexibility.
- A flexible vacation/leave plan that fits your needs.
- Health, dental, and life insurance for you and your family.
Diversity Drives Innovation
We’ve built our business on a commitment to diversity and inclusion. We believe it’s important to foster an environment that values and respects each individual’s strengths, perspectives, and ideas. Doing so not only drives innovation; it also ensures that we can create superior experiences for our customers, partners and employees worldwide. We value the diversity of our team regardless of race, ethnicity, religion, gender, age, national origin, disability, sexual orientation, or veteran or marital status, and we do not tolerate any form of discrimination.