Senior IT Security Risk & GRC Specialist


Central Retail



Job Description

Overview


The Senior IT Security Risk & GRC Specialist will strengthen the organization's governance, risk, and compliance (GRC) capabilities as part of the Central CISO Office — a centralized function responsible for enterprise-wide cybersecurity, data protection, and technology risk governance. This role translates security frameworks into practical controls and ensures risk management is effectively embedded across business operations, digital platforms, and emerging technologies.

The role works closely with IT, Security Engineering, Data, and Business teams to align security requirements, regulatory expectations, and business objectives — including governance of AI and third-party risk as emerging areas of focus.


Scope of Work

Security Risk & Compliance:


  • Conduct information security risk assessments across systems, applications, and infrastructure.
  • Evaluate and enhance security controls aligned with standards such as ISO 27001, NIST, and PCI-DSS.
  • Identify control gaps, monitor remediation, and ensure risk is reduced to acceptable levels.


GRC Framework & Control Management:


  • Design, implement, and maintain GRC frameworks, policies, and procedures.
  • Monitor control effectiveness and compliance through metrics, dashboards, and reporting.
  • Support implementation and usage of GRC tools and platforms.


Third-Party & Vendor Risk:


  • Assess security risks of vendors, partners, and external service providers.
  • Ensure third-party compliance with internal security and data protection standards.
  • Collaborate with procurement and business teams on vendor onboarding and evaluation.


AI Security & Emerging Technology Risk:


  • Support governance and risk assessment for AI systems and data-driven technologies.
  • Identify risks related to data usage, model behavior, and system exposure.
  • Work with data and engineering teams to ensure secure and responsible AI adoption.


Incident, Audit & Continuous Improvement:


  • Support internal and external security audits and compliance reviews.
  • Analyze incidents, vulnerabilities, and control gaps to improve security posture.
  • Provide remediation recommendations and track progress.


Stakeholder Engagement:


  • Work cross-functionally with IT, Security, Data, and Business Units.
  • Communicate risks and recommendations clearly to both technical and non-technical stakeholders.
  • Provide practical security advisory aligned with business needs.


Qualifications


  • Bachelor's degree in Computer Science, Information Security, IT, or related field.
  • Minimum 5 years of experience in IT Security, Risk Management, or GRC.
  • Strong understanding of information security principles and risk management practices.
  • Hands-on experience with security frameworks such as ISO 27001, NIST, or PCI-DSS.
  • Experience in risk assessment, control evaluation, and compliance monitoring.
  • Exposure to third-party/vendor risk management.
  • Strong analytical, problem-solving, and communication skills.


Preferred Qualifications


  • Experience with GRC tools and platforms (e.g., ServiceNow GRC, Archer, OneTrust).
  • Certifications such as CISSP, CISM, CISA, or ISO 27001 Lead Auditor.
  • Exposure to AI security, cloud security, or data security domains.
  • Experience working in large enterprises or regulated environments.


Why Join Us?


At Central CISO Office, you will be at the center of enterprise-wide cybersecurity — protecting one of Thailand's most complex retail and digital ecosystems. You'll operate from a state-of-the-art CSOC with 24/7 capabilities, work alongside senior security practitioners, and gain direct exposure to cutting-edge risk domains including AI governance and third-party risk. This is a high-visibility role with real cross-functional influence — backed by the resources and scale of Central Group. If you are driven by impact, governance excellence, and want your work to matter at scale — we want you on this team.

