Manager- IT Infrastructure
Date: May 7, 2025
Location: Gurugram, IN
Company: Varun Beverages Ltd
About Us
Varun Beverages Limited (VBL) is part of the RJ Corp group, a diversified business conglomerate with interests in beverages, quick-service restaurants, ice-creams, and healthcare. VBL is one of the largest franchisees of PepsiCo in the world (outside the USA), with over three decades of association with PepsiCo. VBL is a key player in the Indian beverage industry, with a presence in 27 states and 7 union territories. Our overseas operations span the Indian subcontinent (Nepal and Sri Lanka) and Africa.
Purpose of the Job
The Information Security Manager will play a pivotal role in defining, implementing, and managing the information security strategy for RJ Corp. This individual will lead a dedicated team and collaborate with cross-functional stakeholders to ensure the confidentiality, integrity, and availability of our information assets. The Information Security Manager will be instrumental in establishing and maintaining a robust security posture that aligns with industry standards, regulatory requirements, and the unique needs of our organization.
Details of the Job
Key Accountabilities
1. **Strategic Information Security Planning:**
- *Develop and Implement Comprehensive Strategy:* Create a detailed information security strategy that aligns with organizational goals, considering emerging threats and technologies.
- *Risk Assessment and Mitigation:* Conduct regular risk assessments, collaborating with executive leadership to define risk tolerance levels and implement effective risk mitigation strategies.
- *Roadmap Development:* Establish and maintain a roadmap for continuous improvement, outlining key initiatives, milestones, and resource requirements.
2. **Policy and Compliance Management:**
- *Policy Development and Enforcement:* Develop, maintain, and enforce information security policies, standards, and procedures in alignment with industry best practices and compliance requirements.
- *Regulatory Compliance:* Ensure compliance with relevant regulations, standards (e.g., ISO 27001), and contractual obligations, regularly updating policies to reflect changes in the regulatory landscape.
- *Internal Audits:* Conduct periodic internal audits to assess adherence to security policies, providing actionable recommendations for improvement.
3. **Security Awareness and Training:**
- *Program Design and Implementation:* Develop and implement a comprehensive security awareness program, incorporating a variety of training methods to educate employees on security best practices.
- *Training Sessions:* Conduct regular training sessions to enhance the organization's overall security awareness, covering topics such as phishing awareness, data protection, and incident reporting.
- *Program Evaluation:* Regularly assess the effectiveness of awareness programs, adjusting strategies based on feedback and evolving threat landscapes.
4. **Incident Response and Management:**
- *Incident Response Plan:* Develop, maintain, and regularly test an incident response plan, ensuring the organization is well-prepared to respond to security incidents.
- *Leadership in Incident Response:* Lead incident response efforts, coordinating with internal teams and external experts when necessary, with a focus on minimizing impact and learning from each incident.
- *Post-Incident Reviews:* Conduct thorough post-incident reviews to identify root causes, vulnerabilities, and areas for improvement, facilitating continuous enhancement of incident response capabilities.
Key Accountabilities (Contd)
5. **Security Architecture and Engineering:**
- *Integration with System Architecture:* Collaborate with the IT team to integrate security into the overall system architecture and software development life cycle.
- *Technology Recommendations:* Evaluate and recommend security technologies and solutions that align with organizational goals, enhancing the overall security posture.
- *Control Implementation:* Oversee the design and implementation of security controls for networks, systems, and applications, ensuring they are effective and aligned with best practices.
6. **Vendor and Third-Party Risk Management:**
- *Risk Assessment:* Assess the security posture of vendors and third-party partners, ensuring they meet information security standards.
- *Contractual Security Requirements:* Collaborate with procurement and legal teams to include comprehensive security requirements in vendor contracts.
- *Risk Management Program:* Establish and maintain a robust vendor risk management program, regularly reviewing and updating assessments as necessary.
7. **Security Incident Reporting and Communication:**
- *Incident Reporting Structure:* Develop and maintain a robust reporting structure for security incidents, providing clear and concise communication to executive leadership and relevant stakeholders.
- *Effective Communication:* Communicate security risks, incidents, and mitigation strategies effectively to both technical and non-technical audiences, fostering transparency and understanding.
- *Periodic Reporting:* Prepare and present periodic reports on the state of information security to senior management, highlighting key metrics, incidents, and trends.
8. **Security Metrics and Key Performance Indicators (KPIs):**
- *Metric Definition:* Define and track security metrics and key performance indicators (KPIs) that measure the effectiveness of security controls and initiatives.
- *Performance Reporting:* Regularly report on security performance to leadership, presenting meaningful insights into the organization's security posture.
- *Continuous Improvement:* Use metrics and KPIs to identify areas for improvement and success, driving continuous enhancement of the information security program.
Education & Experience
Qualification:
- Bachelor's or Master's degree in Information Security, Computer Science, or a related field
Experience:
- 14 years of progressive experience in information security management
- Strong understanding of cybersecurity principles, risk management, and compliance
- Industry-recognized certifications such as CISSP, CISM, or CISA are highly desirable
Competencies
Skills Required
- In-depth understanding of security frameworks (e.g., NIST, ISO 27001, CIS Controls, ISO 27000) and regulatory compliance requirements (e.g., DPDP, GDPR, HIPAA, PCI-DSS) to design, implement, and monitor robust security programs.
- Expertise in managing security incidents, from identification to recovery, including conducting post-incident analysis, root cause analysis, and digital forensics.
- Ability to conduct risk assessments and threat modeling, identifying potential vulnerabilities and their impact on business operations. Proficiency in risk management frameworks.
- Deep understanding of IAM principles, including user authentication, authorization, privilege management, and Single Sign-On (SSO) technologies. Experience with tools such as Okta, Azure AD, and Active Directory.
- Strong grasp of network security design principles, including secure network topology, firewalls, intrusion detection/prevention systems (IDS/IPS), VPNs, and network segmentation. Experience with tools such as Palo Alto and Fortinet.
- Expertise in securing cloud environments (e.g., AWS, Azure, GCP), including understanding of shared responsibility models, cloud access security brokers (CASBs), and cloud-native security services.
- Proficiency in conducting vulnerability assessments, penetration testing, and security audits using tools such as Metasploit, Nessus, and Burp Suite. Ability to manage patch management and vulnerability remediation processes.
- Extensive experience with SIEM platforms (e.g., Splunk, ArcSight, QRadar) for log collection, real-time monitoring, alerting, and incident detection. Ability to analyze and respond to security events proactively.