Manager -Cybersecurity GRC-Saudi National

Overview

The cybersecurity GRC manager helps run the governance, risk, and compliance program across AEW and AEW-served companies. The role is expected to drive policy lifecycle, assessments, audits, exceptions, third-party risk, and regulatory alignment. Role is expected to coordinate remediation with AEW Digital Services/IT and counterparts at serviced entities.

Key Responsibilities

Governance & Policy

• Maintain AEW’s cybersecurity policy/standard/procedure library; run annual review cycle; map to ECC-2:2024 and other applicable NCA controls (OTCC/CSCC/OSMACC) and relevant international baselines (e.g., ISO 27001).
• Publish and track mandatory control exceptions with end dates and risk acceptance.

Compliance & Assurance

• Plan and run internal assessments for AEW and serviced entities; prepare for external inspections; maintain evidence library.
• Use the NCA ECC-2 Assessment & Compliance Tool when applicable; produce gap analyses and remediation plans.

Risk Management

• Maintain the cyber risk register; facilitate business-owned risk decisions; integrate with enterprise risk.
• Run control design/effectiveness reviews ahead of audits.

Third-Party & Cloud

• Ensure enforcement of third party cybersecurity controls in line with ECC-2:2024 “third-party and cloud computing” domain.
• Coordinate with Procurement and Legal.

Awareness & Training

• Define compliance-focused awareness training plan and track completion.

Reporting & Governance

• Provide monthly KPI packs to the Head of Digital Services and Cybersecurity Steering Committee.

Qualifications & Skill Sets

• Bachelor’s degree. 3–7 years in cybersecurity GRC or audit.
• Proven work with NCA frameworks (ECC-2:2024; plus OTCC/CSCC/OSMACC as applicable to entity scope).
• Strong policy writing, audit, and risk facilitation skills; Arabic and English business proficiency.
• Preferred: ISO/IEC 27001 LA/LI, CISM, CRISC (or equivalent).

Travel

Regular travel within Saudi Arabia and other relevant countries as required by the business.