Suraj Nair, Manager- Security & Privacy

Suraj Nair

Manager- Security & Privacy·Protiviti Middle East Firm

United Arab Emirates

Diploma, Business And Information Technologies

Work experience

Total years of experience: 18 years, 2 months

Manager- Security & Privacy

March 2024 - September 2024

Protiviti Middle East Firm

Dubai, United Arab Emirates

Administered cybersecurity and privacy governance initiatives for a major client across diverse sectors, including IT/ITES, Banking, Construction, and Automobile. This endeavor involved assisting the group company in establishing cybersecurity operating models and formulating policies, procedures, and frameworks. Completed a cybersecurity risk management framework for organizations and led the risk assessment activities. Supervised varied compliance assessments for organizations, ensuring alignment with regulatory standards such as GDPR, KSA PDPL, NDMO, ISO 27001:2013, NCA ECC, NCA CCC, CITC-CRF, and SAMA. Crafted a cybersecurity performance framework for organizations to systematically monitor and track cybersecurity status over time. Created transition strategy plans and implementation roadmaps aimed at attaining predetermined cybersecurity objectives to move from the current to the desired state. Delivered comprehensive training and awareness sessions on regulatory requirements including NCA, ISO, SAMA, and CITC-CRF for organizations. Collaborated with clients to identify risks related to cloud governance and recommended controls to mitigate these risks to an acceptable level. Executed numerous cloud security assessments in the region, gaining expertise in evaluating cloud security measures and managing governance within cloud environments. Additionally, contributed to projects involving the evaluation of cloud service providers and the review of contractual agreements, including analysis of SOC 2 reports. Evaluated and assessed Cloud Strategy and Framework, examining existing cloud security controls and elucidating the shared responsibility model between Cloud Service Provider (CSP) and the Enterprise. Proficient in developing policies and procedures tailored to the cloud environment, and in conducting risk assessments for various service models, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Supported a B2B bank in Bahrain to achieve compliance with the Personal Data Protection Law of Bahrain, including assessing PDPL applicability, identifying gaps, and creating a compliance plan.

Company industry:
Accounting
Job role:
Consulting

Assistant Manager

January 2020 - March 2024

Protiviti Middle East Firm

Dubai, United Arab Emirates

Data Security and Privacy Practice
Data Security Projects:
• Executed and led an ISMS/Cybersecurity Compliance Assessment Program for a leading client in the IT/ITES sector. The engagement involved creating policies and procedures, carrying out risk assessments, conducting application risk assessments, and data security reviews for multiple domains.
• Executed a project on application security for a global leader in product development. The program involved integrating information security requirements, specifically ISO, with existing technology and developed products such as end-user-facing applications and network and security devices. It also involved development of toolkits to help projects/departments within the company in preparing data inventories, performing data classification, identifying applicable security controls and ensuring compliance with the company’s data protection framework.
• Executed and led multiple ISMS framework development, implementation support and certification assistance engagements for global companies in the Banking, Financial and IT/ITES sectors.
• Development of implementation roadmap, internal audits and ISO 27001 certification assistance (Phase 1 & 2).
• Executed an Information Security Risk assessment and strategy planning for a national telecom development Entity provider in the Telecom Sector for Saudi Arabia. The engagement involved a risk-based assessment of their Information Security and Data protection practices against industry standards including ISO 27001:2013, CIS benchmarks and NIST 800-53r4, and developing a roadmap highlighting key security initiatives for the Organization. Also, implementation of the ISMS framework for all the metropolitan locations.
• Assisted the team in developing a cyber security framework based on CRF-CITC, SAMA and NCA’s ECC standards.
• Developed KPIs for ME-based clients on cyber security standards such as ECC and SAMA in order to measure cyber security resilience within the organization.
• Part of the Business Continuity Management team for leading French-based Banking and Financial Institutions. The scope included:
  • Perform the impact analysis and validate the scope and the participants of the ITDR exercise
  • Update management on preparation of the ITDR exercise
  • Coordinate with various BCM Regional Points of Contact to achieve BCP readiness
  • Test the effectiveness of the Business Continuity plans and Disaster Recovery plan
  • Consolidate and report to management on the overall summary of BCM activities for the global region.
• Conducted risk assessment of third-party service providers on the basis of material business information shared with the vendors as part of the agreement and implemented security controls as applicable to protect the CIA of the information from misuse/leakage.
Data Privacy Projects:
• Led a GDPR implementation project for a large construction company situated in Dubai. One of the key activities within the engagement involved supporting the IT senior management in conducting vendor/technology evaluations for key areas.
• Executed and led a PDPL Compliance Assessment Program for a leading bank in Bahrain. The engagement involved supporting the group company in conducting data flow mapping, developing Article 30 registers, carrying out data privacy risk assessments, conducting application risk assessments, and data security reviews for multiple domains including infrastructure security, network security, data protection, security monitoring etc.
• Currently executing a data privacy implementation program for a government organization based in Saudi Arabia, specializing in multiple sectors including property management, user risk profiling and credit score analysis.

Company industry:
Accounting
Job role:
Accounting and Auditing

Manager

December 2018 - December 2019

HCL Technologies

Greater Noida, India

Assessed risks throughout the design, testing/QA, and implementation stages of systems and upgrades by reviewing policies and procedures. Compiled audit scopes, reported findings, and presented recommendations to bolster cybersecurity measures. Implemented and managed an annual internal compliance assessment program for the DNB (Den Norske Bank) environment during its development phase. Conducted multiple internal assessments to ensure adherence to standards. Developed and implemented a Cybersecurity Strategy to align with organizational goals, enhancing governance and strategic alignment. Conducted risk evaluations for critical infrastructure services, providing bi-annual assessments to the Chief Risk Officer (CRO) for review and potential improvement discussions. Delivered L1 and L2 support for SOC programs, ensuring ongoing monitoring and swift resolution of security threats or vulnerabilities within client environments.

Company industry:
IT Services
Job role:
Management

Assistant Manager

August 2016 - September 2018

PwC Private Limited

New Delhi, India

Project Details-
1. Indo-Japanese Automobile

Company industry:
IT Services
Job role:
Management

Assistant Manager

August 2016 - September 2018

PricewaterhouseCoopers Private Limited

New Delhi, India

Developed strategies for organizations to meet cybersecurity requirements in line with applicable cybersecurity standards and regulations. Supervised regular reviews and updates of all ISMS documents in accordance with client requirements and ISO 27001:2013 standards, aligning with security directives from the clients' management. Created and administered security awareness training course materials via a Learning Management System (LMS) for end-users. Advocated and provided governance support to address findings from vulnerability assessments and application security evaluations. Coordinated and supervised Web Application Security Assessments (WASA) and Vulnerability Assessments (VA) at the project management level to ensure timely milestone achievement. Assisted in conducting a comprehensive review of the ISMS framework's effectiveness prior to ISO 27001 certification or external audits by certification agencies. Guided clients in responding to inquiries from certification agencies and advised on resolving outstanding issues before external surveillance audits. Identified and established metrics to assess information security effectiveness on a quarterly basis. Adjusted metrics for adoption as Key Performance Indicators (KPIs) as required.

Company industry:
Business Consultancy Services

IT Operations Team Lead

January 2016 - August 2016

Accenture Technologies

New Delhi, India

Performed the following activities within the organization for an oil refinery client (USA-based):
• Reviewing the security and physical controls for infrastructure readiness.
• Preparing report formats for the internal and external audit reports and reviews.
• Performing vulnerability management for the infrastructure.

Company industry:
IT Services

Technical Specialist

June 2006 - July 2016

HCL Technologies Uttar Pradesh

New Delhi, India

From June 2006 to March 2009
Worked in the Domestic & Global Security Operation Center as a Level 1 and Level 2 engineer, managing and monitoring customers' infrastructure.

From August 2011 to July 2014
Worked for the Singapore Exchange project as a GRC consultant, taking care of all cybersecurity-related activities such as:
• Governing the cybersecurity approval for the IT and technology projects, and change approvals
• Compliance assessment for applicable standards and regulations
• Conducting annual and ad hoc risk management activities for the business units.

From 2014 to 2016
Heading the migration and implementation activities of infrastructure assets based on the controls of ISO 27001 and client-agreed requirements.
• IT Policies Compliance review: Identified and evaluated risks during review and analysis of the System Development Life Cycle (SDLC), including design, testing/QA, and implementation of systems and upgrades. Prepared audit scopes, reported findings, and presented recommendations for improving data integrity and operations.
• Compliance Management: Internal audit for the build phase of the DNB environment to check whether the details and needs requested in the BOM are met. Identify IT-related risks throughout development phases. Areas include networks, operating systems, security, and disaster recovery.
• Risk Assessment: Also performing risk assessment for the assets of the infrastructure. Conducting bi-annual risk assessment of the infrastructure and sharing the same with the CRO (Chief Risk Officer) for discussion and improvement if required.
• Governance: Perform general controls oversight and review to verify compliance with professional standards. Assess patch management and vulnerability assessment. Preparing monthly and bi-annual reports for the same.
• Information System Audit: Assist in ISAE 3402 type 1 and type 2 audits conducted for the project. Ensure audit tasks are completed accurately and within established timeframes. Coordinated with various departments to create remediation plans for deficiencies found during audit. Liaise between in-house managers/IT department and external operational auditors.
• Information Security Management: Head the information security team, which was responsible for tracking down any security breach that occurs in the infrastructure, finding the RCA for the security breach, sharing the report with the client along with the controls implemented for the security breach, and participating in meetings around the security breach with the client for further implementation of controls if any are required.

Company industry:
IT Services
Job role:
Information Technology

Education

Royal Institute of Management, University of Norway, scoring distinction

January 2024

Diploma, Business And Information Technologies

India

courses: Checkpoint Certified Security Administrator R70 (156-215.70) in the year

M D University

January 2024

Bachelor's degree, Information Technology

India

GPA (percentage): 61%

St Martin’s Public School, Happy Senior School

January 2024

High school or equivalent, Science

India

GPA (percentage): 60%

Skills

GRC
Expert
Risk Management
Expert
Data Privacy
Expert
IT Audit
Expert
IT Governance
Expert
Cybersecurity Incident Management
Intermediate
GOVERNANCE
Expert
MANAGEMENT
Expert
INFRASTRUCTURE
Expert
PROJECT MANAGEMENT
Expert
CONSTRUCTION
Expert
KEY PERFORMANCE INDICATORS (KPIS)
Expert
RISK MANAGEMENT
Expert
RISK MANAGEMENT FRAMEWORK
Expert
SECURITY CONTROLS
Expert
SERVICE PROVIDER
Expert
Technology Consulting
Expert
Cybersecurity Governance
Expert
Information Security Management
Expert
Compliance Management
Expert
IT Audits (ISO, NCA and SAMA)
Expert
Cybersecurity Strategy
Intermediate

Languages

English

Expert

French

Expert

Hindi

Expert

Malayalam

Expert

Training and Certifications

Certifications
ITIL V3 Foundation
Feb 2009
CCNA
Nov 2010
CCSA (Checkpoint Certified System Administrator)
May 2011
ISO 27001:2013 Lead Auditor
Oct 2015
CISA
Sep 2021

Hobbies and interests

Billiards