About
My shorthand: technology risk governance + assurance, built for regulated reality.
Positioning
Cybersecurity governance, audit, and risk leader with 25+ years in regulated financial services across banking, insurance, and asset management. I lead enterprise-scale assurance and remediation validation programs across cloud and infrastructure risk, identity and privileged access, third-party risk, and resilience — aligned to ISO 27001 and NIST CSF expectations.
Personal site. Views are my own.
At a glance
- Regulated delivery mindset: defensible evidence, repeatable testing, clear ownership.
- Leadership + hands-on: build teams, set operating cadence, and still get deep into controls and data.
- Focus areas: cloud/infrastructure, IAM & PAM, DevOps/change, third-party risk, resilience, AI governance.
Current lane
Principal Audit Manager (Technology Validations): run centralized remediation testing at scale, standardize validation protocols, and improve closure confidence. I care about one thing: controls that actually work — and evidence that proves it.
Signature capabilities
What I’m consistently pulled into when the stakes are high.
Audit leadership & remediation validation
Make closure decisions defensible: protocols, quality criteria, evidence expectations, and repeatable testing.
Cloud, infrastructure & identity risk
Risk-based oversight and assurance across Microsoft 365, cloud controls, IAM/PAM, and production platform resilience.
Third-party & vendor assurance
SOC reports, pen-test deep dives, obligation mapping, and remediation tracking that doesn’t collapse at audit time.
Security program delivery
DLP/endpoint protection rollouts, SOC service governance, vulnerability and perimeter security governance — built for real operating cadence.
Career snapshot
The roles that shaped my operating style.
Technology validations + infrastructure audit leadership; building cross-border teams and standardizing closure protocols.
Regional information security & technology risk across 11 APAC countries; DLP/endpoint rollout; cloud CRM security coordination.
Information systems audit leadership; audits, data migration reviews, and incident investigations.
Built and led India information risk practice; PCI-DSS and controls testing at scale.
Head of IS audit; security control frameworks and vendor governance for DR/BCP.
Certifications
CISSP • CISSP-ISSAP • CISA • CEH • ECSA • PCI-DSS ASV
Education
MBA (IIM Indore) • Chartered Accountant (ICAI) • B.Com (University of Mumbai)
What you’ll find on this site
Short notes on assurance, cyber risk governance, third-party risk, and AI controls.
- Control automation: A deeper dive on policy-as-code, evidence pipelines, and control execution patterns.
- Python Encounters: Small scripts and utilities with context and use-cases.
- Labs: Experiments and modules (Prompt Engineering OS and adjacent work).
Resume snapshot
A concise snapshot of my work across technology risk, assurance, and resilience—focused on scope, outcomes, and how I work.
- Technology risk & assurance leader across regulated financial services (global scope).
- Built and led cross‑border validation and remediation testing across cloud, IAM, infrastructure, DevOps and third‑party risk.
- Translate technical risk into board‑ready narratives aligned to NIST / ISO 27001 expectations, with evidence-first execution.
Experience highlights
- Tier‑1 Global Bank (UK/Singapore) — Technology audit & validations leadership (2018–present): global validation program, closure confidence, thematic risk insights, and senior stakeholder engagement.
- APAC Asset Manager — Information security & technology risk (2015–2017): DLP/endpoint controls, perimeter governance, cloud risk approvals and vendor assurance.
- Earlier roles (India/Singapore) — technology, security and risk leadership across enterprise environments (pre‑2015).
Credentials
CISSP • ISSAP • CISA (plus extensive NIST/ISO/FFIEC/MAS TRM/NYDFS exposure).
Selected writing + builds
Connect
Email is best: grcguy@rtapulse.com • LinkedIn
I don’t run a mailing list. No tracking. No cookies by default.