I. Job Summary
The Manager of Governance, Risk and Compliance (GRC) is a leadership role, responsible for leading and overseeing the Security organization's GRC program. As a highly visible leader within the Security team, this role is responsible for overseeing the compliance activities, risk management practices and vendor security management needed to ensure that trust and confidence align with the organization's goals and consumer promises. This role will play an important part in helping set the technical direction for security, managing multiple complex technical projects, and partnering with other groups within the organization to deliver services that align with our security roadmaps, as well as being responsible for managing and mentoring a small team of analysts.
II. Essential Job Functions | Accountabilities, Actions and Expected Measurable Results
Governance, Risk and Compliance:
- Develop and maintain a robust GRC framework that aligns with industry standards (e.g. NIST Cybersecurity Framework and PCI-DSS) and regulatory requirements (SOX).
- Identify, assess, and mitigate security risks across the organization, ensuring alignment with business objectives and regulatory requirements.
- Ensure compliance with relevant laws, regulations, and industry standards related to information security, data protection, and privacy.
- Develop and maintain policies, procedures, and guidelines for security governance, ensuring that they are aligned with organizational goals and objectives.
- Participate in incident response efforts, providing guidance on containment, eradication, recovery, and post-incident activities.
Third Party Security Management:
- Oversee third-party and vendor risk as an integral part of the organization's risk management strategy.
- Serve as the primary liaison with audit parties, ensuring successful audit outcomes.
- Facilitate business responses to external parties through third-party security assessments.
- Ensure third-party compliance with organizational data security requirements.
Team Leadership:
- Build a cohesive team with developed technical skills and abilities to support future information security needs.
- Foster a culture of collaboration and continuous improvement within the team.
- Stay current with industry initiatives, participate in leadership discussions, and provide strategic direction.
Collaboration and Communication:
- Collaborate with business stakeholders, technical teams, legal, audit, and other departments to integrate security considerations into business decisions and operations.
- Develop metrics to measure GRC program effectiveness and report regularly to senior leadership.
- Communicate security risks and recommendations to senior management and stakeholders.
- Develop and deliver training programs to educate employees and contingent workers on security practices, policies, and procedures.
III. Minimum Qualifications and Job Requirements | All must be met to be considered.
Education: Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent experience. Master's degree, CRISC, CGRC, CISA, or CISSP preferred.
Experience:
- Minimum of 7 years of experience in security, with a minimum of 3 years focus on governance, risk management and compliance.
- Experience with direct management of people and team leadership.
- Proven track record of developing and implementing effective GRC programs.
- Strong knowledge of industry standards (e.g., NIST Cybersecurity Framework, ISO 27001) and regulatory requirements (e.g., SOX, PCI-DSS, GDPR/CCPA).
- Excellent communication, collaboration, and project management skills.
- Ability to analyze complex security risks and develop mitigation strategies.
- Experience with audit and compliance reporting, including the development of audit plans and reports.
Specific Knowledge, Skills and Abilities:
Leadership: Strong leadership experience and an ability to lead a team from a foundation of transparency and trust.
GRC: Experience with GRC practices and tooling, and with cloud computing and SaaS GRC, including:
- Continuous automated control analysis and reporting
- Cloud security configuration validation
- Resiliency and data protection
Risk Management: Operational risk analysis of technical security risks.
Regulatory Knowledge: Strong understanding of data protection, data governance and privacy regulations.
Adaptability: Ability to adapt to changing business and work environments, manage multiple priorities, and work independently in a fast-paced environment.
Soft skills: Excellent leadership, decision-making, communication, interpersonal, organizational, time management, teamwork, and independence skills.
Additional requirements: Occasional travel and on-call availability.
What We Do
Dotdash Meredith is America’s largest digital and print publisher. Our 40+ iconic and fast-growing brands harness the best intent-driven content, the fastest sites, and the fewest ads to help nearly 200 million people every month, including 95 percent of US women, make decisions, take action, and find inspiration. Dotdash Meredith brands include PEOPLE, Better Homes & Gardens, Verywell, FOOD & WINE, The Spruce, Allrecipes, Byrdie, REAL SIMPLE, Investopedia, Southern Living and more.
Why Work With Us
Dotdash Meredith has a people-first mentality - our audience, our employees, our teams. We take our role of providing the best content across the best brands very seriously and we are always looking to make sure that our teams have the space to be creative, innovate and try out new things.
Dotdash Meredith Offices
Hybrid Workspace
Employees engage in a combination of remote and on-site work.