Position Overview
We are seeking an experienced Security GRC (Governance, Risk & Compliance) Lead to own and drive our Risk Management Program. This role will be responsible for defining, implementing, and maturing enterprise-wide information security risk management practices, aligning them with business strategy, regulatory requirements, and industry frameworks.
Key Responsibilities
Risk Management Leadership
- Lead the design, implementation, and continuous improvement of the Information Security Risk Management framework.
- Conduct regular risk assessments, control evaluations, and threat modeling across systems, vendors, and business processes.
- Maintain and continuously enhance the Risk Register, ensuring timely reporting and mitigation tracking.
- Partner with business and technical stakeholders to drive risk treatment plans and ensure accountability for risk reduction.
Governance & Frameworks
- Develop, refine, and maintain security policies, standards, and procedures aligned with frameworks such as ISO 27001, NIST CSF, SOC 2, and CIS Controls.
- Facilitate risk governance committees and ensure effective communication of risk posture to senior management and the Board.
- Support strategic initiatives related to compliance, audit readiness, and third-party risk management.
Metrics & Reporting
- Define and deliver Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to measure the maturity and effectiveness of security controls.
- Prepare and present risk reports, dashboards, and heatmaps to executive leadership and audit committees.
Collaboration & Influence
- Partner with business stakeholders to ensure alignment with regulatory requirements (e.g., GDPR, HIPAA, SOX, PCI-DSS).
- Serve as a trusted advisor to technology and business teams, helping them make risk-informed decisions.
- Champion a risk-aware culture through education, communication, and continuous engagement.
Qualifications
Required:
- Bachelor’s degree in Information Security, Computer Science, Risk Management, or a related field.
- 7+ years of experience in Information Security, GRC, or Risk Management, with at least 3 years in a lead or senior role.
- Strong understanding of information security principles, risk assessment methodologies, and governance frameworks (ISO 27001, NIST, COSO, etc.).
- Experience with risk management tools (e.g., Archer, ServiceNow GRC, OneTrust, or similar).
- Exceptional communication skills, with the ability to translate complex risk topics into actionable insights for executives and business partners.
Preferred:
- Professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Implementer, or CGEIT.
- Experience in cloud risk management (AWS, Azure, GCP).
- Background in regulatory compliance and third-party risk.