

Seminole Hard Rock Support Services
Davie, FL | Full Time
$131k-162k (estimate)
5 Months Ago


Seminole Hard Rock Support Services is Hiring a DIRECTOR - GOVERNANCE, RISK, AND COMPLIANCE Near Davie, FL

Overview

The Director, Governance, Risk & Compliance is responsible for the strategy, leadership, governance and innovation of technical security risk management and compliance initiatives across the organization globally. This person will develop proactive and forward-thinking security risk management initiatives that help the organization identify, evaluate, and appropriately mitigate and manage the organization's risk.

This position requires staying current with emerging technologies while managing cross-team dynamics. Attributes we look for in candidates include excellent technical and analytical skills, communication and flexibility, innovative thinking, and problem solving.

Responsibilities

  • Ensures appropriate treatment of security risk and assurance from internal and external perspectives.
  • Recognize threats and vulnerabilities; develop and execute risk management processes, including steps and methods for assessing risk in systems and analyzing cyber threats; conduct trend analysis and oversee the implementation of preventative measures.
  • Leverage technical risk management processes to identify and report impact of residual risk on the organizational mission and provides recommendations to organizational leadership.
  • Recommend security system controls and risk countermeasures to mitigate/correct security deficiencies.
  • Recalculating priority for risks that decrease due to exploitability limitations and threats.
  • Understand asset values to the organization (e.g., revenue generating, supporting critical business functions).
  • Understand assets' criminal value and criminally attractive properties (e.g., data or a process that has value to an attacker).
  • Understand the liabilities and lateral exposure of a potentially breached asset with an arbitrary vulnerability.
  • Trigger remediation plan and interim mitigation/detection process (e.g., set urgency, alert security operations centers, notify operations teams for priority resolution, provide executive awareness and external status reporting).
  • Calculate inherent and residual risk from quantitative data (i.e., asset value, expert input on certainty of loss and loss probability ranges over a period of time, Monte Carlo simulations, risk tolerance, loss exceedance curves, cost to mitigate, transference to insurance).
  • Liaise with management to understand, prioritize, and coordinate risk mitigation activities.
  • Document and/or enhance policies, standards, procedures, processes, work instructions and any other documentation required as part of the security program.
  • Identify regulatory, legislative, and industry specific compliance requirements and define the required controls that effectively meet the requirements.
  • Develop the organization's compliance strategy.
  • Reviews and performs assessments to ensure that security risk and compliance issues are appropriately mitigated, remediated, and resolved.
  • Leads internal and external audits and assessments. Discusses findings with stakeholders and assists in the development of appropriate plans of action and remediation milestones.
  • Promotes organizational understanding of all security and compliance risk management strategies and approaches.
  • Develop security posture management and report to executive leadership.
  • Develop, maintain, and enhance the security program frameworks, policies, standards, processes, procedures, and response plans.
  • Evaluate the GRC practices of third-party partners and vendors.

Qualifications

  • Quantitative risk assessment experience
  • Factor Analysis of Information Risk (FAIR) experience
  • CRISC, Open FAIR
  • Running Monte Carlo simulations, defining risk tolerance, and building loss exceedance curves
  • Experience with enterprise integrated risk management (IRM) tools (e.g., Archer, LogicGate, OneTrust, RegScale, Resolver, ServiceNow GRC, etc.)

Education and Experience Requirements:

  • Master’s degree in Information Systems Security, Assurance, or related field required.
  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC), or relevant security certification(s)
  • 8 years of experience in a similar role with a proven record of successful development and management of security risk management.
  • Prior leadership experience is required.
  • Deep understanding of security control frameworks and standards (e.g., PCI, ISO 2700x, NIST 800-53, CIS, SCF, etc.)
  • Experience with security risk assessments across cloud environments (e.g., Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP))
  • Strong project management skills with inherent ability to drive multiple programs, stakeholders, and teams towards organizational goals.
  • GRC and VRM experience preferred.
  • Experience developing frameworks and processes to drive a risk-based approach to incorporating standard frameworks such as FAIR, ISO, and NIST into an enterprise risk management process.
  • Experience with security policy, standards, processes, and control development.
  • Capable of establishing and maintaining an effective program structure that emphasizes the coordination of resources across projects, managing deliverables between projects, and the overall costs and risks of the compliance programs.
  • Experience with the development of formal written reports to communicate security assessment results and recommendations to management and business stakeholders.
  • Excellent verbal and written communication.
  • Ability to facilitate productive meetings and work successfully in a team-oriented environment.


Job Summary

JOB TYPE: Full Time

SALARY: $131k-162k (estimate)

POST DATE: 11/18/2023

EXPIRATION DATE: 04/03/2024

WEBSITE: shrss.com

HEADQUARTERS: Fort Lauderdale, FL

SIZE: <25
