Assistant Director of GRC

Job Summary

The Assistant Director, Governance, Risk & Compliance ( GRC ) provides operational leadership for the organization’s information security program – including governance, risk management, assurance, compliance, and security awareness. Reporting to the CISO , this role is responsible for developing, implementing, and continually improving policies, standards, risk processes, and compliance activities that align with regulatory requirements, industry frameworks, and organizational risk appetite.

This role serves as a key advisor to executive leadership, business partners, and technology teams, translating regulatory and security requirements into practical, scalable, and measurable programs that protect the organization while enabling business objectives.

Minimum Qualifications

• Bachelor’s degree or relevant experience.
• Seven (7) years of progressive experience in information security, GRC , audit, risk, or compliance roles.
• Two (2) years of management or people leadership experience.
• CISSP or CISM required.
• Extensive knowledge of and experience in information security and risk management.
  
  

Preferred Qualifications

• Master’s degree in a related field.
• Additional certifications such as CRISC , CISA , or ISO 27001 Lead Implementer/Auditor.
• Experience supporting executive leadership or Board‑level risk reporting.
• Experience in higher education. Experience in Texas State government.
  
  

Essential Duties And Responsibilities

• Leadership & Collaboration -
• Lead the day-to-day functions of the Information Security department under the leadership of the CISO .
• Leads and supports managers and individual contributors under their purview.
• Lead, mentor, and develop GRC team members and managers, fostering a high-performing and collaborative culture. Represent the Information Security Office in cross-functional initiatives and enterprise programs.
• Acts as delegated authority for the CISO as appropriate.
• Assists CISO in departmental office functions, i.e. budget and approvals as needed.
• Governance & Policy Management-
• Lead the development, maintenance, and lifecycle management of enterprise information security policies, standards, procedures, and supporting documentation.
• Ensure alignment with recognized security frameworks.
• Establish governance processes to ensure consistent policy adoption and exception management across the organization.
• Enterprise Security Risk Management -
• Direct the information security risk management program, including risk identification, assessment, treatment, and monitoring.
• Oversee third-party/vendor security risk assessments and third-party continuous monitoring.
• Develop risk dashboards and executive-level reporting for the CISO , executive leadership, and governance committees.
• Evaluate and improve control design, implementation, and effectiveness across the security program.
• Security Awareness & Training -
• Accountable for the enterprise cybersecurity awareness and training program.
• Define annual and role‑based training requirements.
• Establish training metrics, reporting, and performance standards.
• Ensure audit‑ready maintenance of training records and evidence.
• Program Management, Projects & Metrics -
• Establish and monitor GRC program KPIs and KRIs to measure effectiveness, maturity, and risk posture.
• Drive continuous improvement through maturity assessments and benchmarking.
• Ensure accurate and timely reporting to the CISO and senior leadership.
• Oversee projects and initiatives for the Information Security Office.
• Develop and maintain Information Security Office’s business processes.
• Compliance & Cyber Security Oversight -
• Lead compliance efforts related to applicable laws, regulations, and contractual obligations.
• Coordinate and manage independent security-related audits and assessments for compliance.
• Provide oversight of core cybersecurity programs including, but not limited to, vulnerability management, incident response and threat management for effectiveness and compliance.
• Perform risk-based, limited control validation to independently confirm that key cybersecurity controls operate as described.