Head of Information Security Governance - Perm
Atlantic Partners New York, NY
$161k-212k (estimate)
Full Time 7 Days Ago

Atlantic Partners is Hiring a Head of Information Security Governance - Perm Near New York, NY

Summary: Reporting directly to the Chief Information Security Officer, the Head of Security Governance, Risk, and Compliance (GRC) plays an instrumental role in guiding the company's GRC strategies and processes. As the primary GRC authority, this leader ensures the alignment of the company's risk management framework with its business objectives and regulatory requirements. A vital addition to the team, the Head of Security GRC significantly contributes to the company's overall strategy and goals by establishing robust compliance mechanisms and effective risk mitigation measures.
The successful candidate will possess a balanced combination of profound technical expertise and an established background in GRC. This role demands comprehensive and extensive knowledge, particularly in the areas of corporate governance, risk management, regulatory compliance, and the creation of enterprise-wide GRC policies. The Head of Security GRC should be equipped to identify and address potential vulnerabilities, while proactively enhancing the company's overall GRC posture.

Responsibilities
  • Strategy Development: Define, develop, and oversee the implementation of the GRC strategy aligned with the company's business goals and legal requirements.
  • Policy & Procedure Management: Develop, maintain, and oversee GRC policies and procedures to ensure they are in accordance with applicable laws, regulations, and industry standards, including but not limited to those governed by SEC, Client, OCC, NFA, FCA, MAS, and other global financial regulators.
  • Risk Management: Identify, assess, and monitor enterprise risks, including strategic, operational, financial, privacy, and cybersecurity risks. Implement risk mitigation strategies and mechanisms to address identified risks and potential non-compliance.
  • Data Privacy: Ensure compliance with global data privacy and protection regulations, including GDPR in Europe and CCPA in California, through the creation and maintenance of robust data handling and privacy policies.
  • Regulatory Compliance: Maintain a current understanding of relevant laws and regulations to ensure the organization achieves and sustains compliance. Proactively monitor and respond to regulatory changes and updates.
  • Client Engagement: Primary point of contact responding to Client Due Diligence and RFPs.
  • GRC Reporting: Create comprehensive GRC reports for the executive leadership and board of directors that provide clear insights into the company's risk profile, compliance status, and governance effectiveness.
  • Training & Awareness: Oversee the creation and implementation of a GRC awareness and training program to ensure that employees are aware of the role they play in maintaining good governance and compliance.
  • Third-party Management: Manage and monitor the GRC aspects of third-party relationships to ensure that vendors and partners are adhering to the company's GRC policies and relevant regulations.
  • Audit Management: Coordinate with internal and external auditors to facilitate audits, with the goal of assuring compliance and addressing potential issues proactively.
  • Incident Response: Develop and implement an incident response plan to handle GRC-related incidents effectively, including data breaches or non-compliance events. Coordinate annual incident response table-top exercises.
  • Continuous Improvement: Regularly review and refine the company's GRC practices, leveraging technology and industry best practices to drive efficiency and effectiveness.
Qualifications
  • Bachelor of Science degree in Information Security or related field, or equivalent years of experience
  • CISSP, CISA, Security+, CED, CIH or related certification in security operations and engineering
  • Ten or more years of experience in Information Security, working with GRC tools and methodology
  • In-depth Knowledge of Relevant Laws and Regulations: This includes an understanding of data protection laws such as GDPR and CCPA, as well as other regulatory frameworks relevant to the specific industry and location of the business.
  • Risk Management Skills: Ability to identify, analyze, and effectively mitigate or manage enterprise risks. Familiarity with risk management frameworks and methodologies is essential.
  • Strategic Thinking and Leadership: Strong ability to lead and manage the GRC function, develop and execute strategic plans, and guide the organization towards its GRC objectives.
  • Communication and Presentation Skills: Excellent written and verbal communication skills, with the ability to present complex GRC issues and strategies clearly to various stakeholders, including the executive team and board of directors.
  • Analytical Skills: Strong ability to analyze complex data, interpret compliance requirements, and develop effective solutions.
  • Project Management Skills: Proficiency in planning, executing, and monitoring multiple projects simultaneously to ensure they are completed on time and within budget.
  • Negotiation and Influencing Skills: Ability to negotiate with, influence, and secure buy-in from various stakeholders, both internal and external, to achieve GRC objectives.
  • IT Proficiency: Familiarity with the use of GRC technology solutions, as well as a broad understanding of information security principles and best practices.
  • Continuous Learning: A commitment to keeping up to date with the latest developments in the GRC field, including evolving laws and regulations, emerging risks, and best practices in GRC management.

Job Summary

JOB TYPE: Full Time
SALARY: $161k-212k (estimate)
POST DATE: 05/07/2024
EXPIRATION DATE: 05/20/2024
WEBSITE: atlanticpartnerscorp.com
HEADQUARTERS: HIGHLAND BEACH, FL
SIZE: 25 - 50
FOUNDED: 2002
CEO: MONROE GANG
REVENUE: <$5M
INDUSTRY: Business Services
