Information Security Director – Governance – Risk – And Compliance

Company: First American
Location: Orange, CA, USA
Salary: $166,800 – $222,300
Type: Full-Time
Degrees: Bachelor’s
Experience Level: Senior, Expert or higher

Requirements

  • BA/BS degree in Computer Information Systems, Computer Science or equivalent experience is required.
  • 10+ years of experience in information security, with 5+ years in a leadership role within GRC.
  • Strong knowledge of information security and risk management frameworks (e.g., NIST, ISO, COBIT, CIS).
  • Proven track record of establishing and managing issue lifecycle management.
  • Demonstrated experience building and operating RCSA programs and control testing frameworks.
  • Experience managing the policy lifecycle and coordinating enterprise-wide policy governance.
  • Proven success in managing audit and regulatory interactions.

Responsibilities

  • Lead the strategic direction and execution of the enterprise-wide Information Security Governance, Risk, and Compliance (GRC) program.
  • Lead enterprise-wide information security risk assessments, including risk identification, evaluation, and prioritization, to support informed decision-making and resource allocation.
  • Collaborate with business units and technology teams to assess the impact and likelihood of cybersecurity threats, integrating findings into broader risk management and mitigation strategy.
  • Manage the full issue lifecycle, including issue identification, root cause analysis, remediation planning, tracking, validation, and closure, ensuring timely and effective resolution of risk and compliance gaps.
  • Provide subject matter expertise and guidance for Information Security policies and standards.
  • Drive policy governance, including the creation, review, approval, and maintenance of security policies, standards, and procedures to ensure alignment with business objectives and regulatory expectations.
  • Develop, implement, and mature a robust Risk and Control Self-Assessment (RCSA) program to identify, assess, and mitigate cybersecurity risks across business units.
  • Oversee security assurance activities, including control design evaluations, walkthroughs, and control effectiveness testing aligned with regulatory and framework requirements (e.g., NIST CSF, ISO 27001, SOX, SOC2, FFIEC CAT).
  • Direct the testing of security controls, including coordination with internal audit, external assessors, and business stakeholders.
  • Advise management on the design and implementation of control activities that reduce risk, add value, and mature the control environment.
  • Provide leadership and subject matter expertise during regulatory examinations, internal audits, and third-party assessments.
  • Collaborate with business and IT stakeholders to integrate GRC practices into key business and technology initiatives.
  • Leverage GRC tools (e.g., Archer, ServiceNow GRC, LogicGate) to automate risk management workflows and enhance reporting capabilities.
  • Support KPIs/KRIs that facilitate risk prioritization and articulation for enterprise and senior leadership reporting.
  • Develop and present executive-level reporting and dashboards to senior leadership and board committees on risk posture, control effectiveness, and compliance status.
  • Stay current on emerging threats, industry trends, and regulatory changes to proactively adjust GRC strategies.
  • Provide excellent customer service in support of program activities.
  • Manages technical professionals (typically skilled exempt level employees) who have responsibility for operations and project outcomes. Provides direct and indirect supervision of teams.
  • Sets priorities on daily operations, provides input to, and administers cost center spending, participates in long-range departmental planning, recommends control methodologies and frameworks.
  • Sets objectives and priorities and ensures the effective allocation and use of department resources.
  • Develops long-range plan for the department and is a key participant in strategic planning for the Information Security function. Translates strategic goals and priorities into technical strategies and objectives for his/her department.
  • Introduces best practices and ensures the timeliness, quality, and consistency of his/her department’s delivery of products and services.
  • Writes and conducts performance reviews, provides ongoing performance feedback. Establishes salary budget and approves salary increases. Makes hiring decisions.
  • Frequently interfaces with executives inside and outside the company to make operational and project-related decisions, to resolve critical issues, to gather industry and competitive information and to foster a productive professional network.
  • Required to perform duties outside of normal work hours based on business needs.

Preferred Qualifications

  • Training courses, seminars, certifications, or other security related education experience preferred.
  • Certifications such as CISM, CRISC, CISSP, or CGEIT preferred.
  • Familiarity with GRC platforms and data analytics tools for risk management.