This position focuses on the role of Information Security Governance, Risk and Compliance (GRC). This position is responsible for leading the coordination of security compliance efforts that are required for security access, audit response, policy and security exception oversight, security awareness and training, risk management and the development and implementation of information security policies, procedures, guidelines and standards.
- Internal (to IT): GITRS: Regional / Value Chain (VC) Security Directors, Security SSC teams (GRC, PMO, Architecture, Operations, CTDO) and Security services
- IT: Infrastructure, Applications Development, IT Governance, IT Shared Services
- External (to IT): Internal Controllers, Audit, cyber insurance, any external regulators and 3rd party vendors.
- Manages the establishment and implementation of IT Security policies, procedures and standards.
- Manages and implements security awareness and training efforts and educates employees and business partners on security policies, practices and standards.
- Conducts IT systems security assessments and reviews for compliance with established security standards, policies, procedures and guidelines. Oversees the facilitation of information security risk assessment methodologies and manages information security risk assessments and mitigation practices.
- Responsible for communicating various security related topics to leadership.
- Accountable for the response, follow-through and monitoring of any information security responses to audits. Collaborates with corporate compliance regarding regulatory changes to compliance standards as they relate to company data assets or other business regulations related to Information Security. Performs self-assessments as required by regulatory and industry compliance initiatives, as well as internal best-practice needs.
- Develop the strategy and program for Risk Governance and Compliance within the Global Risk and Security program.
- Manage and lead staff: mentoring, recruiting, retaining and planning.
- Implement management reporting and metrics for security compliance, e.g., Key Risk Indicators. This includes metrics development and reporting of security incidents and security awareness training. Implement processes and tracking to monitor compliance with policies and standards. Work with subject matter experts to ensure policies and standards are comprehensive, current and appropriate to meet regulatory and security requirements.
- Working with corporate, create a communications plan and process for communicating on a regular and emergency basis, e.g., announcing a phishing campaign against the company, informing the audience of the threat and who will handle it.
- Additional projects/responsibilities as business demands.
- Bachelor’s degree in Computer science or related field. Master’s degree or higher is desired.
- Certification in one of the following: CRISC (preferred), CISSP, CISA, and/or CISM
- 8+ years IT Risk Management and security experience
- 5+ years in IT leadership positions of expanding responsibility
- Strong competency in IT Risk Management
- Must have the proven ability to lead the development, planning, coordination and monitoring of information security risk management-related processes, technology and operations, and be a key part of the team’s leadership for operational aspects of information security. Must be able to communicate effectively regarding security, privacy, risk and compliance to senior business leaders and fellow team members.
- Strong verbal and written communication skills; ability to communicate effectively
- Good analytical, decision-making, problem solving and organizational skills and ability to work with minimal supervision.
- Ability to prioritize and manage a variety of tasks simultaneously.
- Knowledge of regulatory standards such as COSO, SOX, and ISO 27001.
- Must have a broad knowledge of information security and technology trends.
- Experience with policy and standards development, implementation and compliance.
- High level of integrity and ethics in dealing with confidential information.
- Experience with implementing a training and awareness program.
- Excellent analytical, organizational, verbal and written communication skills.
- Comprehensive knowledge of and experience leading complex enterprise wide IT risk management programs.
- Vision and capabilities to define a cyber risk strategy and implementation plans across a complex enterprise, taking into consideration business, financial and technical objectives.
- Strong program management skills. Ability to manage complex transformation plans across internal and external teams, delivering expected results, while leading the identification and mitigation of business and technical risks.
- Organizational change management skills. Ability to lead through influence.
- Strong leadership and team-building experience and skills to maintain a well-operating organization, including attracting, retaining and mentoring staff.
- Ability to communicate with senior business leaders and Board members, summarizing complex technical information and speaking about business risks, implications and financials at their level.