Assistant Director of GRC

The University of Texas at Arlington Portal
Arlington, TX
Onsite

About The Position

The Assistant Director, Governance, Risk & Compliance (GRC) provides operational leadership for the organization’s information security program, encompassing governance, risk management, assurance, compliance, and security awareness. This role reports to the CISO and is responsible for developing, implementing, and continuously improving policies, standards, risk processes, and compliance activities. These activities must align with regulatory requirements, industry frameworks, and the organization's risk appetite. The Assistant Director serves as a key advisor to executive leadership, business partners, and technology teams, translating security and regulatory requirements into practical, scalable, and measurable programs designed to protect the organization while supporting business objectives.

Requirements

  • Bachelor’s degree or relevant experience.
  • Seven (7) years of progressive experience in information security, GRC, audit, risk, or compliance roles.
  • Two (2) years of management or people leadership experience.
  • CISSP or CISM required.
  • Extensive knowledge of and experience in information security and risk management.

Nice To Haves

  • Master’s degree in a related field.
  • Additional certifications such as CRISC, CISA, or ISO 27001 Lead Implementer/Auditor.
  • Experience supporting executive leadership or Board‑level risk reporting.
  • Experience in higher education.
  • Experience in Texas State government.

Responsibilities

  • Lead the day-to-day functions of the Information Security department under the leadership of the CISO.
  • Lead and support managers and individual contributors under their purview.
  • Lead, mentor, and develop GRC team members and managers, fostering a high-performing and collaborative culture.
  • Represent the Information Security Office in cross-functional initiatives and enterprise programs.
  • Act as delegated authority for the CISO as appropriate.
  • Assist the CISO in departmental office functions, i.e., budget and approvals, as needed.
  • Lead the development, maintenance, and lifecycle management of enterprise information security policies, standards, procedures, and supporting documentation.
  • Ensure alignment with recognized security frameworks.
  • Establish governance processes to ensure consistent policy adoption and exception management across the organization.
  • Direct the information security risk management program, including risk identification, assessment, treatment, and monitoring.
  • Oversee third-party/vendor security risk assessments and third-party continuous monitoring.
  • Develop risk dashboards and executive-level reporting for the CISO, executive leadership, and governance committees.
  • Evaluate and improve control design, implementation, and effectiveness across the security program.
  • Be accountable for the enterprise cybersecurity awareness and training program.
  • Define annual and role‑based training requirements.
  • Establish training metrics, reporting, and performance standards.
  • Ensure audit‑ready maintenance of training records and evidence.
  • Establish and monitor GRC program KPIs and KRIs to measure effectiveness, maturity, and risk posture.
  • Drive continuous improvement through maturity assessments and benchmarking.
  • Ensure accurate and timely reporting to the CISO and senior leadership.
  • Oversee projects and initiatives for the Information Security Office.
  • Develop and maintain the Information Security Office’s business processes.
  • Lead compliance efforts related to applicable laws, regulations, and contractual obligations.
  • Coordinate and manage independent security-related audits and assessments for compliance.
  • Provide oversight of core cybersecurity programs including, but not limited to, vulnerability management, incident response and threat management for effectiveness and compliance.
  • Perform risk-based, limited control validation to independently confirm that key cybersecurity controls operate as described.