Cybersecurity GRC Manager, FCH - IT - SECURITY

About The Position

Requirements

• A minimum of six year experience in a related field.
• A Bachelors degree is required.
• In-depth knowledge of cybersecurity frameworks including but not limited to NIST CF, HITRUST CSF, ISO 27001.
• Experience in managing or leading security organizations responsible for GRC, Cybersecurity, Medical Device Security, Security Operations Centers.
• Understanding of general security concepts including but not limited to cryptography, DLP, Security Operations Center, Security Managed Services, SEM, FW, Audit.
• Demonstrated record of managing third party security services, preferably with the cloud providers.
• Ability to communicate and represent IT Security organization with all business partners and third party vendors.
• Strong oral, presentation, writing skills. and demonstrated record to deliver results.
• Ability to build relationships with business stakeholders of the IT Security program
• Familiarity with HIPAA Privacy and Security Rules and their operational implications for a large health system
• Ability to develop and present executive-level risk reporting that communicates risk in business impact terms
• Comfort operating in a matrixed environment with multiple stakeholder groups including Legal, HR, IT, Clinical Operations, and executive leadership

Nice To Haves

• Prefer 3+ years leading or managing a team in a GRC, compliance, or risk management capacity
• Prefer experience in a healthcare or other highly regulated industry, with direct exposure to HIPAA compliance obligations
• Demonstrated experience managing a third-party risk program, including vendor assessments and risk tiering
• Prefer prior experience building or significantly maturing a GRC program, not just maintaining one
• Prefer experience managing external audits or assessments (SOC 2, HITRUST, OCR, internal audit, etc.)
• Bachelors in Computer Science or similar degree is preferred.
• Experience in Healthcare industry is preferred.
• Prefer CISSP, CISM, CRISC, HCISPP, or equivalent certification
• Prefer Certified in Healthcare Privacy and Security (CHPS) or equivalent

Responsibilities

• Lead, mentor, and grow a team of 5+ GRC analysts and specialists across compliance, risk, policy, and awareness domains
• Establish clear role expectations, development pathways, and performance standards for each team member
• Foster a team culture that balances rigor with pragmatism — we care about outcomes, not just documentation
• Serve as the organization’s functional lead for HIPAA Privacy and Security Rule compliance, including ongoing gap assessment and remediation tracking
• Coordinate with Legal, Privacy, and Clinical Operations to ensure compliance obligations are understood and operationalized across the enterprise
• Oversee preparation for and response to regulatory inquiries, OCR investigations, and audit activity
• Own the enterprise cybersecurity risk register, ensuring risks are identified, assessed, prioritized, and tracked to resolution
• Lead the third-party risk management program, including vendor onboarding assessments, ongoing monitoring, and risk-tiering across the supply chain
• Develop risk reporting for executive and board audiences, translating technical risk into business impact language
• Own the cybersecurity policy lifecycle: authorship, review cadence, version control, approval workflows, and exception management
• Maintain alignment to NIST CSF, managing control mapping, evidence collection, and control effectiveness measurement
• Drive continuous improvement of the controls environment based on assessment findings, threat intelligence inputs, and regulatory changes
• Serve as the primary point of contact and program lead for internal and external cybersecurity audits and assessments
• Coordinate evidence collection, manage stakeholder readiness, and oversee finding remediation tracking through to closure
• Develop and maintain audit-ready documentation across all GRC domains
• Own the enterprise security awareness program, including curriculum development, delivery scheduling, and effectiveness measurement
• Manage the phishing simulation program end-to-end: scenario design, cadence, metrics, and targeted follow-up training for at-risk populations
• Tailor awareness content for diverse audiences — from clinical staff to executive leadership — with a voice that educates rather than shames

Benefits

• Paid time off
• Growth opportunity- Career Pathways & Career Tuition Assistance, CEU opportunities
• Academic Partnership with the Medical College of Wisconsin
• Referral bonuses
• Retirement plan - 403b
• Medical, Dental, Vision, Life Insurance, Short & Long Term Disability, Free Workplace Clinics
• Employee Assistance Programs, Adoption Assistance, Healthy Contributions, Care@Work, Moving Assistance, Discounts on gym memberships, travel and other work life benefits available