Cybersecurity GRC Program Lead

About The Position

Requirements

• 7+ years in cybersecurity GRC, security risk, audit readiness, compliance operations, or related functions, with clear experience building or maturing governance operating models
• Strong experience operationalizing NIST CSF and translating controls across frameworks such as ISO 27001, SOX, SOC 2, or similar frameworks
• Experience building or maturing security governance programs in complex enterprise environments with multiple technical stakeholders
• Experience with risk assessments, control design reviews, exception management, and remediation tracking
• Strong understanding of third-party risk, supplier security reviews, security questionnaires, and governance workflows that scale beyond one-off reviews
• Experience partnering with technical teams to influence architecture, engineering, and operations outcomes in a practical, technically credible way
• Ability to turn policy and framework language into concrete operating practices, ownership expectations, and measurable evidence
• Strong writing, stakeholder management, and executive communication skills

Nice To Haves

• Experience supporting SOC 2, ISO 27001, CTPAT, SOX or similar audit/readiness efforts
• Experience with evidence management, control testing, internal audit coordination, or related assurance processes
• Experience with continuous compliance platforms, including evidence automation, control monitoring, and audit readiness workflows
• Experience managing a trust center or similar customer assurance portal and keeping security documentation current and reusable
• Familiarity with enterprise technology environments spanning cloud, identity, endpoint, network, and application security domains

Responsibilities

• Lead selection, adoption, and operationalization of Echo’s primary cybersecurity framework and related standards structure, with NIST CSF 2.0 as the likely management layer
• Build and maintain a control ownership model across Technology, Engineering, Platform, Network, EUC, Asset, Data, Integrations, and Security
• Translate existing policies into measurable operating practices, control expectations, evidence requirements, review cadences, and exception workflows
• Partner with security architecture, engineering, and operations teams to ensure that governance expectations are practical, technically grounded, and enforceable
• Drive enterprise risk and control assessments, including facilitating discussions on control design, effectiveness, and remediation priorities
• Build an evidence library structure while defining repeatable collection, review, reuse, and freshness cadences
• Improve security questionnaire workflows through standardized responses, evidence reuse, service-level expectations, and clearer ownership
• Coordinate third-party security intake and help define tiering, minimum security requirements, documentation expectations, and escalation paths
• Partner with Internal Audit and business stakeholders on readiness efforts, compliance reviews, and operational audit support
• Track policy exceptions, control gaps, remediation commitments, and overdue actions through closure, including clear owners and time bounds
• Provide security governance input on supplier security requirements, contractual obligations, and ongoing review expectations
• Produce reporting for leadership on framework maturity, control ownership, policy currency, evidence readiness, exception status, and risk trends
• Lead the evolution to and support of continuous compliance capabilities to improve control visibility, evidence freshness, and audit readiness
• Manage and evolve the organization’s trust center, including published security documentation, customer-facing assurance materials, and the processes that keep content current and supportable

Benefits

• Bonus that is based on a combination of personal and business performance