Director, Cybersecurity Compliance

CardWorks, South Jordan, UT
Hybrid

About The Position

Join our team - and take the next step in achieving a fulfilling career!

What We Do

At CardWorks, we aim to help people connect with possibility and opportunity using our financial servicing expertise. Building meaningful, long-term relationships with consumers, our employees, and our clients is what matters most.

Who We Are

CardWorks, Inc. is a diversified consumer finance service provider and parent company of CardWorks Servicing, LLC, Merrick Bank and Carson Smithfield, LLC. CardWorks Servicing, LLC provides end-to-end operational servicing functions for credit cards, secured cards, and installment loans. We service consumer and small business loans across the credit spectrum and offer backup servicing and due diligence services to capital providers and trustees. Merrick Bank is an FDIC-insured Utah Industrial Loan Bank. Merrick operates three main business lines: credit cards, recreational lending, and merchant services. Carson Smithfield, LLC provides a variety of post-charge-off debt recovery services, including digital self-service, IVR, live agent, and external agency management.

Position Summary

The Information Security Risk Management Director is responsible for leading the design, implementation, and oversight of the organization’s information security risk management and vendor security assessment programs. This is a hands-on leadership role that develops and ensures that cyber risk identification, assessment, mitigation, and reporting activities are consistently executed and centrally managed within the organization’s risk management framework and tools. The Director oversees and performs information security risk assessments across internal systems, business processes, third-party vendors, and enterprise projects to ensure risks are effectively identified, rated, and managed in alignment with Enterprise Risk Management practices and regulatory frameworks such as the Cyber Risk Institute (CRI) Profile, NIST Cybersecurity Framework (CSF), and PCI DSS.
By integrating security risk management practices with business and technology initiatives, the Director drives informed decision-making, strengthens the organization’s security posture, enhances compliance with policies and standards, and promotes a culture of proactive security risk management across the enterprise.

Requirements

  • 8+ years of experience in information security, security risk management, compliance, or related fields within a regulated or technology-driven environment, including 3+ years in a leadership or program management capacity.
  • Demonstrated experience in assessing, mitigating, and tracking security risks across systems, infrastructure, and third-party vendors, with proven success in driving remediation and program maturity.
  • Strong understanding of information security risk frameworks and methodologies, including the Cyber Risk Institute (CRI) Profile, NIST Cybersecurity Framework (CSF), CIS-CSC, and PCI DSS, with hands-on experience applying these standards to projects, systems, and infrastructure.
  • Experience developing or enhancing risk management processes, including risk and control matrix development, risk scoring models, control evaluation criteria, and integrating governance workflows with enterprise risk management (ERM) practices.
  • Proven ability to collaborate across diverse stakeholders, including IT, Enterprise Risk Management, Legal, Compliance, business units, and external partners, to embed security requirements, align with project objectives, and inform decision-making.
  • Familiarity with GRC or security compliance platforms (e.g. Archer, ServiceNow, Auditboard) and reporting mechanisms for documenting and tracking risk, remediation, and control testing results.
  • Bachelor’s or Master’s degree in Information Security, Information Technology, Risk Management, or a related field preferred.
  • Strategic and hands-on cybersecurity risk leader with a proven ability to design, implement, and mature enterprise-wide risk management programs.
  • Deep understanding of information security risk frameworks (NIST CSF, CRI Profile, PCI DSS, CIS Controls, etc.) and enterprise risk management principles, with practical experience applying them across systems, processes, and third-party vendors.
  • Demonstrated success in leading and mentoring small teams, fostering capability growth, and scaling risk management functions to meet enterprise needs.
  • Strong analytical and problem-solving skills, adept at evaluating threats, assessing process and control effectiveness, addressing gaps, and translating risks into business-relevant insights.
  • Skilled at delivering on and coordinating multiple efforts across IT, business, compliance, and ERM teams, influencing decisions, and driving risk-informed outcomes while maintaining accountability and transparency.
  • Excellent communication and interpersonal skills (via email, chat, in-person, and virtual) to engage effectively with technical teams, executives, and non-technical stakeholders.
  • High level of attention to detail and organization, ensuring accurate, timely, and complete documentation and reporting.
  • Recognized as a trusted advisor and credible authority, capable of balancing strategic oversight with hands-on execution in a dynamic and evolving environment.
  • Self-motivated and collaborative, with a strong commitment to continuous improvement, accountability, operational excellence, and promoting a culture of proactive security risk management across the organization.

Nice To Haves

  • Preferred certifications: CRISC, CISM, CISSP, or CISA.

Responsibilities

  • Lead, mature, and operationalize the organization’s information security risk management and vendor security assessment programs.
  • Provide strategic and hands-on leadership for a small team and/or third-party resources responsible for executing assessments, managing risk registers, and maintaining program processes.
  • Develop and maintain consistent methodologies, templates, and workflows for risk assessments and vendor reviews.
  • Partner with Enterprise Risk Management to ensure cybersecurity risks are integrated into enterprise risk registers, prioritized appropriately, and aligned with enterprise issue management and escalation processes.
  • Oversee and perform security risk assessments for applications, infrastructure, and business processes to identify threats, vulnerabilities, control weaknesses, and business impacts.
  • Mature risk scoring methodologies to prioritize risks based on likelihood and business impact.
  • Identify opportunities to streamline assessment workflows, automate evidence collection, and enhance tool integration across GRC, IT, and security systems.
  • Lead vendor security reviews, evaluating SOC 2 reports, ISO 27001 certifications, PCI AOCs, and penetration test results to assess vendor control maturity.
  • Collaborate with Procurement, Legal, and Third-Party Risk Management (TPRM) teams to embed security requirements into contracts, onboarding, and ongoing vendor oversight.
  • Track and manage vendor-related security issues, ensuring timely remediation, escalation, and closure consistent with SLAs and enterprise issue management processes.
  • Develop and maintain vendor risk dashboards and KRIs to provide visibility into supply-chain risk exposure and remediation progress.
  • Define, track, and report cybersecurity risk metrics, dashboards, and assessment outcomes for senior leadership.
  • Ensure data quality, consistency, evidence integrity, and traceability across GRC platforms and supporting tools.
  • Drive program improvements through automation, analytics, risk trend analysis, and lessons learned from incidents, audits, and assessments.
  • Promote a culture of transparency, accountability, and proactive cyber risk management throughout the organization.

Benefits

  • Competitive Pay, including a Bonus Target or Variable Pay Incentive Program
  • Benefits Package - Medical, Dental, and Vision (plus much more)
  • 401(k) Plan with Company Match
  • Short- & Long-Term Disability
  • Wellness Programs
  • Group Life and AD&D Insurance
  • Paid Vacation, Sick Days and Bank Holidays
  • Employee Engagement Activities including Employee Appreciation Day, DEI Employee Resource Groups, Corporate Social Responsibility, Service Recognition