Director Governance, Risk, and Compliance

Ball | Westminster, CO
$143,000 - $209,060 | Hybrid

About The Position

The Director of Cybersecurity Governance, Risk, and Compliance (GRC) is accountable for enterprise-wide cyber risk governance, regulatory compliance strategy, and board-level risk reporting for Ball Corporation’s global manufacturing and supply-chain-driven business. This role sets the enterprise cyber risk posture, translates business risk appetite into enforceable governance mechanisms, and ensures cybersecurity risk is measured, reported, and managed as a business risk and not a purely technical concern. The Director serves as Ball’s primary authority on cybersecurity risk governance, regulatory alignment, and assurance, and acts as a trusted advisor to the CISO, executive leadership, Legal, Internal Audit, and the Board. The role owns and governs all Security GRC sub-capabilities: 1) Security Governance & Program Management, 2) Security Risk Management, 3) Security Assessments & Compliance Management, 4) Cyber-Supply Chain Risk Management, 5) Business Continuity Planning (cyber integration), 6) Security Training & Awareness, 7) Cyber Metrics and Reporting.

Requirements

  • Bachelor’s degree in Information Security, Computer Science, Risk Management, Business Administration, or a related discipline required.
  • Minimum of 15 years of progressive experience in cybersecurity, technology risk, or enterprise risk management, including 7+ years leading enterprise-scale GRC, risk, or compliance functions within complex, global organizations.
  • Demonstrated experience operating in regulated, asset-intensive, or manufacturing-centric environments.
  • CISSP or CISM certification required.

Nice To Haves

  • Master’s degree (e.g., MBA, MS in Information Security or Risk Management) strongly preferred.
  • CRISC, CGEIT, or equivalent risk-focused certification strongly preferred.
  • Executive-level communication skills with the ability to translate complex cybersecurity risk into clear business and financial impact.
  • Strong leadership and people-management capabilities, with experience building and scaling governance or risk teams.
  • Proven ability to influence without authority and drive alignment across technology, legal, finance, operations, and executive stakeholders.
  • Analytical and strategic thinking skills, with the ability to prioritize risk based on probability, impact, and business criticality.
  • Sound judgment under pressure, particularly in high-visibility risk, audit, or incident scenarios.
  • Ability to balance regulatory rigor with business enablement and operational practicality.
  • Deep knowledge of cybersecurity governance, risk, and compliance frameworks and practices (e.g., NIST CSF, ISO 27001/31000, SOX ITGC, data protection regulations).
  • Strong understanding of cybersecurity risks impacting global manufacturing, operational technology, and supply-chain ecosystems.
  • Familiarity with regulatory expectations related to cybersecurity disclosures, audits, and assurance.
  • Working knowledge of incident response, business continuity, and crisis management from a governance and oversight perspective.
  • Understanding of how cybersecurity risk intersects with safety, operational resilience, financial performance, and brand trust.

Responsibilities

  • Establish and maintain the enterprise cybersecurity governance framework, including policies, standards, risk taxonomy, and accountability models.
  • Define and operationalize the enterprise cyber risk management program, including risk identification, assessment, prioritization, escalation, and reporting.
  • Own executive- and Board-level cybersecurity risk & metrics reporting, ensuring alignment to business impact, materiality, and risk tolerance.
  • Lead the global cybersecurity compliance strategy, ensuring alignment with applicable regulatory, legal, and contractual requirements.
  • Provide senior oversight of cybersecurity audits, assessments, and assurance activities; ensure consistent and defensible outcomes.
  • Govern cyber supply-chain and third-party risk management, embedding security risk considerations into vendor lifecycle processes.
  • Ensure cybersecurity risk is integrated into business continuity, crisis management, and enterprise resilience planning.
  • Lead, develop, and mentor the Security GRC leadership team and establish clear interfaces with other cybersecurity and business functions.
  • Ensure cybersecurity governance and compliance requirements are appropriately tailored to regional regulatory, legal, and operational realities while maintaining global consistency.
  • Partner with regional business and technology leaders to address localized cyber risk scenarios, including manufacturing, operational technology (OT), and supply-chain considerations.
  • Oversee regional regulatory compliance obligations (e.g., data protection, critical infrastructure, export controls) and support regulatory inquiries or audits as required.
  • Enable effective risk communication and escalation between regions and corporate leadership, ensuring timely visibility of material risks.

Benefits

  • Eligible to participate in the annual incentive compensation plan.
  • Comprehensive benefits structure.