Director Governance, Risk & Compliance (GRC)

About The Position

Requirements

• Bachelor's Degree or 4 years of work experience above the minimum qualification
• 5 years of experience
• Proven experience leading complex consulting engagements, including CIO/CISO engagements-driving all phases of the client engagement lifecycle (project kickoff, interviews, document reviews, analysis, deliverable creation, executive briefing, and closeout).
• Strong leadership and program management skills; able to interface with client leadership teams and provide direction to internal, client, and vendor teams.
• Strong communication skills, including the ability to lead executive-level deliverable presentations and briefings.
• Develop high-quality deliverables, such as reports, presentations, policies, procedures, and architectural diagrams.
• In-depth knowledge of cybersecurity frameworks (e.g., NIST CSF, ISO 27001, COBIT).
• Strong understanding of network protocols, operating systems, cloud platforms (Azure, GCP), and security technologies (SIEM, EDR, firewalls, WAFs).
• Expertise in one or more of the following cybersecurity domains (or related): Cyber Risk Management, Incident Response, Data Protection, OT Security, Vulnerability Management, Identity and Access Management, Cyber Resilience.
• Experience with risk management methodologies and tools.
• Familiarity with regulatory compliance standards (e.g., GDPR, HIPAA, PCI DSS, SOC 2)

Nice To Haves

• Bachelor's degree in a relevant field such as Healthcare Administration, Information Security, Law, Business Administration, or a related field.
• Minimum of 5-10 years of experience in healthcare privacy, risk management, or compliance roles, with a focus on information security, privacy, and regulatory compliance.
• CISSP, CISM, or equivalent certifications preferred.
• In-depth knowledge of healthcare regulations and frameworks (e.g., HIPAA, NIST).
• Experience conducting audits, risk assessments, and regulatory reporting in a healthcare environment.

Responsibilities

• Developing and maintaining the organization's GRC framework, including policies, standards, and procedures for risk management, compliance, and information security. (e.g., NIST CSF, HITRUST).
• Providing guidance and leadership to ensure that business objectives are met within the established governance framework.
• Leading the identification, assessment, and mitigation of enterprise-wide risks, including operational, financial, reputational, legal, cybersecurity, and patient safety risks.
• Developing and implementing risk assessment methodologies, mitigation strategies, and action plans.
• Maintaining and reporting on the organization's risk register, tracking remediation activities, and providing insights to leadership.
• Conducting vendor risk assessments and ensuring third-party compliance with security and privacy standards.
• Ensuring compliance with all applicable healthcare laws, regulations, and industry standards (e.g., HIPAA, HITECH, NIST).
• Developing and delivering compliance training programs to staff and leadership to promote awareness and adherence to ethical standards.
• Overseeing internal and external audits, coordinating responses, and managing remediation efforts.
• Staying current on evolving regulatory environments, security threats, and compliance best practices, and updating policies and procedures accordingly.
• Collaborating with quality and safety teams to integrate GRC into patient care delivery, focusing on preventing avoidable harm and improving patient outcomes.
• Supporting the development and implementation of patient safety initiatives.