DIRECTOR, INFORMATION SECURITY GOVERNANCE - HYBRID

Green Shield Canada, Toronto, ON
Hybrid

About The Position

The Director, Information Security Governance, is responsible for the strategic leadership and operational oversight of the organization’s Information Security Governance, Risk, and Compliance (GRC) functions. This role ensures a robust, risk-based, and business-aligned information security posture across the enterprise. The Director will develop, execute, and continuously enhance governance programs, policies, and processes that align with the NIST Cybersecurity Framework, regulatory obligations, and organizational objectives. This position is both strategic and hands-on, requiring expertise in cybersecurity risk management, policy governance, third-party oversight, regulatory compliance, and leadership of a multidisciplinary security team. The Director supports the Vice President, Security (CISO) in liaising with executive stakeholders, including the Risk Committee, Executive Committee, and Board of Directors.

Requirements

  • University degree in Computer Science or equivalent.
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Business Continuity Professional (CBCP)
  • Minimum of 10 years in a leadership role operating in enterprise IT, risk, regulatory, audit and compliance environments.
  • Strong leadership capabilities to motivate, build, develop and lead effective teams to achieve results.
  • Strong verbal and written communication skills across a spectrum of senior management, executives, users, other technical teams and external customers, to enable and influence business outcomes.
  • Strong problem-solving abilities and ability to work effectively under pressure.
  • An accomplished facilitator with excellent interpersonal and communication skills that support working effectively in multi-disciplinary and multiple-location team environments.
  • Experience in partnering with technology, product, risk, internal audit, compliance and sales.
  • Highly developed planning, organizing and negotiating skills; can manage multiple tasks, meet tight deadlines and respond to changing priorities.
  • Proficiency in English is required for this position. As part of this role, you will be required to communicate with colleagues or customers who use English as their primary language. By requiring English proficiency for this position, we aim to ensure that our employees can excel in their roles, collaborate, and communicate effectively, and contribute to the success of our organization.

Responsibilities

  • Design and oversee a comprehensive cybersecurity awareness and testing program covering onboarding, monthly micro-trainings, quarterly phishing simulations, and annual enterprise-wide training.
  • Deliver targeted training for executives, business units, and the Board of Directors, incorporating role-based risk scenarios and regulatory expectations.
  • Measure training effectiveness through metrics and Key Risk Indicators (KRIs) for continuous program improvement.
  • Lead the Information Security evaluation and continuous monitoring of third-party vendors, ensuring robust due diligence and risk scoring against security posture standards and procedures.
  • Develop and manage the vendor security assessment lifecycle, integrating findings into enterprise risk reporting and procurement processes.
  • Maintain and expand the Information Security Policy and Standards library to align with evolving business operations, regulatory changes, threats, and frameworks (NIST, SOC2, OSFI, ISO 27001, etc.).
  • Oversee policy governance and internal communication to ensure organizational compliance and understanding.
  • Lead the development, testing, and maintenance of the Cybersecurity Incident Response Plan (CIRP) and oversight of playbook updates in partnership with the Information Security Operations team.
  • Facilitate regular tabletop exercises simulating real-world attack scenarios, driving executive participation and readiness.
  • Support revenue growth by leading the security response to RFPs, participation in client meetings, and due diligence requests, enabling sales opportunities.
  • Lead client assurance efforts, including security audit responses and TPRM assessments, reinforcing trust and compliance assurance with customers.
  • Develop and operationalize a comprehensive Cybersecurity Risk Management framework aligned to NIST CSF.
  • Oversee the execution of security risk assessments and quantification models to measure and report risk exposure across business units.
  • Lead ongoing security control testing for systems, applications, and third parties to validate security control design and effectiveness, ensuring risk mitigation.
  • Architect and execute a governance model that aligns with corporate strategy and risk appetite, ensuring consistent oversight of security programs and compliance obligations.
  • Maintain governance documentation, charters, and processes reflecting continuous improvement and audit readiness.
  • Develop and manage a centralized Control Library mapping to regulatory, policy, and framework requirements.
  • Oversee periodic control testing, validation, and maintenance activities, ensuring transparency and traceability to audit results.
  • Oversee development, implementation, and testing of Business Continuity and Disaster Recovery programs.
  • Conduct Business Impact Assessments (BIAs), Process Impact Analyses (PIAs), and dependency mapping across systems, processes, and vendors.
  • Lead BCP tabletop exercises and training to ensure operational resilience during crises.
  • Act as the primary Information Security stakeholder in SOC2, OSFI, CLHIA, and other regulatory audits.
  • Manage relationships with external auditors and internal risk teams to ensure timely, accurate evidence submission and remediation tracking.
  • Support annual cybersecurity insurance renewals through risk data aggregation and reporting.
  • Serve as the Alternate Company Security Officer (ACSO) responsible for safeguarding sensitive government information and ensuring compliance with federal contract security requirements.
  • Collaborate with the Data Governance Committee to design and enforce DLP strategies.
  • Guide the implementation of security controls to detect, prevent, and respond to data exfiltration risks.
  • Oversee periodic access attestation reviews for critical systems and applications.
  • Ensure compliance with audit standards and integration of results into enterprise KRI dashboards and Risk Committee reporting.
  • Develop, author, and present quarterly Information Security performance and compliance reports to the Risk Committee, Executive Team, and Board of Directors.
  • Track progress against key deliverables, KRIs, and program OKRs.
  • Lead the creation and ongoing management of the Information Security Governance Roadmap, ensuring alignment with enterprise IT, risk, and organizational strategy.
  • Identify emerging risks, regulatory changes, and technological trends to inform forward-looking governance objectives.
© 2026 Teal Labs, Inc