Director IT Risk and Compliance

BJ's Wholesale Club, BJ's Club Support Center, Marlborough, MA
Hybrid

About The Position

BJ’s Wholesale Club is a Fortune 500 membership-based wholesale retailer operating over 267 clubs and 205 gas stations across the Eastern United States. As a high-volume retailer processing millions of transactions annually, our IT Risk & Compliance function is mission-critical — safeguarding member data, ensuring regulatory adherence, and enabling the business to innovate with confidence. We are seeking a Director of IT Risk & Compliance to lead the organization’s information technology risk management and regulatory compliance programs. This is a pivotal leadership role at a moment of transformation: you will lead a tenured, high-performing team and have the mandate to modernize processes — leveraging AI, automation, and purpose-built GRC platforms to shift the function from reactive to predictive. The ideal candidate brings deep SOX ITGC and PCI DSS expertise, a track record of cross-functional influence at the executive level, and the vision to build a compliance program that is both rigorous and efficient.

Requirements

  • Bachelor’s degree in Information Systems, Computer Science, Cybersecurity, or a related field.
  • 10+ years of progressive experience in IT risk management, IT compliance, or information security, including 3+ years in a people leadership role.
  • Deep, hands-on expertise with SOX ITGC: control frameworks, testing methodologies, audit liaison, and remediation management.
  • Substantive experience with PCI DSS compliance programs in a large-scale retail or financial services environment.
  • Proven ability to manage complex, multi-stakeholder programs simultaneously under regulatory scrutiny.
  • Strong executive communication skills; comfortable presenting to C-suite and Board-level audiences.
  • Strong communication and interpersonal skills.
  • Proven analytical and organizational skills.

Nice To Haves

  • Professional certifications: CISA, CISSP, CISM, CRISC, or PCI ISA/QSA.
  • Experience deploying or optimizing GRC platforms (AuditBoard, ServiceNow GRC, Archer, or similar).
  • Demonstrated experience piloting AI or automation solutions within a compliance or audit function.
  • Experience with third-party risk platforms (UpGuard, BitSight, Security Scorecard, or equivalent).
  • Familiarity with state data privacy regulations (CCPA, VCDPA, CPA) and their IT implications.
  • Prior experience in a Fortune 500 retail, consumer, or financial services environment.
  • Familiarity with AI tools, including ChatGPT.

Responsibilities

  • Own and mature the SOX IT General Controls (ITGC) program end-to-end: scoping, control design, testing coordination, interim and year-end audit support, and remediation tracking.
  • Direct PCI DSS assessment activities and annual penetration testing, partnering with QSAs and internal stakeholders to maintain compliance posture.
  • Collaborate with the IT leadership team on Governance, Operating Model and SDLC to ensure compliance with internal policy, industry standards and regulatory landscape.
  • Serve as the primary liaison to Internal Audit, External Audit and Legal; manage audit findings through to closure.
  • Own the annual IT policy review cycle to ensure policies reflect current regulatory requirements, emerging risks, and operational capabilities.
  • Lead enterprise IT and cybersecurity risk assessments; maintain the IT risk register and report quarterly to senior leadership and the Risk Management Committee.
  • Oversee the Vendor Risk Assessment program and Third-Party Risk Monitoring, including platform management and escalation protocols.
  • Partner with Legal and Privacy teams on e-discovery, Legal Hold requests, contract reviews involving technology, and data retention obligations.
  • Drive Architecture and Solution reviews in partnership with the enterprise architecture team to embed security and compliance requirements into project delivery.
  • Maintain and exercise Incident Response plans; lead or co-lead annual executive and technical tabletop exercises.
  • Design and oversee the enterprise security awareness and phishing tests program, ensuring content is role-relevant, engaging, and aligned to the current threat landscape facing large-scale retail environments.
  • Champion the use of AI and automation to modernize compliance testing, evidence collection, and risk reporting — reducing manual effort and accelerating cycle times.
  • Co-lead the monthly AI Working Group, evaluating emerging AI tools for risk and governance implications and piloting responsible AI use cases within the compliance function.
  • Implement and optimize GRC platform capabilities to centralize controls management, automate workflows, and enable real-time compliance dashboards.
  • Develop data-driven KPIs and metrics that provide the VP, IT Security and Compliance, and the ELT with actionable risk intelligence.
  • Build and lead a high-performing team of IT risk and compliance professionals; provide coaching, career development, and performance management.
  • Foster a culture of accountability and continuous improvement, where compliance is viewed as a business enabler rather than a gating function.
  • Present risk and compliance status to the ELT, Audit Committee, and Board-level stakeholders; translate technical risk into business language.
  • Collaborate across Technology, Finance, Legal, Internal Audit, and business units to drive cross-functional risk reduction initiatives.
  • Interpret evolving legislation and regulatory guidance (SOX, PCI DSS, state data privacy laws) and translate implications into actionable organizational policy.
  • Evaluate and manage strategic risk and compliance vendors and co-sourcing partners to supplement internal capacity.

Benefits

  • Weekly Pay
  • Free BJ’s Memberships
  • Generous Paid Time Off (vacation, personal, sick days, holidays, bereavement, and jury duty leave)
  • Flexible and Affordable Health Benefits (three medical plans, optional dental, vision, Health Savings Account (HSA), and flexible spending account options)
  • 401(k) Retirement Savings Plan with company match
  • Employee Stock Purchase Plan