Director, Security Governance, Risk & Compliance

About The Position

Requirements

• Bachelor's degree in Information Systems, Business, Law, Cybersecurity, or a related field required. Prior experience in lieu of degree is considered.
• 10+ years of progressive GRC, compliance, or risk management experience in information security contexts.
• At least 3 years in a leadership or senior individual contributor role owning a GRC or compliance program.
• Deep, hands-on experience with PCI DSS — ideally including management of a Level 1 merchant assessment and direct QSA engagement. PCI DSS v4.0 experience strongly preferred.
• Experience in retail, hospitality, QSR, food service, or other high-transaction consumer environments preferred — particularly environments with franchise or multi-location complexity.
• Track record of managing third-party risk programs across complex vendor ecosystems.
• Certified Information Systems Auditor (CISA) — primary qualification for this role
• Certified Information Security Manager (CISM)
• Payment Card Industry Professional (PCIP) or PCI QSA qualification — strongly preferred
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Privacy Professional (CIPP/US or CIPP/E) — valued for the privacy program ownership
• ISO 27001 Lead Auditor or Lead Implementer
• Expert-level knowledge of PCI DSS v4.0 requirements, scoping methodology, and assessment processes.
• Strong technical background in cloud computing and networking.
• Strong working knowledge of CIS Controls v8, and SOX IT general controls.
• Familiarity with GRC platforms (ServiceNow GRC, Archer, OneTrust, or equivalent) for risk register and compliance workflow management.
• Comfortable working with technical teams (IR/SOC, IAM, IT) to translate compliance requirements into implementable technical controls.

Responsibilities

• PCI DSS Compliance Program Own end-to-end PCI DSS v4.0 compliance program — including scoping, gap assessment, remediation roadmap, evidence collection, and coordination with the external Qualified Security Assessor (QSA).
• Maintain and continuously update the cardholder data environment (CDE) scope documentation; ensure network segmentation controls supporting CDE isolation are validated annually.
• Manage all PCI DSS reporting obligations: Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) as applicable, Attestation of Compliance (AOC), and payment brand submissions.
• Lead the organization's transition to PCI DSS v4.0 customized approach where applicable — including targeted risk analysis documentation for any controls using the customized approach.
• Coordinate PCI DSS obligations across franchise locations — developing franchise-appropriate compliance guidance, assessment tools, and training materials that account for franchisee-owned technology environments.
• Stay current on PCI SSC guidance, bulletins, and FAQ updates; brief the CISO on implications for the program and recommend adjustments proactively.
• Own and maintain the enterprise information security risk register — ensuring risks are identified, assessed, documented, assigned to owners, and tracked through treatment.
• Conduct formal risk assessments for significant technology changes, new vendor engagements, major projects, and annual program reviews.
• Develop and maintain a risk quantification approach that translates technical risks into financial exposure terms suitable for CISO and Board-level reporting.
• Present the risk posture quarterly to the CISO, including top risks, treatment status, residual risk acceptance decisions, and emerging risk areas.
• Facilitate risk acceptance decisions with appropriate business owners; ensure residual risk acceptances are documented, reviewed, and time bounded.
• Own the cyber insurance program — managing the renewal process, assessing coverage adequacy against current risk profile, and coordinating incident notification obligations with Legal and the CISO.
• Own the enterprise information security policy framework — maintaining a complete, current, and internally consistent set of policies, standards, procedures, and guidelines.
• Establish and operate a policy governance process: defined review cycles, version control, stakeholder approval workflows, and employee acknowledgment tracking.
• Develop and enforce security standards for areas including data classification, acceptable use, third-party access, encryption, patch management, and incident notification.
• Ensure policies are appropriately tiered — corporate-level policies cascading to franchise-appropriate operational guidance that is practical for restaurant environments.
• Partner with Legal and HR on policy intersections including acceptable use, employee privacy, and disciplinary procedures for policy violations.
• Own the third-party risk management (TPRM) program — establishing vendor security assessment requirements, risk tiering methodology, and ongoing monitoring processes.
• Conduct or oversee security assessments of critical vendors including POS technology providers, digital ordering platforms, loyalty program vendors, cloud service providers, and payment processors.
• Maintain a vendor risk register with current assessment status, identified risks, contractual security requirements, and remediation tracking.
• Ensure security and data protection requirements are embedded in vendor contracts — working with Legal and Procurement on standard security addenda and data processing agreements.
• Manage the annual vendor re-assessment cycle; escalate high-risk findings to the CISO with recommended treatment options.
• Own the enterprise security awareness program — ensuring all employees receive appropriate, engaging, and role-relevant security training.
• Design training content appropriate for diverse audiences: corporate staff, restaurant-level employees (including high-turnover hourly workers), franchise operators, and technology vendors.
• Manage the phishing simulation program in coordination with the IR/SOC team — tracking click rates, reporting trends to the CISO, and using results to target additional training.
• Ensure training meets PCI DSS annual requirements for all personnel with access to cardholder data environments.
• Track training completion rates and report to the CISO; escalate persistent non-compliance through appropriate management channels.
• Serve as the primary coordinator for all internal and external security audits and assessments — including PCI DSS QSA audits, SOX IT control assessments, and any regulatory examinations.
• Manage the audit lifecycle: scheduling, evidence collection, stakeholder preparation, finding responses, and remediation tracking.
• Build and maintain the evidence management system — ensuring audit artifacts are organized, version-controlled, and accessible for recurring assessments.
• Develop and maintain relationships with the external QSA, internal audit function, and Legal counsel to ensure aligned, efficient audit processes.