Governance, Risk, and Compliance Manager

About The Position

Requirements

• Bachelor’s degree in Cybersecurity, Information Systems, or related field (or equivalent experience).
• 8+ years’ experience in security, risk, compliance, or GRC-focused roles.
• Strong practical experience with one or more frameworks such as ISO 27001, SOC 2, NIST, CIS, or similar.
• Confidence leading meetings, workshops, and complex discussions.
• Ability to design security governance and compliance programs, not just implement them.
• Strong written communication skills, with experience producing high-quality documentation.
• Experience mentoring or supporting the development of junior team members.
• Strong organizational skills and ability to manage multiple engagements and priorities.
• A pragmatic, solutions-focused mindset with an understanding of business realities.

Nice To Haves

• Certifications such as CISSP, CISM, CRISC, CGEIT, or CGRC, preferred.

Responsibilities

• Support the development, maintenance, and lifecycle management of information security and IT governance policies, standards, and procedures.
• Coordinate periodic policy reviews and facilitate stakeholder input, approvals, and attestations.
• Maintain policy exceptions and waivers, ensuring appropriate risk evaluation, documentation, and executive approval.
• Partner with legal, compliance, IT, and security teams to ensure governance alignment across enterprise initiatives.
• Lead and coordinate the Business Impact Analysis (BIA) process by partnering with business and technology stakeholders to identify critical processes, assess operational, financial, and regulatory impacts, and document recovery objectives to support enterprise resilience and continuity planning.
• Identify, assess, and document information technology risks across infrastructure, applications, cloud services, and third-party environments using standardized risk assessment methodologies.
• Facilitate periodic and ad-hoc IT risk assessments, including inherent risk evaluation, control effectiveness testing, and residual risk determination.
• Maintain the enterprise IT risk register by ensuring risks are accurately described, consistently scored, and aligned to business impact and risk tolerance.
• Track risk remediation activities to completion and validate that corrective actions effectively reduce risk exposure.
• Support third-party and vendor risk assessments by evaluating IT-related risks associated with external service providers.
• Support continuous improvement of the IT risk management program through process optimization, tooling enhancements, and stakeholder feedback.
• Monitor emerging threats, vulnerabilities, and technology changes to identify new or evolving risk scenarios.
• Lead internal control testing, evidence collection, and audit readiness across cloud and on-prem system.
• Collaborate with architects and development teams to identify potential attack paths early in the design phase.
• Collaborate with cross-functional teams and external auditors to ensure regulatory compliance
• Leverage intelligence from vulnerability, threat, and incident data to continuously refine security controls.
• Evaluate and improve security controls, processes, and documentation.
• Develop and maintain risk metrics, dashboards, and reporting artifacts for management and executive-level audiences.
• Present risk posture and program effectiveness metrics to senior leadership and governance committees.
• Align program outcomes with frameworks such as NIST CSF & CIS Controls.