Governance, Risk, & Compliance (GRC) Director

About The Position

Requirements

• Bachelor's Degree in Computer Science, Information Technology, Management Information Systems, Engineering, Business, or other computer-related degree required.
• Twelve (12) or more years of diversified IT experience required.
• Five (5) or more years directly managing professional staff required.
• Adaptability – Maintaining effectiveness when experiencing major changes in work responsibilities or environment (e.g., people, processes, structure, or culture); adjusting effectively to change by exploring the benefits, trying new approaches, and collaborating with others to make the change successful.
• Authentic Communicator - Expresses ideas and information, both verbally and in writing, clearly and credibly. Listens to understand and fosters constructive dialogue.
• Business Acumen - Applies knowledge of MPC’s business, industry, and the marketplace to advance the organization’s goals. Makes decisions and recommendations clearly linked to MPC’s strategy.
• Continuous Improvement Mindset - Identifies and leads opportunities for continuous improvement and value creation, both incremental and large-scale.
• Data-Driven Decision Making - Applies data to make informed decisions with a priority on using real-time data, analytics, and insights to optimize operations, improve safety, and enhance the company's competitive edge.
• Digital Awareness - Actively explore, learn, and implement emerging digital tools, technologies, and trends. Involves seeking out new information, asking insightful questions, and testing innovative approaches to understand how digital solutions can create value, improve processes, or enhance experiences. Demonstrates openness to change, continuous learning, and adapting to the evolving digital landscape.
• Energizing the Organization - Creates a purposeful, engaged, optimistic workforce.
• Influencing Others - The ability to garner support for initiatives by gaining the respect of others and inspiring trust and confidence.
• Ongoing Learning & Self-Development - Regularly determines new areas for learning and acquires strategies and best practices for gaining/improving knowledge, behaviors, and skills.
• Results Driven - Drives operational and process excellence and innovative behavior by empowering others, collaborating, taking appropriate risks, making timely decisions, and holding people accountable for results.
• Selecting and Developing People - Recognizes and selects high caliber talent, accurately assesses abilities and potential, coaches to develop capabilities and builds high- performing teams.
• Strategic Outlook - Examines issues, generates ideas, creates future scenarios, and develops plans with a long-term perspective. Ensures short-term goals support long-term strategy and that organizational/functional strategy aligns with and supports MPC’s overall business strategy.

Nice To Haves

• Experience with NIST Cybersecurity Framework (CSF) 2.0 preferred.
• Certification in CISSP, C-CISO, CRISC, or CISA (or equivalent) highly preferred.

Responsibilities

• Leads managers and individual contributors through guidance, coaching, and support to ensure assignments align with organizational goals and established policies.
• Drives recruitment, development, retention, performance management, and succession planning to build a strong talent pipeline.
• Collaborates with key stakeholders and senior management to provide strategic guidance on technology risks, opportunities, and prioritization, ensuring cost effective and agile solutions.
• Oversees the planning, design, implementation, and measurement of IT systems, balancing agility with stability, security, and efficiency.
• Develops and oversees enterprise IT and cybersecurity governance frameworks, including policies, standards, procedures, and training that guide secure technology operations across the organization.
• Leads the designs and execution of enterprise-wide technology risk management processes, including cyber risk assessments and mitigation planning to protect critical systems and data.
• Directs and leads compliance programs for regulatory and industry standards (e.g., SOX, NIST, ISO 27001, PCI-DSS), to include a specific focus on TSA Pipeline Security Directives, MTSA (Maritime Transportation Security Act), ensuring processes and technical controls meet evolving requirements.
• Oversees third-party cyber risk management, vendor security assessments, and M&A ventures, establishing due diligence and ongoing monitoring processes to reduce supply chain and partner risks.
• Implements and manages security control frameworks and technical safeguards, collaborating with IT and business units to integrate security requirements into systems, networks, applications, and data platforms.
• Establishes processes and metrics to monitor compliance, risk posture, risk trends, and control effectiveness, and mechanisms for executive, internal and external audit, and regulatory reporting
• Develops and presents cybersecurity risk metrics, dashboards, and executive briefings to senior leadership and the Board, ensuring visibility into the organization's risk posture, compliance status, and program maturity.
• Coordinates with internal audit, external auditors, and regulatory examiners to support audit activities, manage findings, and drive timely remediation of identified gaps.
• Owns and manages GRC platform strategy and operations, including tool selection, configuration, and optimization to enable efficient risk assessments, policy management, control testing, and compliance workflows.

Benefits

• Marathon Petroleum offers a total rewards program which includes, but is not limited to, access to health, vision, and dental insurance, paid time off, 401k matching program, paid parental leave, and educational reimbursement.
• Detailed benefit information is available at https://mympcbenefits.com.
• The hired candidate will also be eligible for a discretionary company-sponsored annual bonus program.