About the position
KAYAK is seeking a talented individual to lead their Cybersecurity GRC program. The successful candidate will work closely with multiple teams to develop sensible processes and controls that satisfy internal business objectives as well as external audit requirements. The role involves leading compliance and security audit activities, improving the company's maturity on the NIST CSF framework, managing SOC 2 Type 2 and annual PCI DSS certification processes, and maintaining the risk register processes, standards, and components. The ideal candidate should have at least 3 years of experience performing technology third-party security and risk management lifecycle program work, familiarity with industry and regulatory frameworks like NIST, SOC, PCI, and a basic understanding of concepts of risk analysis, computer security, IT systems, and networking.
Responsibilities
- Lead compliance and security audit activities with external auditors and internal control owners to ensure timely and successful completion of audit requirements.
- Improve our maturity on the NIST CSF framework.
- Manage our SOC 2 Type 2 certification process and ensure that deficiencies are minimized.
- Manage our annual PCI DSS certification process.
- Maintain the risk register processes, standards, and components.
- Respond to partner third party risk assessments.
- Execute and manage vendor TPRM.
- Streamline audit and control processes.
- Develop metrics to measure the effectiveness of GRC programs.
- Stay up to date with changes in laws, regulations, and industry best practices related to GRC.
Requirements
- At least 3 years of experience performing technology third-party security and risk management lifecycle program work, including assessment, reporting, and remediation planning and tracking activities, both at a Big 4 auditor (or equivalent) and inside a corporate environment.
- Familiarity with industry and regulatory frameworks like NIST, SOC, PCI.
- Basic understanding of concepts of risk analysis, computer security, IT systems, and networking.
- A balanced, pragmatic approach to risk management in the context of technical projects and organizational goals.
- Experience building complex project plans and tracking completion, negotiating commitments and escalating on blocking issues constructively.
- The initiative to determine what needs to be done with minimal guidance from your manager.
- Ability to work under ambiguous situations.
- Ability to bring clarity to projects by digging into documentation and asking the right people the right questions.
- An inventive nature to leverage technology to streamline and automate manual processes.
- Motivation to learn.