GRC IT Security Manager

About The Position

Requirements

• Mid-level leadership role
• Reporting to the Director of GRC
• Daily oversight of analysts and leads
• Drives process maturity
• Ensures consistent delivery of risk, audit, policy, and continuity efforts
• Helps shape the enterprise’s risk posture
• Mentors a high-performing team
• Fosters cross-functional collaboration
• Deep understanding of regulatory frameworks
• Ability to communicate complex risk concepts in clear, actionable terms
• Proactively identify control gaps
• Coordinate effective mitigation
• Ensure security efforts remain aligned with evolving business needs
• Experience with SOX, PCI, and privacy frameworks
• Experience managing policy lifecycle
• Experience managing company-wide security training programs
• Experience with NIST and PCI DSS frameworks

Nice To Haves

• Experience with AI vendors and AI-related risks
• Experience with Managed Security Service Providers (MSSP)

Responsibilities

• Lead enterprise-wide cybersecurity risk assessments across business units and IT domains.
• Own the accuracy and ongoing maintenance of the enterprise risk register, ensuring it is consistently updated and informed by stakeholder input.
• Collaborate with business and IT leaders to define and apply enterprise risk tolerance thresholds.
• Translate technical risk findings into actionable, business-relevant recommendations.
• Identify and escalate systemic risks that could materially impact operations or compliance.
• Monitor industry trends, threat intelligence, and regulatory changes to adjust risk posture.
• Deliver clear, timely risk reports and dashboards to senior leadership and governance bodies.
• Implement structured risk governance processes, including review cycles and escalation protocols.
• Implement automated GRC tools and data analytics to improve cybersecurity risk management efficiency and accuracy.
• Develop KPIs and KRIs for the security organization and maintain tactical and strategic dashboards to monitor risk and compliance efforts.
• Oversee GRC team operations, assigning work, setting priorities, and ensuring effective collaboration.
• Partner with senior leadership and business stakeholders to align GRC efforts with enterprise goals.
• Foster a high-performing, collaborative team culture through coaching, accountability, and career development.
• Lead collaboration with IT and business leaders to identify mission-critical applications and conduct comprehensive BIA, define RTO/RPO, and recovery procedures.
• Develop dependency mappings for critical systems with application and infrastructure teams.
• Oversee documentation of recovery procedures, including technical and business continuity procedures.
• Lead tabletop exercises and failover/failback recovery testing with IT and business users.
• Identify gaps in the BC/DR program and take ownership of remediation.
• Ensure business continuity objectives are effectively aligned with IT capabilities to support organizational resilience during disruptions.
• Contribute to recovery planning efforts and facilitate coordination among IT and business teams to ensure effective response during disruptions.
• Partner with the procurement and legal teams to integrate cybersecurity function into the overall process, mitigating supply chain risks for the company.
• Manage third-party risk processes, including assessments and reviews. Continuously identify opportunities for improvement to enhance its effectiveness and efficiency
• Escalate high-risk vendor issues to leadership and work with business stakeholders to develop and execute mitigation plans.
• Oversee monthly reporting on security assessments of AI vendors, provide expert analysis to leadership on AI-related risks and recommend strategic actions to resolve identified issues.
• Establish and manage a comprehensive set of criteria and assessment questions to support third-party risk management activities.
• Own vendor incident response governance program and playbooks.
• Ensure vendors provide formal evidence of incident containment and remediation and ensure compliance with security requirements before closing a third incident.
• Consolidate third party incident and GRC-owned MSSP results into executive dashboards.
• Embed incident response obligations into contracts and procurement.
• Oversee internal/external audit readiness and evidence collection.
• Ensure compliance with SOX, PCI, and privacy frameworks.
• Serve as audit liaison for the GRC function.
• Act as the primary contact for internal audit and take ownership of recreating risk and compliance assessment findings.
• Manage the policy lifecycle from creation through enforcement.
• Ensure policies align with frameworks like NIST and PCI DSS.
• Ensure the organization adheres to all relevant policies and standards.
• Manage company-wide security training programs.
• Strategically identify education and awareness needs based on enterprise-wide cybersecurity threats and business priorities.
• Establish metrics to evaluate the success of training initiatives, including trends in knowledge retention, behavior changes, and overall effectiveness of the security culture.
• Oversee continuous improvement of the training curriculum, ensuring it evolves to address new threats and compliance requirements.

Benefits

• $115-170K/yr + 10% annual bonus
• Willing support relocation
• Medical coverage options (Value Plan, Basic Plan, Plus Plan, Consumer Driven Plan (CDP) with Health Savings Account (HSA))
• Prescription drug coverage included
• Access to 24/7 telemedicine
• Access to the Aetna Choice POS II network of providers
• Assistance finding in-network providers via Care Coordinators by Quantum Health