Information Security GRC Program Senior Manager

About The Position

Requirements

• Bachelor’s degree in Information Security, Risk Management, Business, IT, or a related field (or equivalent experience).
• 8+ years of progressive experience in information security governance, risk, compliance, audit, or related disciplines.
• 3+ years of people management experience (direct reports) with demonstrated ability to build, coach, and scale a high-performing team.
• Demonstrated success leading cross-functional programs and driving accountability without direct authority.
• Strong understanding of security governance and control frameworks (e.g., NIST CSF, ISO 27001, CIS Controls) and experience mapping controls to regulatory obligations.
• Proven experience managing audits/regulatory exams, evidence, control testing/validation, and issue remediation governance.
• Excellent written and verbal communication skills; ability to translate control and compliance topics into business risk and outcomes.

Nice To Haves

• Experience in financial services and/or insurance regulatory environments.
• Familiarity with NYDFS cybersecurity regulation, PCI DSS, and privacy/security requirements applicable to customer data.
• Certifications: CISSP, CISM, CRISC, CISA, ISO 27001 Lead Implementer/Lead Auditor, or similar.
• Experience implementing or operating GRC tooling and building KPI/KRI dashboards.

Responsibilities

• Lead, coach, and develop a team of GRC professionals; set goals, performance expectations, and development plans aligned to program outcomes.
• Establish operating rhythms, playbooks, and quality standards for control documentation, testing/validation, evidence management, and reporting.
• Manage team capacity and prioritization against enterprise commitments (audits, exams, strategic initiatives, remediation).
• Own the Information Security GRC operating model, including control governance, control testing/validation cadence, evidence management, and exception management.
• Maintain and mature the security control framework and control library; ensure alignment to applicable regulatory and contractual requirements (e.g., insurance regulators, NYDFS, SOX ITGCs, Bermuda Cyber Code of Conduct, PCI DSS, privacy/security obligations).
• Govern the policy lifecycle (reviews, approvals, publication, training/attestation inputs, and adoption tracking) and ensure alignment between policy, standards, and procedures.
• Serve as the senior security lead for internal/external audits, regulatory exams, and assurance activities.
• Coordinate evidence collection, response narratives, and stakeholder alignment; ensure timely delivery and consistency across requests.
• Own the lifecycle of audit/exam issues: intake, triage, assignment, remediation plans, due dates, escalation, validation, and closure.
• Drive remediation governance for security findings, control gaps, and formal commitments; monitor execution and remove blockers through structured escalation.
• Validate remediation completion and evidence quality prior to closure; reduce repeat findings by ensuring root causes are addressed.
• Develop and maintain KPIs/KRIs and executive-ready reporting on control health, audit readiness, open issues, remediation status, and program maturity.
• Present decision-grade updates to the CISO and governance forums; support Board/Risk Committee reporting with clear themes, trends, and required decisions.

Benefits

• This job is eligible for an annual discretionary bonus, equity, and Kemper benefits (Medical, Dental, Vision, PTO, 401k, etc.)