IT/OT GRC Program Manager

FuelCell Energy, Danbury, CT
$135,000 - $152,000, Hybrid

About The Position

FuelCell Energy is a global leader in decarbonizing power and producing hydrogen through our proprietary fuel cell technology. Our mission is to enable a world powered by clean energy. As an innovator and manufacturer of fuel cell clean power platforms, FuelCell Energy has the only technology in the world capable of capturing carbon from an external source and producing power at the same time. In addition, we offer the only technology in the world capable of producing hydrogen, power and water simultaneously. We are seeking a strategic and hands-on IT/OT Governance, Risk, and Compliance (GRC) Manager to define, enforce, and validate security standards across our IT, OT, and Product environments in a highly regulated industry. Reporting to the Senior Director of Cybersecurity, you will bridge the gap between regulatory policy and engineering reality, translating frameworks such as CIP, NIST CSF and IEC 62443 into executable controls that align with secure-by-design principles. You will move beyond theoretical compliance to active assurance: conducting mock audits, managing third-party risk, and rigorously validating policies and controls in order to maintain a continuous state of security compliance.

Requirements

  • Education: Bachelor’s degree in IT, Cybersecurity, Engineering, or related field (or equivalent experience).
  • Certifications: ISACA CISA / CISM / CRISC; ISC2 CGRC (or equivalent GRC credential); IEC/ISA 62443-focused training/certificates.
  • Experience building policies/standards, control frameworks, and audit evidence packages.
  • Experience working cross-functionally with IT, OT/Engineering, Operations, Legal/Compliance, and vendors.
  • 7+ years in governance, risk, compliance, audit, or IT/OT controls in highly regulated environments.
  • Candidate must have demonstrable knowledge/experience in:
      • IT/OT governance program design and execution (standards, procedures, controls, RACI/RASIC).
      • Risk management and control mapping (IEC 62443/NIST CSF alignment; understanding of OT constraints).
      • Change governance and control conformance across sites (managing exceptions, deviations, and validating compensating controls).
      • Strong stakeholder management, facilitation, and conflict resolution (ownership clarity, accountability).
      • Audit readiness and evidence management (ITGC/ITAC-style controls, SOX discipline, documentation rigor).
      • Program management: milestones, reporting, KPI tracking, continuous improvement.

Responsibilities

  • Product Security Governance (Build + Operate): Partner with product and engineering teams to embed “secure-by-design” requirements into the product lifecycle, so our delivered systems are positioned to comply with governing regulatory requirements.
  • Strategic Framework Leadership (IT + OT): Lead the execution of the CIP, NIST (IT), IEC 62443 (OT) programs by establishing clear ownership and accountability for compliance targets. Actively assess organizational capabilities and recommend necessary staffing, training, or resource adjustments for program success to leadership.
  • Develop & Validate Security Baselines: Formulate and govern the technical security standards for the enterprise. Responsible for the full lifecycle of compliance, from defining control requirements to assuring alignment via onsite inspection and independent verification.
  • Drive Corrective Action Management: Own the centralized tracking of all audit findings, risk acceptances, and remediation plans (CAPA). Enforce strict timelines for remediation with system owners and escalate issues to leadership.
  • Operationalize Compliance: Bridge the gap between policy and practice by translating regulatory requirements into executable operational procedures, working directly with engineers to configure, implement, and validate controls.
  • Assure Audit Defense & Readiness: Serve as the primary lead for all internal and external audits. Maintain a continuous state of audit readiness by personally curating evidence repositories and validating artifact quality.
  • Execute Internal Assurance Testing: Conduct hands-on "mock audits" and control self-assessments across all sites. Proactively identify and close non-compliance gaps to mitigate the material risk of a cyber event.
  • Manage Third-Party Risk (TPRM): Execute the technical vetting of IT/OT suppliers. Directly review vendor security posture and enforce remediation of identified risks or formal risk acceptance prior to contract execution.
  • Risk Visibility & Reporting: Translate technical compliance data into business-risk reporting. Provide the Director and CIO with accurate, validated metrics on risk burn-down and compliance posture backed by data.
  • Administer GRC Software & Automation: Manage the configuration and maintenance of GRC platforms, services, and workflows to automate evidence collection, minimizing manual reporting overhead for technical teams.
  • Manage Security Awareness & Training: Develop and deliver role-based security training content (e.g., lockout/tagout digital safety, password hygiene) to ensure engineering and operations teams understand their specific compliance obligations.
  • Proactive Enterprise Risk Management: Lead ongoing risk identification, assessment, and prioritization across IT and OT environments, including threat modeling, maintenance of a centralized risk register, and integration of threat intelligence; conduct periodic comprehensive risk assessments to inform mitigation strategies and resource allocation.
  • OT Asset Management & Architecture Governance: Oversee or partner with engineering teams to maintain an accurate OT asset inventory, define network zones and conduits per IEC 62443 requirements, and govern segmentation/architecture decisions to ensure foundational security controls are in place for effective risk management and compliance.
  • Incident Response Integration & Lessons Learned: Collaborate with Security Operations and Incident Response teams to incorporate incident findings, root cause analyses, and lessons learned into the GRC program; ensure compliance-related reporting obligations are met and drive control enhancements or policy updates based on incident trends.

Benefits

  • We offer a competitive compensation package as well as comprehensive benefits including medical, dental, vision, company-paid life/disability insurance, 401(k) plan, employee stock purchase plan, and generous paid leave.