Lead, Information Risk and GRC

Royal Caribbean Cruises Ltd, Miami, FL
Onsite

About The Position

Royal Caribbean Group's IT-Global Information Security Team has an exciting career opportunity for a full-time Lead, IS Third Party Risk Management reporting to the Sr Mgr, CyberSecurity Risk Management. The position is onsite and based in Miramar, Florida. We are seeking a highly skilled and experienced Lead, Information Risk and GRC with a strong emphasis on Third-Party Risk Management (TPRM) to join the Global Information Security (GIS) team. The ideal candidate will bring deep expertise in managing third-party cyber risk across the vendor lifecycle and enhancing GRC and TPRM programs and platforms.

Requirements

  • Bachelor's degree in Information Technology/Security or Computer Science is preferred; non-technical degrees with Computer Science fundamentals will be considered when combined with technology experience.
  • At least one Information Security certification such as CISSP, CCSP, CEH, CRISC, GIAC, CISM, etc. required.
  • 5-7 years of experience in Information Security, Information Technology, Risk, Audit, and/or a combination of these.
  • 5-7 years of managing projects and/or teams.
  • 2-5 years of experience in GRC platform development.
  • Proficiency in GRC platforms (e.g., RSA Archer, ServiceNow GRC, MetricStream) and risk assessment tools.
  • Strong understanding of information security frameworks (e.g., NIST CSF, ISO 27001).
  • Deep understanding of cyber risk management principles, threat modeling, and risk mitigation strategies.
  • Strong analytical and problem-solving skills. Ability to assess risks, identify solutions, and make data-driven decisions.
  • Executive level written and verbal communications required. Ability to effectively communicate complex security concepts to both technical and non-technical audiences.
  • Takes initiative and anticipates needs before they arise.
  • Pays close attention to detail while maintaining a big-picture perspective.
  • Works well with others and contributes to a positive team culture.
  • Thrives in a fast-paced, dynamic environment.

Nice To Haves

  • Previous experience in a lead or managerial role is highly desirable.

Responsibilities

  • Lead and mature the organization’s Third-Party Risk Management (TPRM) program, ensuring alignment with business objectives, vendor strategies, and regulatory requirements.
  • Oversee the end-to-end third-party risk lifecycle, including: vendor onboarding and inherent risk tiering; security due diligence (cyber risk assessments); continuous monitoring and reassessment; offboarding and risk closure.
  • Define and enhance third-party risk methodologies, including: risk scoring models; standardized assessment templates; control validation and evidence review processes.
  • Prioritize and assess vendor-related cyber risks, ensuring appropriate mitigation strategies, compensating controls, and risk acceptance processes are implemented.
  • Provide executive-level reporting on third-party risk posture, including: critical vendor risk exposure; concentration risk insights; remediation progress and SLA adherence.
  • Partner with Sr. Director and Sr. Manager to define the strategic roadmap for GRC and TPRM platforms, ensuring scalability and alignment to enterprise risk management needs.
  • Lead configuration and optimization of TPRM workflows within platforms such as ServiceNow GRC / Archer / MetricStream: intake workflows; automated risk scoring; evidence tracking; issue remediation workflows.
  • Identify automation opportunities to improve: vendor onboarding cycle time; assessment throughput; reporting and dashboards.
  • Oversee ongoing platform maintenance, enhancements, and user adoption across business units.
  • Develop and maintain third-party risk policies, standards, and procedures.
  • Ensure cyclical policy reviews with CISO, CIO, and senior leadership, with updates reflecting evolving supply chain threats.
  • Act as SME for third-party risk during audits, regulatory reviews, and internal risk councils.
  • Partner with Procurement, Legal, Privacy, and Business Owners to embed security requirements in vendor selection and contracting.
  • Provide guidance and training to stakeholders on third-party risk processes and expectations.
  • Support escalation management for high-risk or non-compliant vendors.

Benefits

  • Competitive compensation and benefits package
  • Excellent career development opportunities