Manager, Cybersecurity Policy, Risk & Governance

About The Position

Requirements

• Proficiency in Microsoft Office Suite (Word, Excel, PowerPoint, Visio, Project, Outlook, SharePoint).
• Expertise in designing and delivering GRC programs and cybersecurity governance frameworks.
• Strong understanding of global cybersecurity laws, regulations, and standards (e.g., NIST CSF & RMF, ISO 27001, TISAX, AirCyber).
• Ability to interpret and apply regulatory requirements to policy development and risk mitigation strategies.
• Skilled in risk tracking and analysis using tools such as risk registers.
• Strong analytical and decision-making capabilities based on data and cybersecurity trends.
• Experience in incident response planning and governance issue resolution.
• Exceptional communication and presentation skills for both technical and non-technical audiences.
• Proven ability to influence and collaborate across all organizational levels without direct authority.
• Experience presenting to executive leadership and boards.
• Deep understanding of IT systems, infrastructure, and cybersecurity technologies.
• Demonstrated leadership, problem-solving, and change management skills in a global, decentralized environment.
• Bachelor’s degree in business administration, Cybersecurity, Management of Information Systems (MIS), or a related field from an accredited institution.
• At least 5 years of experience leading cybersecurity programs, including 2+ years in cyber governance and risk management in a global organization.
• At least one Industry certifications such as CISSP, ISO 27001, CMMC CCP or equivalent.
• Must be legally authorized to work in the United States without sponsorship.

Nice To Haves

• Juris Doctor (JD) in Cyber Law, Intellectual Property Law, or related governance field.
• Advanced certifications: CMMC CCA, CISM, ISO 27001 Lead Implementer, ITIL, CRISC, GRC, or CISO-level credentials.
• Experience leading global cyber governance programs in a complex enterprise environment; preferably in a manufacturing environment

Responsibilities

• Align cybersecurity governance strategy with Howmet’s strategic priorities, business strategies, and standard processes.
• Partner with Global Information Services (GIS) directors/teams and functional groups (HR, Legal, Privacy, Trade Compliance, EHS, etc.) to standardize and evolve cybersecurity posture.
• Consult with Business Unit (BU) and Functional Area Leaders to assess governance and risk needs, delivering impactful programs in policy development, training, mentorship, and risk management.
• Lead the global governance and risk management process to support cybersecurity maturity and performance alignment.
• Build, lead, and mentor a high-performing cyber governance & risk team, fostering innovation and accountability.
• Design and deliver training, communications, and tools to support cybersecurity initiatives across GIS and BU teams.
• Develop and implement change management strategies to support adoption of new cybersecurity policies and practices.
• Provide organizational maturity assessments and interventions to enhance cybersecurity capabilities.
• Monitor industry trends, conduct benchmarking, and recommend solutions aligned with Howmet’s cybersecurity strategy.
• Collaborate with CIS teams to align business processes and technology platforms for optimal governance and risk outcomes.
• Support the CISO in strategic planning, compliance certifications (e.g., CMMC, ISO 27001), and regulatory interpretation (e.g., NIST 800-171, NIS2, UK Cyber Essentials).
• Create and manage procedures, work instructions, and contribute to corporate cybersecurity policies and standards.
• Track and report performance metrics to guide program investments and continuous improvement.
• Oversee internal teams and external vendors to meet governance and risk objectives within budget and timelines.
• Represent CIS in cross-business planning initiatives and support CISO in governance-related audits, customer inquiries, and leadership engagements.
• Serve as a leadership proxy for the CISO when required.