About The Position

Our Fortune 500 company is driving a digital transformation and looking for forward-thinking innovators to disrupt how our industry thinks about and uses technology. As one of the world's leading employee benefits providers, we help millions of people gain affordable access to benefits that help them protect their families, their finances and their futures. Are you an asker of questions, a solver of problems, and a challenger of the status quo? Our mission is to provide a differentiated customer experience and exceed the expectations people have of technology at any company — not just insurers.

We are seeking individuals to join our team of talented IT professionals who share never-ending passion and an unwavering focus on our customer experience. Team members comfortable working in an agile, fast-paced, and delivery-focused environment thrive in our environment where we value an entrepreneurial spirit and those who challenge the status-quo. Unum is changing, and we’re excited about what’s next. Join us.

General Summary: The Manager - Information Security Policy and Controls Governance is responsible for strategic enhancement and day-to-day operation of key governance, risk, and compliance capabilities, including policy and standards governance, enterprise and application-level risk assessments, and controls management and attestation programs. This role will oversee the full lifecycle of governing documents, manage policy exceptions, coordinate external and regulatory assessments, and ensure strong alignment between security controls and regulatory requirements. The manager will also drive consistent, timely issues management across all domains. This leader will partner closely with stakeholders across the organization to mature processes, strengthen compliance posture, and ensure effective, repeatable execution of GRC activities. They will manage a small to mid-size team of IT security and risk management professionals.

Requirements

  • Bachelor's degree in computer science, or relevant technical experience
  • Has 5+ years of experience in an IT Risk Management field, or equivalent relevant work experience
  • Has a security technology background with strong knowledge of relevant technical security disciplines
  • Exhibits courage by taking smart risks and encouraging others to do so; empowers innovative approaches by motivating others to be proactive and resourceful
  • Able to effectively coach, mentor, identify, and address skills needs and gaps
  • Proficient in methods and techniques for running effective meetings and for understanding and influencing the roles played by participants
  • Displays good interpersonal skills at all levels of contact and in a wide variety of situations, able to listen and influence, and to relate to customers in their own language
  • Demonstrates the ability to champion change and support teams through change
  • Demonstrates the ability to think critically, challenge conventional thinking and generate and apply unique business insight to create competitive advantage for the organization
  • Has solid knowledge of regulations, including GLBA, HIPAA, GDPR, CCPA, and other cyber security regulatory compliance requirements and related programs
  • Has in-depth knowledge of security and control frameworks such as the NIST Cybersecurity Framework, NIST SP 800-53, ISO 17799/27001, COBIT, and ITIL

Nice To Haves

  • CRISC, CISSP, CISM, CISA, and other security related certifications are a plus

Responsibilities

  • Oversees and evaluates the delivery and effectiveness of the organization's policy governance, risk assessments, control attestation, and issues management capabilities, taking action to address performance or quality gaps as needed.
  • Ensures the team maintains a well‑defined, risk‑aligned backlog of work that advances program maturity and meets regulatory, audit, and business needs.
  • Guides team members in prioritizing assessments, policy lifecycle activities, and control-related work based on risk, business value, and regulatory timelines.
  • Proactively removes obstacles and operational roadblocks that hinder timely completion of assessments, attestations, and governance processes.
  • Partners with business and technology stakeholders to translate security, compliance, and risk management objectives into actionable work items.
  • Ensures best‑practice execution, including structured assessment methodologies, clear control documentation, consistent issue tracking, adherence to policy standards, and high‑quality evidence collection.
  • Encourages creativity and continuous improvement in maturing governance, assessment, and control processes; fosters a culture of innovation within the team.
  • Uses operational metrics, assessment cycle data, and workflow insights to understand team performance and drive process efficiency.
  • Partners with leadership to ensure strong talent is in place to support the organization’s governance, risk and compliance obligations.
  • Mentors, coaches, and motivates team members to elevate their GRC expertise, business partnership skills, and overall performance.
  • Identifies skill gaps related to risk frameworks, regulatory requirements, control design, and assessment techniques, ensuring development plans address these needs.
  • Promotes cross‑training and shared ownership of GRC functions to reduce single‑points‑of‑failure and increase team resilience.
  • While accountable for the team’s output, actively cultivates a self‑organizing, autonomous, and collaborative team that consistently demonstrates accountability and continuous improvement.
  • Conducts regular 1:1s and development discussions to monitor progress, reinforce strengths, and close skill gaps.
  • Collaborates with peers to evaluate the effectiveness of resourcing models, proposing enhancements to better support team operations.
  • Maintains a strong understanding of emerging regulatory trends, risk frameworks (e.g., NIST CSF, HIPAA, SOC, ISO), and control expectations to inform program improvements.
  • Reinforces disciplined prioritization by ensuring the team focuses on the highest‑value, highest‑risk activities and commitments.
  • Designs and operates GRC processes with partner teams’ knowledge and needs in mind, ensuring risk governance activities are clear, intuitive, and easy to complete.

Benefits

  • onsite fitness facilities
  • generous paid time off
  • employee professional development programs
  • healthcare benefits (health, vision, dental)
  • insurance benefits (short & long-term disability)
  • performance-based incentive plans
  • paid time off
  • 401(k) retirement plan with an employer match up to 5% and an additional 4.5% contribution whether you contribute to the plan or not

What This Job Offers

Job Type

Full-time

Career Level

Manager

Number of Employees

5,001-10,000 employees
