Reporting directly to the Firm's Director of Information Security, the Security Governance, Risk, and Compliance (GRC) Manager is an essential position in safeguarding our Firm's data and meeting clients' security requirements. This role spans at least three pillars of our GRC program: Client Security Assessment Management, ISO 27001/27701 Program Management, and Internal GRC Program and Audit Management. As a senior contributor within the Information Security Department, this role will take on additional responsibilities to support the team's mission, such as creating updated Security Awareness training materials. This role is expected to direct other personnel within and outside the Information Security Department as required to gather and document up-to-date information about security controls, close gaps and findings, and perform audits; however, initially this role will not have any direct reports and is considered an individual-contributor manager role at this time. This role must ensure that all security GRC policies and procedures remain up to date and professionally written amidst a period of tremendous change, and must work with other IT departments to do so. This role works closely with other GRC-adjacent security roles, including a third-party risk specialist, our security operations analyst, and our security engineering team, and is expected to have a significant amount of security-related expertise. As needed, this person may draw on the availability of other team members to complete recurring tasks, such as first-pass questionnaire completion. This role will be our Firm's primary point of contact for ongoing client security assessment requests, which are estimated at 100+ such requests throughout the year, and range from full 150+ question questionnaires to minor vulnerability attestation requests.
These assessments involve handling the end-to-end process with the client compliance teams, and require a friendly demeanor coupled with deep expertise in our security program to guide each assessment through an initial response, detailed completion of security questionnaires, curation of evidence, and review meetings to step through evidence and findings. Critically, this role must ensure that the answer bank in our AI-assisted questionnaire automation platform (Vanta) remains up to date and is used to accelerate accurate completion of assessment requests. Note that this role routinely interfaces with our Risk Department (Office of the General Counsel) to delegate specific questions and determine the appropriate response in the context of the client relationship. As the official ISO ISMS/PIMS Coordinator/SME, and a full-time member of our Information Security and Privacy Forum (ISPF), this role is responsible for preparing all ISPF bi-monthly meeting agendas and minutes, working with auditors to schedule internal and external audits, performing annual Risk Assessments, gathering and reporting performance metrics, and managing an extensive queue of continuous improvements that are aligned to risk themes and control domains. This is a strategic program-management-level responsibility that works closely with the Director of Information Security to ensure that these improvements are prioritized and produce the expected results. Note that the entire ISMS/PIMS is supported by a third-party consulting company, and this role is not expected to operate alone without this important resource. Alongside the Director of Information Security, this role is also critical in developing our Security Awareness Program, including custom training videos and managing our phishing simulations. This role is expected to stay current with emerging cybersecurity news and to incorporate emerging themes into this program as necessary.
This role will regularly interface with the Firm's Risk Department and IT Leadership, as well as other departments as required, to answer questions effectively. By taking in feedback from our clients' auditors, this role will be pivotal in informing the Firm's Information Security strategy in a measured manner. The GRC Manager is a full-time member of the Firm's Information Security Department. They will collaborate with Senior Security Engineers, Security Operations Analysts, and Security Specialists to enhance core program elements, including incident response, assimilation of threat intelligence, vulnerability management, third-party risk management, and continuous compliance processes. Cleary Gottlieb is a preeminent law firm that prides itself on providing an extremely collaborative and collegial environment that is perfect for your career growth. We are leading the legal industry in the use of cloud and AI technologies and would love for you to join our team. We offer unmatched flexibility for hybrid work, as well as a lovely office downtown where you can meet and work alongside your peers in Information Technology.
Job Type
Full-time
Career Level
Senior