Security Governance Risk and Compliance Manager

Cleary Gottlieb Steen & Hamilton LLP
Washington, DC
$205,000 - $225,000
Hybrid

About The Position

Cleary Gottlieb is a pioneer in globalizing the legal profession with 14 offices worldwide, operating as a single, integrated global partnership. The firm employs approximately 1,100 lawyers from over 50 countries. Since 1946, the firm has provided clients with simple, actionable approaches to complex legal and business challenges.

The Security Governance, Risk, and Compliance (GRC) Manager, reporting to the Director of Information Security, is crucial for safeguarding the firm's data and meeting client security requirements. This role encompasses Client Security Assessment Management, ISO 27001/27701 Program Management, and Internal GRC Program and Audit Management. As a senior contributor, this role will also create updated Security Awareness training materials. While the role is expected to manage personnel as needed for GRC tasks, it is initially an individual contributor role. The GRC Manager must ensure security GRC policies and procedures are up-to-date and professionally written, collaborating with other IT departments. This role works closely with other GRC-adjacent security roles and requires significant security expertise.

The role will be the primary point of contact for client security assessment requests, managing the end-to-end process, including questionnaire completion and evidence curation, utilizing an AI-assisted platform (Vanta). This role interfaces with the Risk Department to delegate questions and determine appropriate responses. As the ISO ISMS/PIMS Coordinator/SME, this role is responsible for preparing ISPF meeting agendas and minutes, working with auditors, performing annual Risk Assessments, gathering performance metrics, and managing continuous improvements. This role is supported by a third-party consulting company. The GRC Manager is also critical in developing the Security Awareness Program, including custom training videos and phishing simulations, and staying current with cybersecurity news.

The role will interface with IT Leadership and other departments to answer questions and inform the firm's Information Security strategy. The GRC Manager is a full-time member of the Information Security Department, collaborating with other security roles to enhance core program elements. Cleary Gottlieb is a preeminent law firm known for its collaborative environment, leading the legal industry in cloud and AI technologies, offering unmatched flexibility for hybrid work and a downtown office.

Requirements

  • Bachelor's degree in Information Systems, Information Security, Risk Management, or a related field.
  • At least 5 years of experience managing an ISO 27001 or SOC 2 certification program.
  • Proven experience in governance, risk management, or compliance roles.
  • In-depth knowledge of relevant industry regulations and standards.
  • Strong analytical and problem-solving skills.
  • Excellent communication and interpersonal skills applied across various levels of technical expertise and management.
  • Ability to work collaboratively in a team and influence stakeholders at various levels.

Nice To Haves

  • Master’s degree in Cybersecurity Risk and Strategy, or a related field is a significant plus.
  • Relevant certifications (e.g., CISA, CRISC, CISSP, PMP) are a significant plus; if not presently held, one or more should be attained within 1 year of starting in the role.

Responsibilities

  • Act as the primary point of contact to track, triage, and provide a professional response to incoming client assessments/audits, RFPs, and Outside Counsel Guidelines.
  • Delegate, oversee, and upskill other members of the Information Security Team in handling these assessments.
  • Own and govern the standard answer and evidence bank that ensures a consistent response to these client assessment requests.
  • Ensure that all material findings are tracked and escalated to Information Security Department management.
  • Work within IT, and to a lesser extent with other departments within the Firm, to remediate control gaps and assemble evidence.
  • Work with external consultants to prepare ISPF meeting agendas, metrics, and other artifacts for review by ISMS-PIMS leadership.
  • Lead essential ISO 27001 and ISO 27701 activities such as our annual risk assessment, BCP tabletop exercises, and other periodic compliance checks (privileged account reviews, vulnerability assessments).
  • Prepare for and lead annual internal and external ISO audits by reviewing all in-scope assets and required controls, and preparing the evidence required to competently demonstrate our program through the entire audit process.
  • Provide senior guidance and awareness of our GRC program to partnering departments (e.g., Risk, Procurement, Operations).
  • Within the Information Technology Department, continue to develop a set of manageable controls that help support compliance with our clients' security requirements, such as:
      • Producing privileged account management oversight controls.
      • Producing data loss prevention oversight controls.
      • Producing threat and vulnerability management oversight controls.
  • Develop and update policies and procedures to address evolving regulatory requirements.
  • Maintain a comprehensive repository of policies, ensuring accessibility and understanding across the organization.
  • Phishing Simulation Program Management: Lead and manage the firm’s quarterly phishing simulation campaigns to assess and enhance employee awareness of social engineering threats. Analyze simulation results, track metrics over time, and report findings to IT leadership, including recommendations for targeted training and awareness initiatives.
  • Cybersecurity Training Program Management: Ensure annual review and refresh of cybersecurity training content to ensure alignment with current threat landscapes, regulatory requirements, and Firm policies. In partnership with the IT Training Team, track training completion rates and evaluate the effectiveness of training materials, recommending updates as necessary to maintain employee awareness and compliance.
  • Manage and deliver weekly compliance updates to senior leadership, synthesizing key metrics from threat management tools, security reviews, client assessments, and relevant external threat intelligence into actionable strategic recommendations.

Benefits

  • health care benefits