Senior Director, IT & Security GRC

About The Position

Requirements

• Bachelor's degree in Business Administration, Accounting, Finance, Operations, Computer Science, Information Technology, Cybersecurity, or a related field; advanced degree (MBA, MS) preferred.
• Minimum 12+ years of progressive experience in technology risk, IT audit, GRC, or information security, with at least 7+ years leading and developing high-performing teams.
• Deep, hands-on expertise across SOX IT General Controls, technology risk management, control design, and the IT audit lifecycle within a complex public company environment.
• Strong understanding on AI risk management with practical experience working with AI solutions.
• Demonstrated experience designing and operating GRC programs aligned to NIST CSF 2.0, COBIT 2019, COSO 2013, ISO 27001, and MITRE ATT&CK.
• Proven track record of executive- and Board-level communication, including authoring risk narratives, committee materials, and Board updates.
• Ability to be a change agent and influence positive outcomes by exercising critical thinking, strategic growth, and a bias toward action.
• Exceptional ability to influence without authority and partner effectively with senior IT, Engineering, Security, Internal Audit, and business leaders.
• Exceptionally strong quantitative and analytical skills, with experience applying formal risk and process improvement practices (e.g., FAIR, NIST 800-30, Lean, Six Sigma).
• Excellent leadership, communication, interpersonal, and presentation skills, with the ability to operate from technical detail to Board-room strategy.
• Ability to work extended hours when needed to meet department, audit, and regulatory deadlines.
• Ability to challenge the status quo, go above and beyond, build and maintain trust, and strive for excellence.

Nice To Haves

• Relevant certifications strongly preferred (e.g., CISA, CRISC, CISM, CISSP, CIA, CGEIT, ISO 42001).
• Preferred 7+ years of experience in the Property Management, Multifamily Housing, SaaS, FinTech, or PropTech industries.

Responsibilities

• Partner with control owners (1st LOD) to mature controls, drive automation, and remediate control deficiencies prior to year-end.
• Monitor compliance of control design and operating effectiveness.
• Build, govern, and continuously evolve the enterprise Technology Risk, Threat, and Control Library, mapped to NIST CSF 2.0, COBIT 2019, ISO 27001, MITRE ATT&CK, and applicable regulatory regimes.
• Establish a unified control taxonomy enabling control rationalization, framework crosswalks, and "test once, satisfy many" efficiencies across SOX, PCI DSS, SOC 1, SOC 2 and NYDFS.
• Demonstrated interest or working proficiency in "vibe coding" and AI-assisted development workflows using tools (e.g., Claude Code, Cursor and GitHub Copilot), sufficient to prototype control automations, evidence collectors, and governance tooling without dependence on engineering backlog.
• Hands-on familiarity with leading Large Language Models (LLMs) (e.g., Anthropic Claude (Opus, Sonnet, Haiku), OpenAI GPT-4/5 and o-series, Google Gemini, Meta Llama, and Mistral), with a practical understanding of model selection trade-offs (reasoning depth, context window, cost, latency, data residency).
• Working knowledge of LLM application patterns — prompt engineering, retrieval-augmented generation (RAG), function/tool calling, agentic workflows, and Model Context Protocol (MCP) and the associated risk, control, and governance implications.
• Familiarity with the AI/LLM risk landscape, including OWASP Top 10 for LLM Applications, NIST AI RMF, ISO/IEC 42001, MITRE ATLAS, and emerging regulatory expectations (EU AI Act, NYDFS AI guidance, state-level AI laws).
• Ability to govern AI responsibly while using it productively leveraging LLMs to accelerate risk assessments, control narratives, policy drafting, audit evidence review, and Board reporting while maintaining accuracy, confidentiality, and IP boundaries.
• Develop and deliver executive ready reporting on technology risk posture, control health, emerging threats, regulatory developments, and remediation progress.
• Serve as a trusted advisor to IT, Information Security and Engineering on technology risk, control design, and regulatory implications of strategic initiatives, including AI/ML, cloud transformation, M&A, and platform migrations.
• Provide proactive risk and control guidance on architecture decisions, technology investments, third-party engagements, and new product capabilities.
• Embed risk and control thinking into enterprise programs and strategic pillars (Innovate, Expand, Protect, Transform), shaping outcomes earlier in the lifecycle.
• Own the enterprise technology risk and control issue lifecycle, including identification, root cause analysis, risk rating, remediation planning, tracking, and closure validation.
• Drive accountability across control owners and remediation owners; escalate aging or critical issues to executive leadership and the Board with clear paths to resolution.
• Maintain a single enterprise issue register with risk-rated, time-bound action plans and trend reporting for governance forums.
• Perform risk assessment on AI agentic solutions.
• Translate risk assessment outputs into actionable risk treatment plans, control improvements, capital and investment recommendations, and executive risk narratives.

Benefits

• Health, dental, and vision insurance.
• Retirement savings plan with company match.
• Paid time off and holidays.
• Professional development opportunities.
• Performance-based bonus based on position.