Senior Manager, Governance, Risk & Compliance (GRC) and Third-Party Security Risk

About The Position

Requirements

• Expertise in ISO 27001 implementation and audit lifecycle management.
• Deep understanding of NIST CSF, NIST SP 800-171, and control mapping across frameworks.
• Strong program management skills with ability to define, track, and report a portfolio of compliance and risk initiatives.
• Experience developing dashboards and reporting mechanisms for risk, remediation, and control maturity tracking.
• Proficiency in designing and operating third-party risk programs covering assessments, control validation, and ongoing monitoring.
• Capability to translate technical security findings into clear business impact.
• Advanced written and verbal communication for executive-level reporting and board-facing deliverables.
• Familiarity with hybrid enterprise environments (on-premises, SaaS, cloud platforms).
• Bachelor's degree in Information Security, Computer Science, Cybersecurity, or a related field.
• Minimum 10 years of experience in information security, with at least 5 years focused on governance, risk, and compliance or third-party/vendor risk management.
• Proven leadership in managing enterprise-wide compliance programs and coordinating audits or certifications.
• Demonstrated success implementing ISO 27001 and NIST frameworks across complex, distributed enterprises.
• Experience building and maintaining structured tracking and reporting frameworks for compliance and vendor risk portfolios.
• Prior experience engaging with procurement, supply chain, and legal teams to manage third-party risks.
• Track record of building executive reporting that demonstrates measurable risk reduction and maturity improvement.
• Strategic thinking and the ability to align cybersecurity governance with business objectives.
• Analytical rigor with high attention to detail and accuracy.
• Excellent organizational skills with ability to manage multiple concurrent projects.
• Collaborative leadership with cross-functional influence.
• Clear communication-able to distill complex data into actionable insights.
• Accountability and ownership of deliverables in a fast-paced, global environment.
• Continuous learning mindset and adaptability to emerging security frameworks and technologies.
• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)
• ISO 27001 Lead Implementer or Auditor

Nice To Haves

• Experience with GRC tooling (e.g., Archer, ServiceNow GRC, OneTrust, or similar).
• Background in global manufacturing or high-tech supply chain environments.
• Knowledge of privacy frameworks (GDPR, CCPA) and data protection practices.
• Working knowledge of secure software development lifecycle (SDLC) and DevSecOps principles.
• Familiarity with cybersecurity metrics automation and business intelligence visualization tools.
• Master's degree preferred.
• CRISC (Certified in Risk and Information Systems Control)
• CCSP (Certified Cloud Security Professional)
• CISA (Certified Information Systems Auditor)

Responsibilities

• Lead and maintain Lumentum's global information security compliance program across ISO 27001:2022, NIST CSF, and NIST SP 800-171.
• Develop and maintain structured frameworks for tracking compliance initiatives-defining project milestones, owners, dependencies, and measurable outcomes.
• Build and maintain dashboards and executive reports summarizing project progress, audit results, remediation status, and control maturity.
• Coordinate internal and external audits, certification renewals, and third-party assessments.
• Partner with enterprise risk management, audit, IT, and operations teams to integrate GRC processes into broader corporate governance.
• Ensure security controls are maintained across both on-prem and cloud/SaaS environments.
• Design, implement, and lead a global third-party risk management (TPRM) program encompassing suppliers, service providers, and strategic partners.
• Define and maintain vendor security assessment frameworks, control baselines, and onboarding/off-boarding requirements.
• Track and report on vendor coverage, risk remediation progress, and control maturity metrics.
• Establish continuous monitoring mechanisms to identify new or emerging vendor threats.
• Collaborate with Procurement, Legal, and Supply Chain to embed security controls in vendor contracts and lifecycle processes.
• Lead response coordination for vendor-related security incidents impacting Lumentum operations or data.
• Partner with IT, Supply Chain, Operations, Legal, and regional teams to align governance and risk management with business objectives.
• Guide cross-functional teams through remediation and risk reduction initiatives.
• Mentor and develop team members, fostering a culture of accountability, continuous improvement, and measurable progress.
• Present program performance and maturity metrics to executive leadership.