VP - Cybersecurity Governance, Risk & Compliance

Cardinal Health
$176,400 - $298,320
Onsite

About The Position

Information Security and Risk contributes to Cardinal Health Information Technology, overseeing the effective development, delivery, and operation of computing and information services. This function anticipates, plans, and delivers Information Technology solutions and strategies that enable operations and drive business value. Information Security and Risk develops, implements, and enforces security controls to protect the organization's technology assets from intentional or inadvertent modification, disclosure, or destruction. This job family develops system back-up and disaster recovery plans. The function also conducts incident response, threat management, vulnerability scanning, virus management, and intrusion detection, and completes risk assessments.

The Vice President – Cybersecurity Governance, Risk & Compliance is a senior executive responsible for establishing, leading, and evolving the enterprise-wide cybersecurity governance, risk management, compliance, resilience, and third-party oversight strategy. This individual will ensure that cybersecurity risks are effectively identified, managed, and communicated in alignment with business objectives, regulatory requirements, and enterprise risk frameworks.

The role requires a seasoned leader with deep expertise in cybersecurity GRC, including risk management, regulatory compliance, policy and standards, third-party risk oversight, cyber resilience, disaster recovery, and security awareness. This individual will play a critical role in embedding security and risk-informed decision-making across the business, enabling scalable governance processes, and ensuring organizational readiness for evolving regulatory, operational, and threat landscapes. The ideal candidate brings diverse perspectives gained through leadership experience across multiple organizations, industries, regulatory environments, or large-scale transformation initiatives.

Requirements

  • 12+ years of progressive experience in cybersecurity, risk management, compliance, or information security leadership roles preferred
  • Demonstrated expertise in cybersecurity governance, risk management frameworks, regulatory compliance, and enterprise risk integration
  • Proven experience developing and leading enterprise-wide GRC programs, including risk assessment, compliance, and governance processes
  • Strong understanding of cybersecurity frameworks (e.g., NIST CSF, ISO 27001) and regulatory requirements
  • Demonstrated experience presenting to executive leadership, audit committees, and board members
  • Strong leadership, communication, and stakeholder management skills with the ability to influence across the organization
  • Experience serving in a senior cyber leadership role (e.g., VP, Head of GRC, or equivalent) reporting to a CISO, CIO or CRO
  • Demonstrated experience operating at the executive leadership level, driving strategic outcomes, influencing enterprise risk & governance, and tech compliance discussions with senior executives, boards and regulators
  • Experience in highly regulated industries (e.g., aviation, financial services, healthcare, or government)
  • Advanced degree (MBA, MS in Cybersecurity, Information Systems, or related field) preferred
  • Professional certifications such as CISSP, CISM, CRISC, CISA, or similar
  • Experience implementing or managing GRC platforms and enterprise risk tools

Responsibilities

  • Support CISO in operating a cybersecurity governance program that defines policies, standards, roles, and accountability structures across the enterprise.
  • Serve as an advisor to executive leadership and the board on cybersecurity risk posture, regulatory exposure, and compliance readiness.
  • Establish and maintain governance processes that ensure alignment between cybersecurity initiatives, enterprise risk management, and business objectives.
  • Drive integration of cybersecurity governance into enterprise decision-making, transformation initiatives, and operational processes.
  • Foster a culture of accountability, transparency, and risk awareness across the organization.
  • Maintain and enforce cybersecurity policies and standards aligned with regulatory requirements, industry frameworks, and enterprise objectives.
  • Oversee policy lifecycle management, including development, review, approval, communication, and enforcement.
  • Establish and maintain a centralized controls inventory to track security controls and associated requirements across systems and applications.
  • Ensure effective communication and adoption of policies and standards across business and technology teams.
  • Operationalize a standardized cybersecurity risk management framework, taxonomy, and methodology aligned to enterprise risk management practices.
  • Oversee cyber risk assessments, including identification, evaluation, and prioritization of threats and vulnerabilities.
  • Establish and maintain GRC platform to track risks, remediation activities, and risk ownership across cybersecurity and business teams.
  • Oversee risk response and remediation strategies so that appropriate mitigation plans are developed, executed, and monitored.
  • Partner with Enterprise Risk Management (ERM) to align cyber risks with broader organizational risk frameworks and reporting structures.
  • Oversee cybersecurity compliance programs to support adherence to applicable regulatory, legal, and industry requirements (e.g., SOX, HIPAA, PCI, HITRUST, SOC 2).
  • Establish and maintain processes for internal and external compliance assessments, including audit support, evidence management, and remediation tracking.
  • Oversee internal compliance management efforts to enforce adherence to security policies, standards, and controls.
  • Direct external compliance activities, including customer assessments, regulatory reviews, and third-party audits.
  • Ensure continuous monitoring of the regulatory landscape to proactively adapt compliance programs and controls.
  • Oversee the cybersecurity third-party risk management (TPRM) program, including risk assessments, onboarding, monitoring, and offboarding processes.
  • Establish governance for third-party lifecycle management to ensure risks are identified, assessed, and mitigated throughout vendor engagements.
  • Oversee contract reviews to validate inclusion of security and data protection requirements.
  • Collaborate with internal stakeholders and external providers to develop joint incident response plans and ensure alignment with enterprise security expectations.
  • Drive integration of third-party risk insights into overall cybersecurity risk posture and reporting.
  • Define and lead enterprise cyber resilience strategy, including IT resilience assessments and dependency mapping to identify critical system vulnerabilities.
  • Oversee development and maintenance of disaster recovery (DR) and business continuity plans for IT systems and operational environments.
  • Direct execution of disaster recovery testing and simulation exercises to validate effectiveness of recovery strategies and plans.
  • Oversee crisis management coordination, including establishment of governance structures, escalation protocols, and communication processes for major incidents.
  • Ensure alignment between resilience, incident response, and business continuity strategies.
  • Establish and oversee cybersecurity metrics and reporting frameworks, including KPIs and KRIs, to measure program performance and risk posture.
  • Provide regular reporting and insights to executive leadership and the board to support strategic decision-making.
  • Oversee the design, implementation, and optimization of GRC tools and platforms to enable efficient risk, compliance, and control management.
  • Leverage data analytics to drive transparency, prioritization, and continuous improvement across GRC functions.
  • Support and oversee the enterprise-wide cybersecurity training and awareness programs to promote secure behaviors and risk awareness.
  • Oversee role-based and executive training initiatives to ensure accountability and understanding of cybersecurity responsibilities.
  • Direct phishing simulation programs and awareness campaigns to strengthen organizational resilience against social engineering threats.
  • Promote continuous learning and capability development across cybersecurity and business teams.
  • Partner with business units, IT, legal, audit, and compliance teams to embed cybersecurity governance, risk, and compliance practices into business operations.
  • Serve as a liaison between cybersecurity and enterprise stakeholders to ensure alignment on risk priorities and compliance requirements.
  • Collaborate with security architecture and engineering teams to ensure solutions align with established security standards and policies.
  • Drive consistent communication, reporting, and alignment across global cybersecurity and business teams.
  • Build and lead a global GRC organization with capabilities spanning risk management, compliance, resilience, third-party risk, and governance.
  • Develop team capabilities through coaching, structured career development, and role-based training.
  • Drive continuous improvement of GRC processes, frameworks, and tools to enhance program maturity and scalability.
  • Establish succession planning and leadership development to sustain long-term organizational capability.

Benefits

  • Medical, dental and vision coverage
  • Paid time off plan
  • Health savings account (HSA)
  • 401k savings plan
  • Access to wages before pay day with myFlexPay
  • Flexible spending accounts (FSAs)
  • Short- and long-term disability coverage
  • Work-Life resources
  • Paid parental leave
  • Healthy lifestyle programs