
GRC Manager

Montek System
Philadelphia, PA Full Time
POSTED ON 3/7/2025
AVAILABLE BEFORE 5/7/2025

Job Details

Job Title: GRC Manager

Location: Philadelphia, PA

Duration: 12 Months

This is day 1 onsite.

The Information Security - Governance, Risk & Compliance (GRC) Manager will serve as a strategic leader, driving the development, operation, and continuous improvement of the organization's global security GRC program. This role entails managing cybersecurity risk, ensuring IT audit and compliance requirements are met, overseeing supplier/vendor security reviews, and aligning the security governance and controls program with best practices and regulatory frameworks. The GRC Manager will collaborate extensively with other security and technology teams, Internal/External Audit, as well as business and leadership stakeholders.
In this role you will:

  • Provide hands-on management of all aspects of Security Governance, Risk & Compliance services, capabilities, staff, and third-party relationships.
  • Own the IT Compliance, Audit, & Risk Assessment service portfolio for the Information Security program, driving the annual plan for each in a strategic manner, and ensuring high quality outcomes.
  • Perform a range of risk assessment activities, including enterprise-wide, business unit, asset, or control framework/standards-based (e.g. ISO 27001, NIST CSF, CIS) assessments, and present findings to both technical and business audiences.
  • Analyze technologies and business requirements to establish highly effective processes, policies, standards, guidelines, and procedures that provide comprehensive protection for a safe, secure, and resilient technology environment and its information assets.
  • Oversee the execution of the IT General Controls framework supporting Sarbanes-Oxley requirements. This includes functioning as the primary liaison with Internal and External Audit as well as Control Owners for control design, operation, testing, and remediation planning.
  • Own the management of the security risk register, ensuring risk is appropriately tracked, and remediation strategies are documented.
  • Manage the security metrics and reporting program, developing standard update reports, scorecards, and trend summaries to communicate the performance and health of the security program at regular intervals to leadership stakeholders.
  • Participate in leading Security Awareness activities for the organization.
  • Develop and maintain security controls, policies and capabilities as part of the Information Security Framework with ability to map/crosswalk controls between frameworks/standards (ISO 27001, NIST CSF, CIS).
  • Manage third party, vendor and supplier security risk management and contractual activities in conjunction with Legal, Procurement, Purchasing and Supply Chain teams.
  • Participate in all phases of the SDLC and project life cycles as needed for corporate initiatives (design, build and operate), ensuring technology initiatives align and comply with internal security policy and standards, and support relevant controls from standards/frameworks including Sarbanes-Oxley, ISO 27001, CIS and NIST CSF.

Qualifications:

Required:

  • Bachelor's in Information Technology, Computer Science, Cybersecurity, Computer Engineering, Security Risk Analysis, Information Security & Assurance or other relevant focus area.
  • Candidates must have a minimum of one of the following certifications or will be required to obtain within the first 12 months: CISSP, ISSMP, CISM, CRISC, CGEIT, CISA, Open FAIR.
  • Minimum 5 years leadership experience in a GRC function with a track record of success and high-quality outcomes.
  • Must have significant hands-on experience leading IT and Sarbanes-Oxley-focused IT compliance programs.
  • Strong experience implementing and maturing security governance standards, frameworks and controls programs such as ISO 27001, NIST CSF, CIS Critical Security Controls.
  • Strong business process knowledge, exceptional analytical skills, and solution-oriented mindset.
  • Extensive experience developing security GRC processes, functions, and assessment tools in a GRC platform, with RSA Archer experience highly desired.
  • Knowledge of security frameworks and standards such as NIST CSF, ISO 27001, CIS Critical Security Controls, GDPR and CCPA. Prior experience with TISAX is helpful.
  • Expertise in the following security knowledge domains: security architecture, vulnerability management, risk management, identity and access management, user access and privileged access reviews, security awareness, cloud computing, and compliance.
  • Experience articulating technical concepts and security risk clearly in business-oriented language. This includes risk scenario records, risk modeling, acceptance, exceptions, findings documentation, and management action/remediation plans.
  • Exceptional written and verbal communication skills are required as this position will be responsible for working directly with multiple technology teams as well as IT leadership.
  • Demonstrates strong organizational skills and the ability to multi-task, prioritize workload, and liaise/partner with other teams.