The IT Governance, Risk and Compliance (GRC) Lead position is an individual contributor role responsible for the implementation and operation of IT GRC activities for the Enterprise. The IT GRC Lead will help further and maintain IT GRC - leveraging the organizations security standards and applicable compliance regulations and IT Compliance with applicable IT standards, laws, and regulations. This individual will have a strong understanding of the SSAE 18 AICPA reporting standards, and an understanding of compliance frameworks supported such as SOC1, SOC2 (Security, Availability, Confidentiality, Processing Integrity, and Privacy Trust Service Principles), NIST, HITRUST, HIPAA and GDPR. This position reports to the Director of GRC within the CISO organization.

Candidate should be able to “lead from the front”, have a strong sense of ownership and be able to work autonomously. Candidate should also demonstrate our CISO org behavior of: Engagement, Maintaining a Consultative Mindset, Accountability and Emotional Intelligence

Candidate will be directly responsible for leading and/or supporting GRC initiatives:

• Annual IT audit programs including SSAE-18 SOC2, SOX 404, ISO 27001, NIST CSF, NIST 800-171, NIST 800- 218 certification(s) and HiTrust initiatives.
• Integrate IT GRC requirements into broader technology governance processes (e.g., cybersecurity, operational readiness, SDLC, enterprise architecture, ITIL processes, client security, supply chain security), ensuring IT GRC and Compliance practices are operating across all facets of the enterprise.
• Elevate Cyber risk-management function, including risk register and risk lifecycle processes (i.e., identification, assessment, remediation, exception/acceptance).
• Support of Control Framework(s) including:
  
  • Designing, reviewing and testing effective IT/Security controls
  • Control Self-Assessment program (CSA/SCA) which is inclusive of testing key controls such as patch management, backup process, vulnerability management, cybersecurity and network related controls
• Interpret regulations affecting control standards and suggests methods of updating policies and practices that address any risk concerns so as to maintain IT and regulatory compliance.
• Identify, define and update security standards and policies for servers, endpoints, network infrastructure, and cloud environments with supporting audit and reporting processes
• Liaise with engineering, IT operations, IT Infrastructure, IT security, HR, Marketing and business teams to provide accurate and timely responses to internal and external audit requests and related activities.
• Advocate for all business areas while accounting for and balancing risk
• Produce and maintain appropriate, KPIs, Metrics and Reporting

• 8 or more years working in IT Governance, Risk and Compliance
• 8 or more years of Information Technology related work experience.
• 5 or more years’ experience in SOC/SOX related audits.
• 5 or more years’ experience with Risk/Control Risk frameworks (NIST CSF, ISO, COBIT)
• 5 or more years’ experience with Vulnerability Management
• 3 years of experience with Cloud Governance, cloud applications and Infrastructure
• Identity Governance and Administration (IGA) or Access Management experience
• Experience working in the Financial Services Industry and/or Fintech
• Experience leading projects and service delivery initiatives.
• Internal/external customer facing experience

To excel in this role, the ideal candidate should possess the following expertise:

• Subject matter expertise in IT Governance, Risk, and Compliance (GRC) discipline, with in-depth knowledge of IT Service Delivery, ITIL, and Project Management.
• Strong understanding of current cybersecurity concepts, tools, and technology.
• Proven experience in SSAE18 SOC, SOX, or HiTrust audits for medium to large enterprises.
• Proficiency in risk frameworks and ISO27001, along with experience in Risk/Control Risk frameworks (NIST CSF, ISO, COBIT, COSO).
• Technical proficiency in key IT areas, including UNIX, DNS, Windows Server, Internet routing, TCP/IP protocols, Network technologies, Active Directory, and foundational technology concepts.
• Expertise in risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies, and knowledge of cyber-attack techniques.
• Ability to relate business requirements and risks to technology implementation for security-related issues.
• Strong cybersecurity acumen
• Knowledgeable in IT Service Delivery, ITIL and Project Management.
• Deep understanding of cybersecurity concepts including tools/technology
• Working knowledge and experience with MS Office products including Word, Excel, PowerPoint & Visio and SharePoint 
• Expert in writing/updating documentation to include standards, policies and procedures
• Experience with industry tools (e.g., ServiceNow, Archer, Process Unity, Panorays, Omada)
• O365 (Word, PowerPoint, SharePoint, OneDrive, Teams, Excel, PowerBI)
• Continuous control monitoring and automation
• Ability to be a trusted advisor relative to all things GRC related

• Demonstrated leader with team-oriented interpersonal skills; ability to effectively interface with a broad range of team members and roles.
• Ability to work independently with or without direction and/or supervision.
• Ability to prioritize workload and multitask. Flexibility and adaptability in work approach.
• Ability to work directly with internal and external audit partners.
• Calmness, clarity and due diligence process oriented and works well under pressure and has ability to maintain confidentially.
• Strong written and verbal communication skills and maintains attention to detail