IT Security Manager (GRC)

IT Security (GRC) Manager

The IT Security (GRC) Manager function is responsible for maintaining overall security risk management program, which is designed to ensure the company's Infrastructure and Applications are adequately protected. The Manager is responsible for identifying, analyzing, evaluating and reporting on information security risks. S/he works proactively with various IT and business departments to implement practices that meet the policies and standards for information security risk management. The Manager is a proven thought leader and problem solver, as well as, an effective internal consultant, who will regularly advise business leaders on information security risk issues. S/he must possess domain competencies in a number of IT-risk-related disciplines, including security, disaster recovery, privacy and compliance.

Responsibilities

• Work with the Director of Information Security to manage all the risk-related activities of the IT organization, including planning, testing, reporting and recommending appropriate remediation measures.
• Manage a staff of information security professionals, which includes but is not limited to, recruiting, hiring and training new staff, conducting performance reviews and providing leadership and coaching for team members.
• Manage oversight and monitoring of risk mitigation via the coordination of information security management systems and controls.
• Manage the oversight of risk assessments, including but not limited to, vulnerability scanning, penetration testing, new infrastructure/applications and third party service provider reviews.
• Partner with appropriate staff within IT and other business departments to facilitate risk analysis and risk management processes to identify acceptable levels of residual risk.
• Remain current with industry best practices and monitor the legal and regulatory environment for developments that could require changes to established policies, standards and practices.
• Provide security communication, awareness and training for audiences, which includes staff and lawyers.
• Work as a liaison with IT, legal and procurement to establish mutually acceptable contracts and service-level agreements, which should cover information security and disaster recovery content.
• Assist resource owners and IT staff with understanding and responding to security audit findings reported by internal and external auditors.
• Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments and internal and external audits to ensure appropriate remediation measures are taken.
• Coordinate information security and risk management projects.
• Work with the Director of Information Security to develop budget projections based on short- and long-term goals and objectives.
• Work with the Director of Information Security and Information Security Manager for Architecture, Engineering, and Monitoring to define metrics and reporting strategies that effectively communicate successes and progress of the security program.
• Provide support and guidance for legal and regulatory compliance efforts, including leading client information security assessments and audits.
• Other duties, as assigned.

Requirements

• Bachelor's degree or equivalent combination of education and/or experience.
• Minimum of 8 years of experience in IT risk management or a related discipline such as security, privacy, business continuity management or compliance, with at least 1 year in a leadership role.
• Experience with information risk assessment methodology development and application.
• Working knowledge ISO 27001/27002 with practiced program alignment and integration.
• Working knowledge of IT management frameworks such as Control Objectives for Information and Related Technology (COBIT) and/or Information Technology Infrastructure Library (ITIL).
• Experience developing, deploying and integrating security policy and standards documentation.
• Experience in developing, managing or providing direct support for IT security vulnerability and threat management

Nice To Haves

• Certified Information Security Manager, Certified Information Systems Security Professional (CISSP) or equivalent
• Experience initiating cloud assessments
• Experience conducting senior/executive level presentations