The Associate Director, Information Security GRC will manage the people, processes, and technology related to the company's security GRC group, overseeing governance, risk, and compliance activities such as client audit support, RFP response, internal IT audit, and contract review. The role carries out GRC activities in line with business objectives, regulatory requirements, and strategic goals, focusing on ensuring alignment with contractual requirements and recognised security frameworks.
You will be the process owner for all IS Security GRC-related projects and activities. You will assist the CISO in planning, developing, and overseeing the information security program, with a broad view of the effective integration of Security, Information Technology, new business development, the Office of General Counsel, and the professional responsibility group. In addition to providing ongoing governance and oversight of IS GRC operations, the role assists the CISO with maintaining strategic alignment with the business, engaging in security outreach and promotional activities, and providing expert guidance to internal and external constituents.
Responsibilities:
Direct responsibility for all aspects of IS GRC
Ensure continual improvement of the information security program via the effective application of technology, systems, processes, personnel, skill development, and leadership
Provide security services that meet or exceed the professional, contractual, regulatory, and certification requirements
Manage the IS GRC people, processes, and technology infrastructure, including the creation and review of IS GRC standards, guidelines, and operating procedures
Serve as the business owner for common IS GRC toolsets, platforms, and processes
Work with the business development team to accurately represent the information security program during client audits and RFP
Guide Legal regarding acceptable contract terms and conditions
Lead the System Governance Virtual Team, promoting continual ISMS improvement
Provide direction on risk assessment requirements and assistance with evaluating risk treatment plans
Define documentation requirements to ensure compliance with ISMS requirements
Advise the team regarding client contractual requirements and commitments relative to GRC practices
Work closely with the Security Operations and Engineering teams to define, develop, and facilitate efficient and effective service delivery to constituent organisations
Oversee the operation of integrated vendor and other risk assessment activities with assistance from the technical teams
Meet published SLAs relative to the provisioning and support of GRC security operations and activities
Understand policies and standards and convey those requirements to end users in a professional and objective manner
Maintain the Information Security Management System (ISMS), including the creation and review of policies, standards, and procedures
Enforce, monitor, and report on compliance with the ISMS
Manage the security awareness program, including ancillary functions such as phish testing and other constituent outreach programs
Liaise with system and business owners to ensure that new platforms are compliant with security requirements
Maintain assigned systems to ensure availability, reliability, and integrity, including the oversight of current and projected capacity, performance, and licensing
Provide status reports and relevant metrics to the CISO
Manage the security-related information repositories and contribute to marketing/awareness endeavours
Maintain situational and environmental awareness and use that knowledge to implement appropriate tactics and strategies to protect the organisation and assist with roadmap development
Mentor and lead members of the Security GRC group by conducting effective performance reviews, suggesting development opportunities, establishing a culture of performance excellence, and maintaining the highest standards of ethical and professional care
Participate in defining the DR/BCP practices as required
Monitor changes in legislation and accreditation standards that affect information security
Skills and Experience:
Thorough knowledge of professional management practices including supervisory techniques, leadership principles, and employment practices
Proficiency in oral and written English; excellent verbal and written communication skills, including public speaking and the ability to convey complex concepts to non-technical constituents
Ability to think and communicate strategically regarding the role of information security in a successful global organisation
Ability to quickly ascertain the current capability-maturity level of an organisation and use that information when responding to RFPs, audits, contract reviews, and internal operations
Good understanding of at least one of the major EGRC/ITGRC platforms
Comprehensive understanding of major information security frameworks such as NIST, CIS, ISO 27001/27002, and COBIT
Familiarity with common regulatory schemes such as GDPR, PCI-DSS, GLBA, FISMA, HIPAA, and ITAR
Advanced understanding of technical controls, how those controls address risk, and how they map to framework and regulatory requirements
Broad understanding of TCP/IP, DNS, common network services, and other foundational topics
Knowledge of server, workstation, and Active Directory technologies that affect security controls
Understanding of common security monitoring technologies such as SIEM, IDS, log management, and vulnerability assessment concepts
Ability to gather and analyse facts, draw conclusions, define problems, and suggest solutions
Ability to maintain objectivity and composure under pressure
Capable of assisting with the creation of internal training materials and documentation

Hays Specialist Recruitment Limited acts as an employment agency for permanent recruitment and employment business for the supply of temporary workers. By applying for this job you accept the T&Cs, Privacy Policy and Disclaimers which can be found at (url removed)