
Information Security GRC Senior Manager

Foley & Lardner LLP
United States, Wisconsin, Milwaukee
777 East Wisconsin Avenue
Jan 10, 2025


US-IL-Chicago | US-WI-Milwaukee | US-TX-Dallas | US-TX-Houston | US-FL-Tampa | US-FL-Orlando | US-CO-Denver | US-Washington DC | US-MA-Boston | US-FL-Miami | US-FL-Jacksonville | ...


ID
2025-3224

Category
Information Technology/Security

Type
Regular Full-Time

FLSA Status
Exempt

Scheduled Hours
40+

Workplace
Hybrid



Overview

Foley & Lardner LLP is a great place to work because of what we do and how we do it. Here, your unique perspectives, experiences, and abilities will be embraced and developed, so you can excel. Being a part of Foley means having the opportunities and resources necessary to gain experience, advance professional goals, and forge meaningful connections. It's a place where you can build your career and enjoy professionally satisfying work. We have over 2,300 people who are #HappyatFoley, and we think you will be too.

Foley & Lardner LLP is currently seeking a Senior Manager, Information Security GRC to join our team. The right candidate will lead efforts to identify, assess, and manage Information Security risk across the firm's information and technology environment. This individual is responsible for assessing risk and control effectiveness based on industry standards in order to drive Information Security compliance, prioritization, and program planning to effectively manage risk while enabling the firm's attorneys to provide effective and secure client service. This individual is responsible for operating the risk management and audit program - leading efforts to plan, test, evaluate, document, remediate, and improve IT and security control effectiveness and maturity.

This individual will collaborate with stakeholders from Information Technology and Information Security architecture and operations teams to translate risk into a strategic and operational roadmap for the Information Security program. The Senior Manager will also be the primary liaison with key stakeholders, third-parties, and clients to coordinate internal and external security reviews and reporting. They will maintain compliance with third-party security controls, and provide subject matter expertise and independent validation of program health and metrics to senior leadership. The ideal Senior Manager will have proven and demonstrated leadership skills including relationship-building and collaboration skills with clear ability to influence, gain buy-in and negotiate with a diverse group of key business partners/stakeholders, including senior management.



Responsibilities

  • Conduct risk- and standards-based Information Security risk assessments and IT/Security audits
  • Assess control effectiveness and associated Information Security capability maturity to drive strategic and operational prioritization for Information Security and Information Technology
  • Establish audit work programs to effectively evaluate IT operations, based on best practices, regulatory requirements, and the operating environment
  • Review IT and Security systems, processes, documentation, and tools to assess the firm's information technologies and business systems activities: determine operating effectiveness, assess risk, and evaluate whether testing activities are appropriate for achieving established objectives
  • Maintain compliance to industry standards and certifications such as ISO 27001. Conduct reviews and special projects to verify that IT system controls are adequate and operating effectively
  • Develop recommendations for security controls and processes
  • Maintain up-to-date reports to satisfy third-party security requirements
  • Design and enhance all IT audit efforts, specifically audit methodology and techniques, pursuant to firm and professional standards such as COBIT
  • Produce a high-quality end-product that clearly documents the audit work performed while adhering to schedules and deadlines
  • Make oral or written presentations to management to highlight noted deficiencies and recommended corrective action to improve internal operations and reduce costs
  • Participate in appraising adequacy of corrective actions taken by management to improve the reported deficient conditions
  • Review, document, evaluate, and test business processes and/or manual and automated technology controls in the IT environment
  • Develop and implement testing methodologies for business processes (including Business Continuity and Disaster Recovery) and/or availability, integrity, and confidentiality in the IT environment
  • Comply with the firm's Professional Responsibilities and ethical standards
  • Perform other duties as assigned including:
    • Responding to Requests for Information ("RFIs") from customers
    • Supporting the Information Security team with physical security tasks, as assigned


Qualifications

  • Bachelor's degree required; Degree in IT, Information Security, Computer Science, Business, Finance, or related field preferred
  • CISSP, CISA, CRISC, CISM or similar certifications preferred
  • Minimum of ten (10) years of increasingly substantive roles in information security and risk management or information technology required
  • Minimum of five (5) years of experience in information security required; experience in governance, risk, and compliance strongly preferred
  • Prior people management experience required
  • Direct experience and/or management of information security systems, tools, and operational functions required
  • Demonstrated experience in testing, evaluating, and documenting IT controls for compliance required
  • Information systems internal audit experience at a mid or larger size company strongly preferred
  • Strong familiarity with IT auditing techniques, COBIT, ISO 27001, NIST 800-53 or equivalent framework
  • Solid understanding of assessing and designing internal controls in an enterprise-level environment
  • High level of familiarity with various data privacy, security and compliance regulations across multiple jurisdictions
  • Experience managing complex projects to completion #LI-Hybrid

Pursuant to the Colorado Equal Pay for Equal Work Act and Illinois Equity Pay Act, the salary range for this Denver or Chicago based position is between $157,500 - $256,900. Pursuant to the Washington DC Pay Transparency Law, the salary range for this Washington DC based position is between $171,800 - $280,400. These figures represent the full compensation range of this position. The actual offered amount will be determined based on the following factors: education, experience, geographic market, and internal pay equity at Foley. We are accepting ongoing applications.


Foley & Lardner LLP is a top-ranked law firm with offices throughout the United States and abroad. At Foley we strive to remain true to our core values: our clients, integrity, our people, citizenship, diversity, trust & respect, stewardship & accountability, and professional satisfaction. As a result, we offer the highest quality legal counsel to our clients, as well as outstanding professional opportunities for our employees.

Foley employees enjoy a comfortable, yet professional work environment, exceptional benefit package, state-of-the-art technology, work/life balance, great working relationships and much more.

We invite you to consider a career with Foley.