Information Security Director - Governance, Risk, and Compliance

What You'll Do

• Lead the strategic direction and execution of the enterprise-wide Information Security Governance, Risk, and Compliance (GRC) program.
• Lead enterprise-wide information security risk assessments, including risk identification, evaluation, and prioritization, to support informed decision-making and resource allocation.
• Collaborate with business units and technology teams to assess the impact and likelihood of cybersecurity threats, integrating findings into broader risk management and mitigation strategy.
• Manage the full issue lifecycle, including issue identification, root cause analysis, remediation planning, tracking, validation, and closure, ensuring timely and effective resolution of risk and compliance gaps.
• Provide subject matter expertise and guidance for Information Security policies and standards.
• Drive policy governance, including the creation, review, approval, and maintenance of security policies, standards, and procedures to ensure alignment with business objectives and regulatory expectations.
• Develop, implement, and mature a robust Risk and Control Self-Assessment (RCSA) program to identify, assess, and mitigate cybersecurity risks across business units.
• Oversee security assurance activities, including control design evaluations, walkthroughs, and control effectiveness testing aligned with regulatory and framework requirements (e.g., NIST CSF, ISO 27001, SOX, SOC2, FFIEC CAT).
• Direct the testing of security controls, including coordination with internal audit, external assessors, and business stakeholders.
• Advise management on the design and implementation of control activities that reduce risk, add value, and mature the control environment.
• Provide leadership and subject matter expertise during regulatory examinations, internal audits, and third-party assessments.
• Collaborate with business and IT stakeholders to integrate GRC practices into key business and technology initiatives.
• Leverage GRC tools (e.g., Archer, ServiceNow GRC, LogicGate) to automate risk management workflows and enhance reporting capabilities.
• Support KPI/KRI's to facilitate risk prioritization and articulation for the enterprise and senior leadership reporting.
• Develop and present executive-level reporting and dashboards to senior leadership and board committees on risk posture, control effectiveness, and compliance status.
• Stay current on emerging threats, industry trends, and regulatory changes to proactively adjust GRC strategies.
• Provide excellent customer service in support of program activities.
• Manages technical professionals (typically skilled exempt level employees) who have responsibility for operations and project outcomes. Provides direct and indirect supervision of teams.
• Sets priorities on daily operations, provides input to, and administers cost center spending, participates in long-range departmental planning, recommends control methodologies and frameworks.
• Sets objectives and priorities and ensures the effective allocation and use of department resources.
• Develops long-range plan for the department and is a key participant in strategic planning for the Information Security function. Translates strategic goals and priorities into technical strategies and objectives for his/her department.
• Introduces best practices and ensures the timeliness, quality, and consistency of his/her department's delivery of products and services.
• Writes and conducts performance reviews, provides ongoing performance feedback. Establishes salary budget and approves salary increases. Makes hiring decisions.
• Frequently interfaces with executives inside and outside the company to make operational and project-related decisions, to resolve critical issues, to gather industry and competitive information and to foster a productive professional network.
• Required to perform duties outside of normal work hours based on business needs.

What You'll Bring

Knowledge and Skills/Technology Used

• BA/BS degree in Computer Information Systems, Computer Science or equivalent experience is required. Training courses, seminars, certifications, or other security related education experience preferred
• 10+ years of experience in information security, with 5+ years in a leadership role within GRC.
• Certifications such as CISM, CRISC, CISSP, or CGEIT preferred.

• Strong knowledge of information security and risk management frameworks (e.g., NIST, ISO, COBIT, CIS).
• Proven track record of establishing and managing issue lifecycle management.
• Demonstrated experience building and operating RCSA programs and control testing frameworks.
• Experience managing the policy lifecycle and coordinating enterprise-wide policy governance.
• Proven success in managing audit and regulatory interactions.
• Familiarity with GRC platforms and data analytics tools for risk management.
• Leadership: Ability to communicate function vision and establish aligned direction and goals for his/her department. Obtains and effectively allocates resources. Creates systems to measure results. Has in-depth understanding of competitor, financial and industry dynamics.
• Teamwork: Ability to establish and maintain effective working relationships at the senior management level across functional groups and business units. Ability to change the thinking of, or gain acceptance from, others in sensitive situations, using influence and preventing damage to the relationship. Actively recruits, retains, and develops talent and holds employees accountable for results. Translates vision into action, leads change, and inspires people to get results.
• Integrity: Deals with others in an honest manner, assures adherence to company policies, and addresses questionable business practices.
• Service: Drives and models customer loyalty, manages customer expectations, uses customer feedback to establish department goals, and ensures commitments are met.
• Commitment: Successful track record designing, developing, and executing critical complex projects in more than one area of functional expertise. Provides others with reliable information, delivers informative and persuasive presentations. Uses good listening skills and negotiates effectively.

Pay Range: $166,800.00 - $222,300.00 annually

This hiring range is a reasonable estimate of the base pay range for this position at the time of posting. Pay is based on a number of factors which may include job-related knowledge, skills, experience, business requirements and geographic location