JOB SUMMARY:

This is not a technical operations role.

This is GRC with real authority, not checkbox compliance. It’s a Governance, Risk & Compliance leadership role for someone who wants to own programs, influence decisions, and represent IT Security at the enterprise level.

If your strength is IT risk, audit, compliance, and governance, and you enjoy being the person auditors trust, leaders rely on, and teams come to for defensible risk decisions, this role will feel like home.

Why this role stands out

In this position, you are not supporting GRC work - you own it.

You will be the primary owner of the IT Risk Management Program, the central liaison for Internal Audit and the Office of the Auditor General (OAG), and a key contributor to PCI DSS audits and ongoing compliance obligations.

This role sits at the intersection of IT, Security Operations, Audit, Risk, and Executive Governance, with real authority to shape how security risk is identified, assessed, tracked, and communicated across the organization.

What you will actually do:

Own IT & Cyber Risk Management

• Lead the end‑to‑end IT risk lifecycle: intake, assessment, scoring, treatment tracking, and governance review.
• Ensure IT and cyber risks align with Enterprise Risk Management (ERM) and are presented in a way leaders can act on.
• Facilitate risk discussions that balance security, business impact, and operational reality.
• Maintain risk visibility, decision records, and defensible documentation.

Be the face of IT Security for Audit

• Act as the primary IT Security liaison for Internal Audit, OAG, PCI DSS, and other external audits.
• Coordinate audit requests, evidence, walkthroughs, and responses.
• Translate security and technical controls into clear, auditable narratives.
• Track findings, drive remediation accountability, and ensure closure is real - not theoretical.

Lead Compliance & Governance Programs

• Own and evolve security governance programs including:
• Compliance & audit management
• Security metrics, dashboards, and executive reporting
• ITSM security ticket governance
• Third‑party and vendor security governance
• Ensure governance decisions are consistent, documented, and repeatable.
• Provide clarity where others see ambiguity.

Influence Without Being “the Police”

• Partner with Security Operations, Architecture, IT, and the business to guide outcomes, not just enforce rules.
• Support informed risk acceptance where appropriate and escalate when it is not.
• Serve as a trusted advisor rather than a gatekeeper.

Who this role is perfect for:

This role is ideal if you come from:

• IT Security GRC
• IT Audit / Technology Risk
• Cyber Risk Management
• Compliance & Assurance
• Internal Audit with strong IT exposure

You likely enjoy:

• Turning complex risk into clear executive decisions
• Working with auditors and regulators
• Owning programs rather than tasks
• Writing, documenting, and explaining why decisions were made
• Operating independently with accountability

What matters most (and what doesn’t):

What matters

• Strong experience in IT risk, audit, governance, or compliance
• Comfort engaging with auditors, executives, and technical teams
• Knowledge of frameworks such as ISO 27001, NIST CSF, PCI DSS
• The ability to create defensible, audit‑ready documentation
• Confidence making judgment calls and standing behind them

What does not matter

• Deep hands‑on engineering skills
• Running security tools day‑to‑day
• Writing detections or managing infrastructure

(You’ll work closely with technical teams, you won’t replace them.)

SKILLS & ABILITIES:

• Bachelor’s degree in a relevant discipline or equivalent experience.
• 5+ years in IT risk, security governance, audit, or compliance roles.
• Certifications such as CISSP, CISM, CRISC, CISA, or PCI‑related credentials are highly valued and supported.