The Associate Director, Information Security GRC will manage the people, processes, and technology of the Firm's security GRC group, which oversees governance, risk, and compliance activities such as client audit support, RFP response, internal IT audit, and contract review. The role carries out GRC activities in line with the Firm's business objectives, regulatory requirements, and strategic goals, with a focus on alignment with contractual requirements and recognized security frameworks. The role holder is the process owner for all IS Security GRC-related projects and activities within the Firm and assists the CISO in planning, developing, and overseeing the information security program, with a broad view of the effective integration of Security, Information Technology, new business development, the Office of General Counsel, and the professional responsibility group. In addition to providing ongoing governance and oversight of IS GRC operations, the role assists the CISO with maintaining strategic alignment with the business, engaging in security outreach and promotional activities, and providing expert guidance to internal and external constituents.
Responsibilities:
- Direct responsibility for all aspects of IS GRC
- Ensure continual improvement of the information security program via the effective application of technology, systems, processes, personnel, skill development, and leadership
- Provide security services that meet or exceed the Firm's professional, contractual, regulatory, and certification requirements
- Manage the Firm's IS GRC people, processes, and technology infrastructure, including the creation and review of IS GRC standards, guidelines, and operating procedures
- Serve as the business owner for common IS GRC toolsets, platforms, and processes
- Work with the business development team to accurately represent the Firm's information security program during client audits and RFPs
- Guide Legal regarding acceptable contract terms and conditions
- Serve within the Firm's Computer Security Incident Response Team (CSIRT)
- Lead the System Governance Virtual Team, promoting continual ISMS improvement across the Firm, including:
  - Provide direction on risk assessment requirements and assist with evaluating risk treatment plans
  - Provide input on the selection and design of IS controls
  - Provide input on metrics developed to monitor and test the effectiveness of the Firm's IS controls
  - Define documentation requirements to ensure compliance with ISMS requirements
  - Advise the team regarding client contractual requirements and Firm commitments relative to GRC practices
  - Assist the team with developing systems and processes that ensure ISMS compliance and continual improvement
- Transform executive priorities into operational initiatives and provide clear vision, support, and expectation-setting
- Work closely with the Security Operations and Engineering teams to define, develop, and facilitate efficient and effective service delivery to constituent organizations
- Oversee the operation of integrated vendor and other risk assessment activities with assistance from the technical teams
- Meet published SLAs relative to the provisioning and support of security GRC operations and activities
- Provide input into policies, standards, guidelines, and procedures; author standards, guidelines, and procedures designed to safeguard sensitive information
- Understand Firm policies and standards and convey those requirements to end users in a professional and objective manner
- Maintain the Firm's Information Security Management System (ISMS), including the creation and review of policies, standards, and procedures
- Enforce, monitor, and report on compliance with the Firm's ISMS
- Manage the security awareness program, including ancillary functions such as phish testing and other constituent outreach programs
- Liaise with system and business owners to ensure that new platforms comply with Firm security requirements
- Provide innovation within the information security realm
- Maintain assigned systems to ensure availability, reliability, and integrity, including oversight of current and projected capacity, performance, and licensing
- Provide status reports and relevant metrics to the CISO
- Manage the Firm's security-related information repositories and contribute to marketing/awareness endeavors
- Maintain situational and environmental awareness and use that knowledge to implement appropriate tactics and strategies to protect the organization and assist with roadmap development
- Strike an appropriate balance between strategic leadership and operational contributions by taking a hands-on approach to solving problems and meeting deliverables
- Serve in a proactive, consultative role to other business units and constituents
- Mentor and lead members of the Security GRC group by conducting effective performance reviews, suggesting development opportunities, establishing a culture of performance excellence, and maintaining the highest standards of ethical and professional care
- Provide exemplary customer service by striving for first-call resolution and demonstrating empathy, respect, professionalism, and expertise
- Oversee information security risk assessments and provide audit mechanisms for the information security process
- Participate in defining the Firm's DR/BCP practices as required
- Monitor changes in legislation and accreditation standards that affect information security
- Initiate, facilitate, and promote activities to foster information security awareness within the organization

Skills and Experience:
- Thorough knowledge of professional management practices, including supervisory techniques, leadership principles, and employment practices
- Proficiency in oral and written English; excellent verbal and written communication skills, including public speaking, and the ability to convey complex concepts to non-technical constituents
- Ability to think and communicate strategically regarding the role of information security in a successful global organization
- Ability to quickly ascertain the current capability-maturity level of an organization and use that information when responding to RFPs, audits, contract reviews, and internal operations
- Good understanding of at least one of the major EGRC/ITGRC platforms
- Comprehensive understanding of major information security frameworks such as NIST, CIS, ISO 27001/27002, and COBIT
- Familiarity with common regulatory schemes such as GDPR, PCI DSS, GLBA, FISMA, HIPAA, and ITAR
- Advanced understanding of technical controls, how those controls address risk, and how they map to framework and regulatory requirements
- Broad understanding of TCP/IP, DNS, common network services, and other foundational topics
- Knowledge of server, workstation, and Active Directory technologies that affect security controls
- Understanding of common security monitoring technologies such as SIEM, IDS, log management, and vulnerability assessment concepts
- Ability to gather and analyze facts, draw conclusions, define problems, and suggest solutions
- Ability to maintain objectivity and composure under pressure
- Capable of assisting with the creation of internal training materials and documentation
- Ability to set priorities independently given broad executive requirements
- Demonstrated flexibility in response to the ever-changing priorities of a service provider organization
- Rigorous and disciplined approach to operational oversight

This position is bonus eligible and includes medical, dental, vision, and 401(k) benefits based on the number of hours worked. The US base compensation for this position is expected to be $180-220K annually when located in an office in the state of Illinois. Within the range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training. Your recruiter can share more about the specific salary range for your preferred location during the hiring process.