The Associate Director, Information Security GRC will manage the people, processes, and technology related to the Firm's security GRC group, overseeing governance, risk, and compliance activities such as client audit support, RFP response, internal IT audit, and contract review. The role carries out GRC activities in line with the Firm's business objectives, regulatory requirements, and strategic goals, focusing on ensuring alignment with contractual requirements and recognized security frameworks. The role holder will be the process owner for all IS Security GRC-related projects and activities within the Firm.
The role holder will assist the CISO in planning, developing, and overseeing the information security program, with a broad view of the effective integration of Security, Information Technology, new business development, the Office of General Counsel, and the professional responsibility group. In addition to providing ongoing governance and oversight of IS GRC operations, the role assists the CISO with maintaining strategic alignment with the business, engaging in security outreach and promotional activities, and providing expert guidance to internal and external constituents.
Responsibilities:
- Direct responsibility for all aspects of IS GRC
- Ensure continual improvement of the information security program via the effective application of technology, systems, processes, personnel, skill development, and leadership
- Provide security services that meet or exceed the Firm's professional, contractual, regulatory, and certification requirements
- Manage the Firm's IS GRC people, processes, and technology infrastructure, including the creation and review of IS GRC standards, guidelines, and operating procedures
- Serve as the business owner for common IS GRC toolsets, platforms, and processes
- Work with the business development team to accurately represent the Firm’s information security program during client audits and RFPs
- Guide Legal regarding acceptable contract terms and conditions
- Serve within the firm's Computer Security Incident Response Team (CSIRT)
- Lead the System Governance Virtual Team, promoting continual ISMS improvement across the Firm, including:
  - Provide direction on risk assessment requirements and assistance with evaluating risk treatment plans
  - Provide input on the selection and design of IS controls
  - Provide input on metrics developed to monitor and test the effectiveness of the firm's IS controls
  - Define documentation requirements to ensure compliance with ISMS requirements
  - Advise the team regarding client contractual requirements and Firm commitments relative to GRC practices
  - Assist the team with developing systems and processes that ensure ISMS compliance and continual improvement
- Transform executive priorities into operational initiatives and provide clear vision, support, and expectation-setting
- Work closely with the Security Operations and Engineering teams to define, develop, and facilitate efficient and effective service delivery to constituent organizations
- Oversee the operation of integrated vendor and other risk assessment activities with assistance from the technical teams.
- Meet published SLAs relative to the provisioning and support of security GRC operations and activities
- Provide input into policies, standards, guidelines, and procedures; author standards, guidelines, and procedures designed to safeguard sensitive information
- Understand Firm policies and standards and convey those requirements to end users in a professional and objective manner
- Maintain the Firm’s Information Security Management System (ISMS), including the creation and review of policies, standards, and procedures
- Enforce, monitor, and report on compliance with the Firm's ISMS
- Manage the security awareness program, including ancillary functions such as phish testing and other constituent outreach programs
- Liaise with system and business owners to ensure that new platforms are compliant with Firm security requirements
- Provide innovation within the context of the information security realm.
- Maintain assigned systems to ensure availability, reliability, and integrity, including the oversight of current and projected capacity, performance, and licensing
- Provide status reports and relevant metrics to the CISO
- Manage the Firm's security-related information repositories and contribute to marketing/awareness endeavors
- Maintain situational and environmental awareness and utilize that knowledge to implement appropriate tactics and strategies to protect the organization and assist with roadmap development
- Strike an appropriate balance between strategic leadership and operational contributions by utilizing a hands-on approach to solving problems and meeting deliverables
- Serve in a proactive, consultative role to other business units and constituents
- Mentor and lead members of the Security GRC group by conducting effective performance reviews, suggesting development opportunities, establishing a culture of performance excellence, and maintaining the highest standards of ethical and professional care
- Provide exemplary customer service by striving for first-call resolution and demonstrating empathy, respect, professionalism, and expertise
- Oversee information security risk assessments and provide audit mechanisms for the information security process
- Participate in defining the Firm’s DR/BCP practices as required
- Monitor changes in legislation and accreditation standards that affect information security
- Initiate, facilitate, and promote activities to foster information security awareness within the organization
Skills and Experience:
- Thorough knowledge of professional management practices including supervisory techniques, leadership principles, and employment practices
- Proficiency in oral and written English; excellent verbal and written communication skills, including public speaking, and the ability to convey complex concepts to non-technical constituents
- Ability to think and communicate strategically regarding the role of information security in a successful global organization
- Ability to quickly ascertain the current capability-maturity level of an organization and use that information when responding to RFPs, audits, contract reviews, and internal operations
- Good understanding of at least one of the major EGRC/ITGRC platforms
- Comprehensive understanding of major information security frameworks such as NIST, CIS, ISO 27001/27002, and COBIT
- Familiarity with common regulatory schemes such as GDPR, PCI-DSS, GLBA, FISMA, HIPAA, and ITAR
- Advanced understanding of technical controls, how those controls address risk, and how they map to framework and regulatory requirements
- Broad understanding of TCP/IP, DNS, common network services, and other foundational topics
- Knowledge of server, workstation, and Active Directory technologies that affect security controls
- Understand common security monitoring technologies such as SIEM, IDS, log management, and vulnerability assessment concepts
- Ability to gather and analyze facts, draw conclusions, define problems, and suggest solutions
- Ability to maintain objectivity and composure under pressure
- Capable of assisting with the creation of internal training materials and documentation
- Ability to set priorities independently given broad executive requirements
- Demonstrate flexibility in response to the ever-changing priorities of a service provider organization
- Apply a rigorous and disciplined approach to operational oversight
This position is bonus eligible and includes medical, dental, vision, and 401(k) benefits based on the number of hours worked. The US base compensation for this position is expected to be $180-220K annually when located in an office in the state of Illinois. Within the range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training. Your recruiter can share more about the specific salary range for your preferred location during the hiring process.