GRC Manager

Manager, GRC (Governance, Risk, and Compliance)

Position Summary:

The Manager of GRC, of the Security Operations and Compliance subfamily of the IS and Compliance job family, is responsible for the organization's information security, compliance, and risk management programs to safeguard internal company data and the data of our clients. The Security Operations and Compliance subfamily is responsible for the management of the company's information security policies, processes, and toolsets; vendor risk management in terms of their information security practices; audit; and compliance with internal security policies, government regulations, vendor security requirements, and customer security requirements. The Manager of GRC will oversee the strategic direction, establishment/execution of objectives, and/or people management of the Security and Compliance function. The GRC Manager role will create and manage security compliance policies and procedures. The role will plan, implement, manage, monitor, and upgrade solutions to defend against cyberattacks, hacking attempts, and threats.

Expected Duties:

The Manager of GRC will be responsible for identifying, assessing, and mitigating risk. This may include establishing risk management procedures and processes to ensure adherence to policies

• Expected to specialize in developing, evaluating, and implementing compliance with programs and processes to mitigate cybersecurity risk

• Responsible for ensuring protection of firm and allied assets and information. Conducts security risk assessments, compliance, and cybersecurity audits. Selects, develops, and evaluates personnel to ensure the efficient operation of the function. Managers leading teams responsible for the overall risk to an organization’s business and financial operations, processes, and structures should be matched to Risk Management

• The Manager of GRC will oversee the development, evaluation, and implementation of governance, risk compliance, and processes to mitigate cybersecurity risk and ensure the protection of company and allied assets and information

• The role will research and interpret current and pending laws and regulations, industry standards, and customer and vendor contracts to understand and communicate compliance requirements. Consults with business and technical leadership to ensure that data, processes, and technology are designed for data protection and compliance

• Expected to oversee information security risk assessments and compliance audits; direct the development and operational effectiveness of IT security controls. Monitors investigations and documentation of cybersecurity compliance issues and incidents.

• Reviews information security risk findings and non-compliance with business leaders and proposes solutions to mitigate risks

Qualifications: Knowledge, Skills, and Abilities

• Bachelor’s degree in Information Security, Business Administration, IT, or related field.

• 5–7 years of experience in governance, risk management, and compliance

• Ability to provide guidance to subordinates within the latitude of established MeridianLink policies

• Ability to recommend changes to policies and establishes procedures that affect section or multiple disciplines

• Ability to execute financials, business planning, organizational priorities, and workforce

• Ability to follow processes and operational policies in selecting methods and techniques for obtaining solutions

• Ability to develop and manages operational initiatives to deliver tactical results

• Interacts frequently with subordinate supervisors, customers, and/or functional peer group professionals, involving matters between sections and multiple units

• Responsible for impact partnering with key contacts outside own area of expertise and other external stakeholders

• Ability to effectively communicate and present results and recommendations across discipline

• Hands-on experience with GRC platforms (RSA Archer, ServiceNow GRC, MetricStream) and risk assessment tools

• Experience with SOC 2 Type 2 and PCI audits

Preferred

• CISA (Certified Information Systems Auditor)

• CRISC (Certified in Risk and Information Systems Control)

• CISM (Certified Information Security Manager)

• CISSP (Certified Information Systems Security Professional)

• GRCP (GRC Professional) or CGRC (Governance, Risk & Compliance Certification) for specialized GRC knowledge