Cybersecurity Governance, Risk, & Compliance (GRC) Lead
Carmel, Indiana, United States
enVista is the leading supply chain and enterprise consulting firm and the premier provider of supply chain technology & strategy services, material handling automation & robotics, Microsoft solutions and IT managed services. With 20+ years of unmatched domain expertise, enVista serves thousands of leading brands. enVista’s unique ability to consult, implement and operate across supply chain, IT and enterprise technology solutions allows companies to leverage enVista as a trusted advisor across their enterprises.
Our associates are on the front lines of commerce, supply chain and technology – developing innovative solutions that improve profitability, reduce waste and positively impact the world. Through onboarding and training, employee awards & recognition, volunteer committees & affinity groups and mentoring, enVista hires and grows top talent. Together, we work, grow and lead our market as a high-impact organization.
The GRC Lead will play a key role in ensuring a secure, resilient, and compliant enVista. As a core member of the enVista Information Security team, the Lead will serve as enVista’s primary subject matter expert for IT Governance, Risk, & Compliance. Responsibilities will include ensuring enVista’s compliance with applicable IT compliance frameworks and customer requirements, identification and reporting of IT risks, and information security program alignment with cybersecurity best practices. The Lead will collaborate closely with internal teams and stakeholders and will support clients through response to client security inquiries.
Primary responsibilities:
- Architect, implement, and maintain information security policies and procedures to strengthen the organization’s security posture
- Develop and oversee the implementation of a unified IT control framework for enVista’s managed services organization
- Lead the annual SOC 2 audit process including thorough planning, execution, and reporting
- Oversee ongoing compliance reviews, including those for access and change control
- Build out an initial risk management program and mature it over time. This will include the implementation of a risk management process, execution of risk assessments, exceptions management, and maintenance of enVista’s IT risk register.
- Set up an initial IT third-party risk management (TPRM) program to monitor and manage the risk profile of enVista’s IT vendors
- Establish a roadmap to achieve ISO 27001 certification and HIPAA audit completion
- High-level coordination of Business Continuity and Disaster Recovery planning and exercises
- Coordinate responses to customer security questionnaires and the evaluation of Information Security terms included in customer agreements.
- Support Legal Team policy, privacy, and data protection initiatives
- Collaborate with the sales and customer relationship teams to ensure security is a key factor in customer acquisition and retention strategies
- Monitor the legal, regulatory, and compliance landscape to identify impactful framework changes and report potential program gaps to enVista management
- Identify and report on key cybersecurity metrics
- Perform quality assurance of security incidents to ensure appropriate resolution and documentation
- Future oversight of training and awareness activities
- Own relationships with auditors and GRC product vendors
- Configure and maintain the GRC toolset
- Periodic travel to client sites, conferences, or industry events (20% or less)
Qualifications:
- Bachelor’s degree in Computer Science, Management Information Systems, Accounting, Information Security, Cybersecurity, or a related field
- 7 to 10+ years of experience with a background in cybersecurity, IT compliance, IT risk management, and/or IT audit. Experience implementing or auditing an ISO 27001 ISMS will be a differentiator.
- At least one of the following certifications: CISSP, CISM, CISA, CRISC, or ISO 27001 Lead Implementer/Auditor certification
- Detailed knowledge of control and security frameworks, particularly the AICPA Trust Services Criteria (SOC 2), ISO 27001, NIST CSF, and HIPAA/HITECH/HITRUST
- Prior experience working with or auditing Microsoft Azure, Microsoft Active Directory (AD), Microsoft Entra ID, Microsoft Purview, Okta, and Cisco Duo would be helpful
- Prior experience implementing and maintaining GRC tools such as AuditBoard, OneTrust, Vanta, Drata, RiskRecon, and SecurityScorecard will also be beneficial
- Experience within a Managed Security Service Provider (MSSP) environment
- Ability to communicate and drive for optimal security outcomes across all levels of the organization and engage with current and prospective clients
- Excellent verbal and written communication skills
- Comfortable with providing guidance and mentoring to less experienced staff
- Proficient with Microsoft Office Suite and Office 365 (e.g., Teams, SharePoint)
- The successful candidate will be required to be present, in-person, Monday – Thursday in enVista’s Carmel, Indiana office and work from home Fridays
Benefits of Joining enVista:
- Competitive Compensation & Bonuses
- Medical, Dental & Vision Insurance
- Paid Time Off, Holidays & Volunteer Days
- Life Insurance, Short/Long Term Disability
- Paid Sabbatical Program
- 401k with Company Matching
- Flexible Work Opportunities
- Paid Sabbatical After Seven Years of Service
- Employee Referral Bonus
At enVista, diversity, equity & inclusion (DE&I) are part of our core values that we proactively foster and build upon. We are a ‘learning’ versus ‘knowing’ organization that values and welcomes diverse perspectives, ideas, beliefs and cultures as we aim to shape the technology, industries and world of the future.