Director of GRC

New York, NY, US

Amalgamated Bank

Welcome to America’s socially responsible bank: supporting forward-thinking organizations, companies and people and working to make the world more just, compassionate and sustainable.


Amalgamated Bank is looking for a Director of Governance, Risk Management & Compliance who will be responsible for establishing and maintaining the company’s overall IT and security GRC program, as well as for developing and managing a global, enterprise-wide information GRC program. The role includes implementation and maintenance of policies, as well as a comprehensive controls framework with global third-party risk management. 

The director ensures the company’s technical systems and information assets are protected. Furthermore, the director is responsible for identifying, evaluating and reporting on information security risks that are important for the business to be aware of and act on accordingly. The director works in tandem with security leadership to elevate the company’s security posture. To be successful, the director of GRC must be able to influence and lead the GRC security strategy of the business within new and existing information system capabilities. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business-critical. The GRC program is led by the director, who reports to executive security or risk management leadership within the company.

By joining our team, you’ll be joining a Bank that believes that maintaining a diverse and inclusive workplace where everyone feels valued and respected is essential for us to grow as a company. We are dedicated to building a more equitable world in our everyday practices by embracing the values of our employees and customers.


Essential Job Functions:

  1. In tandem with risk management and security, direct and conduct ongoing risk analysis organization-wide to uphold the GRC program.
  2. Lead and direct the GRC team to document, communicate and enforce areas of security improvement that balance risk with business operations, ensuring controls do not weaken efficiency or business innovation, and provide rigorous oversight of security systems and security configuration administration that reduces risk to enterprise systems and accounts.
  3. Emphasize privacy, security, business resiliency and compliance frameworks.
  4. Establish and maintain a strategy for managing security-related audits, compliance checks and external assessment processes for auditors, including but not limited to the National Institute of Standards and Technology (NIST), Society for Worldwide Interbank Financial Telecommunication (SWIFT), FedLine, the EU’s General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Service Organization Controls (SOC) 2, California Consumer Privacy Act (CCPA), CRI Profile, and other applicable industry standards. Create strong oversight of third parties, vendors and business partners by confirming safeguards against risks identified with external entities. Inspire business units to adopt cybersecurity controls to reduce the attack surface.
    1. Partner with business units when onboarding solutions to ensure adequate controls are available and enabled in production.
  5. Facilitate IT compliance of identified controls – for example, IT general controls (ITGCs), application, cloud and cybersecurity.
  6. Oversee and ensure adequate protection of key information is maintained through data classification, data loss prevention (DLP) and enforcement of records retention requirements.
  7. Act as a key point of contact when GRC team members identify risk to raise awareness with security management and business unit leads on a risk reduction plan.
  8. Oversee findings brought forward through team analysis, requiring thorough documentation and recommendations to report to security leadership where gaps exist.
  9. Engage in continuous professional development with team management, honing direction as well as strategic plans.
  10. Effectively communicate knowledge of GRC controls across business units with a focus on, but not limited to, company practices, procedures, third-party integrations, product development and financials.
  11. Influence and validate metrics used in assessment of security program success and report them regularly to security and business leadership. 
  12. Focus on principles aligning with enterprise risk management fundamentals within security and technology teams to maintain up-to-date configuration documentation for systems and processes. 
  13. Appoint team members to stay abreast in incident response cases and track occurrence and resolution, with strict documentation and reporting.  
  14. Guide team members to align with security, audit and risk management leadership for ongoing security program assessments, as well as annual strategic technology and budgetary directives.
  15. Liaise with auditors, both internal and external, to maintain and implement controls for compliance and privacy laws.
  16. Provide leadership for disaster recovery and business continuity as they relate to security frameworks, compliance and privacy laws.
  17. Perform other duties as assigned. 


Knowledge, Skills and Experience Requirements:

  1. Bachelor’s degree in Computer Science, Information Assurance, MIS or related field or equivalent experience in cybersecurity in one or more roles, including security analyst, compliance and regulations, risk management or audit. 
  2. Demonstrated leadership experience and thorough understanding of various regulatory requirements and laws such as, but not limited to PCI, SOX, GDPR and GLBA.
  3. Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls. 
  4. Preferably at least two years’ experience in Amazon Web Services (AWS), Google Cloud Platform (GCP) and/or Microsoft Azure cloud computing security configuration and management.
  5. Proven understanding of business focus and processes, and ability to inject cybersecurity into the business through teamwork and influence.
  6. High level of integrity and trustworthiness, as well as confidence to represent the company and security leadership with the highest level of professionalism.
  7. Demonstrated experience conducting tabletop exercises for business continuity. 
  8. Capable of working with diverse teams and promoting a positive enterprise-wide security culture.
  9. Ability to obtain and preserve credibility with the team and external constituents through sustained industry knowledge. 
  10. Ability to motivate teammates to achieve excellence and willingly share knowledge.
  11. Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and effective communication.
  12. Organized, efficient self-starter requiring minimal supervision; strong team and organizational management skills, and a track record of delivering GRC projects under tight deadlines.
  13. Understanding of service design, delivery concepts and control frameworks.
  14. Forward thinking with strong business acumen and flexibility.
  15. Highly focused on building and implementing a strong, cohesive team and security culture. 
  16. Outstanding written and verbal, business and cybersecurity communication skills.
  17. CISSP, CISM, CISA, CRISC, GSLC preferable, but not required.


Our job titles may span more than one career level. The starting base salary for this role is between $155,000.00 – $175,000.00. The actual base pay is dependent upon many factors, such as training, transferable skills, work experience, business needs and market demands. The base pay range is subject to change and may be modified in the future.



Amalgamated Bank is an Equal Opportunity and Affirmative Action Employer, Minorities / Females / Individuals with Disability / Veterans. AmeriCorps, Peace Corps and other national service alumni are encouraged to apply. View our Pay Transparency Statement. Submission of a resume or any information regarding your qualifications does not constitute a promise or offer of employment. At Amalgamated Bank, we consider an applicant to be someone who has interviewed at least once, in person, with the hiring manager. Amalgamated Bank does not sponsor applicants for work visas.


Hybrid Work Model

Effective February 18, 2025, employees in office-based positions will be working a Hybrid work schedule consisting of three days or more on-site per week, Monday - Thursday, although the specific days may vary by site or organization, with Friday designated as a remote-working day, unless business-critical tasks require an on-site presence. This Hybrid work model does not apply to, and daily in-person attendance is required for, the contact center, branch service roles, and general services where the work to be performed is located at a Company site; positions covered by a collective-bargaining agreement (unless the agreement provides for hybrid work); or any other position for which the Company has determined the job requirements cannot be reasonably met working remotely. Please note, this Hybrid work model guidance does not apply to roles that have been designated as “remote”.

Search Firm Representatives - Please Read Carefully

Amalgamated Bank does not accept unsolicited assistance from search firms for employment opportunities. All CVs / resumes submitted by search firms to any employee at our company without a valid written search agreement in place for the position will be deemed the sole property of our company. No fee will be paid in the event a candidate is hired by our company as a result of an agency referral where no pre-existing agreement is in place. Where agency agreements are in place, introductions are position specific. Please, no phone calls or emails.