GRC Lead

Key Responsibilities

Governance Risk and Compliance

• Advise project teams, application owners, infrastructure services, and other IT teams on information security controls, such as access management, incident handling, business continuity, system development lifecycle, threat and vulnerability management, and data protection.
• Identify and manage risks and vulnerabilities, providing strategic mitigation recommendations.
• Continuously improve policies and procedures related to controls and operational processes.
• Develop and deliver precise and timely metrics and reports.
• Third-Party Risk Management: Conduct risk assessments of new and existing third-party vendors to ensure compliance with company policies and regulatory requirements. This includes reviewing security controls, attestation reports, compliance certifications, and pertinent policies and processes related to threat and vulnerability management.
• Client Due Diligence: Manage and respond to due diligence inquiries from clients, providing accurate and timely information to support their compliance and risk assessment processes, while ensuring adherence to company policies and regulatory standards.
• Training and Awareness: Develop and deliver training programs to educate internal stakeholders and third-party vendors on information security best practices and risk management procedures. This includes annual mandatory training, simulated phishing campaigns, and ongoing firm-wide communications.
• Transferred Employees: Maintain a workflow designed to review the access of transferred employees.
• Facilitate a risk acceptance program aimed at enhancing governance surrounding potential deviations from information security policies.

Compliance & Auditing

• Demonstrated expertise in managing and addressing complex audits and compliance issues.
• Support organizational compliance by ensuring security controls align with regulatory and industry standards (e.g., NIST, ISO 27001, DORA).
• Provide evidentiary support for Audit and Compliance teams.
• Oversee the remediation process for findings originating from internal and external audits, risk assessments, and other control evaluations.

Mentoring & Knowledge Sharing

• Mentor junior team members across processes and technical concepts.
• Conduct technical training and knowledge-sharing sessions to ensure effective execution of the processes.

Key Professional Competencies

• Exceptional analytical, problem-solving, and decision-making skills.
• Outstanding written and verbal communication skills in English.
• Experience working with global teams across multiple time zones, cultures, and languages.
• Proficient in communicating technical concepts and complex solutions to a general audience, including non-technical stakeholders.
• Strong understanding of cybersecurity frameworks and practices to safeguard organizational assets.
• Ability to stay abreast of emerging technologies and evolving regulatory landscapes.
• Skilled in developing and maintaining strong partnerships with relevant businesses and technical teams, including third parties.
• Adept at handling multiple tasks and prioritizing work under pressure.
• Collaborative mindset with a focus on teamwork and knowledge sharing.
• Strong work ethic and sense of discipline.

Technical Expertise

• Ticket management solutions (e.g., Provance).
• Information Security Training platforms (e.g., Ninjio).
• Third-Party Risk Management solutions (e.g., Venminder, CyberGRX, Upguard)
• Microsoft O365 products (e.g., Word, Excel, PowerPoint, Teams, etc.)

Education

Bachelor’s degree in Information Technology, Cybersecurity, Business Administration, or a related field (or equivalent experience).  

Experience

6+ years of experience in Governance Risk and Compliance with a focus on cybersecurity and technology management.

Certifications (preferred but not required)

CISA, CRISC, CISM, CISSP or similar certifications.