Director, Information Security, Governance, Risk and Compliance (GRC) @ Consensus Cloud Solutions | Jobright.ai

Consensus Cloud Solutions · 2 days ago

Director, Information Security, Governance, Risk and Compliance (GRC)

Industry: Information Services · Information Technology


Responsibilities

Manage the organization's security risks, risk registers, and treatment plans. Coordinate with business stakeholders and lead point-in-time and annual security risk assessments on SaaS, IaaS, and PaaS products and solutions. Lead GRC participation in the SDLC to ensure compliance with policy requirements.
Lead a team of information security GRC professionals to streamline and accomplish security certifications and attestations on SaaS, IaaS, and PaaS products and solutions covering HITRUST, ISO 27001, SOC 2, PCI, and FedRAMP annually, demonstrating cybersecurity assurance internally and to customers.
Collaborate with staff across multiple products and departments, including Engineering, Product Development, IT, Network Operations, Project Management, Sales, Marketing, Legal, Internal Audit, HR, and external partners to maintain a world-class security risk and compliance posture for the company.
Conduct company-wide security training, phishing simulations, and awareness programs to educate employees on security best practices and reduce the risk of security incidents.
Perform security vendor risk assessments to evaluate and manage third-party security risks, ensuring all vendors meet the company’s security standards.
Develop and maintain a customer-facing trust center to provide transparency and build customer trust by clearly communicating the company's security practices and certifications.
Handle security inquiries from customers promptly and accurately, enhancing customer confidence in the company’s security posture.
Manage information security audits to assess and improve the company’s security posture and ensure continuous compliance with industry standards and regulatory requirements.
Coordinate business continuity exercises with the BCP owners to prepare for and respond to potential disruptions, ensuring the company's operational resilience.
Implement continuous real-time monitoring with security operations to identify and address non-conformities, security configuration baseline drifts, security risks, and threats while maintaining a proactive security stance across all products.
Provide executive and board of directors reporting on the company's security status, initiatives, and risk management efforts to ensure informed decision-making at the highest levels.
Develop and enforce robust security policies and procedures that align with the organization's goals and objectives, ensuring comprehensive security coverage and compliance across all products.
Align security initiatives with the company’s strategic goals to ensure that all solutions remain secure, reliable, and trusted by customers, supporting the company’s overall mission and business objectives.
Manage the design and implementation of GRC tooling and applications to ensure budget alignment and full utilization.
Manage programs and projects for GRC functions to ensure milestones are met and initiatives are on track within budget.
The role is crucial in overseeing the design and implementation of the organization's information security GRC program, including vendor risk, cloud security compliance, risk management, and organizational, administrative, and technical security controls. They ensure that security compliance is integral to the cloud technology stack.
Identifying, selecting, and implementing information security GRC tools and technologies that align with the organization's security program is an essential responsibility. This may include GRC platforms, training and awareness systems, third-party risk management solutions, and identity management systems.
Providing guidance and expertise to development and IT teams on designing and implementing secure and compliant solutions is critical. The role helps teams make informed decisions about technology and compliance choices that prioritize security.
Perform other duties and responsibilities as required, assigned, or requested. Consensus reserves the right to add or change duties at any time.

Qualification

Skills: Information Security, GRC Platforms, Risk Management, AWS Cloud Technologies, Security Certifications, Training Development, Vendor Risk Assessments, Customer Trust Building, Security Audits, Product Security Certifications, Business Continuity, Continuous Monitoring, Risk Mitigation Strategies, Compliance Management, Regulatory Requirements, Incident Response, Security Operations, Security Policies, Information Security Governance, Security Strategies, Customer Expectations, Compliance Framework, Mentoring, Penetration Testing, Code Reviews, Security Tools, Threat Intelligence, Cybersecurity Trends, Problem-Solving, Communication

Required

10+ years experience in Information Security GRC role.
8+ years of experience with GRC platforms for risk register management.
6+ years of experience with Third-Party Risk Management (TPRM) platforms for risk register management.
6+ years of experience with AWS cloud technologies.
5+ years of experience leading and managing GRC professionals or equivalent experience.
Holding relevant security certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified Information Systems Auditor (CISA) that are active and in good standing or ability to obtain within 12 months of hire.
Proficiency in developing and conducting company-wide security training, phishing simulations, and awareness programs to educate employees on security best practices and reduce the risk of security incidents.
Experience in performing security vendor risk assessments to evaluate and manage third-party security risks effectively, ensuring vendors meet the organization’s security standards.
Ability to develop and maintain a customer-facing trust center to provide transparency and build trust with customers by clearly communicating the company’s security practices and certifications.
Skill in handling security inquiries from customers promptly and accurately, enhancing customer confidence in the organization’s security posture.
Experience in managing information security audits to assess and improve the company’s security posture and compliance with industry standards and regulatory requirements.
Proficiency in overseeing product security certifications to ensure all products meet necessary security requirements and maintain their certifications.
Knowledge of business continuity exercises and the ability to coordinate and conduct them to prepare for and respond to potential disruptions, ensuring operational resilience.
Ability to implement continuous monitoring and assessment programs to identify and address security threats in real time, maintaining a proactive security stance.
Experience in providing executive and board of directors reporting on the company’s security status, initiatives, and risk management efforts to ensure informed decision-making.
Skill in developing and enforcing robust security policies and procedures that align with the organization’s goals and objectives, ensuring comprehensive security coverage.
Ability to develop, update, and enforce information security policies, standards, and procedures that align with industry and regulatory requirements while ensuring they are practical and effective for cloud-based solutions and infrastructures like AWS.
Proficiency in identifying, assessing, prioritizing, and managing information security risks and experience in developing risk mitigation strategies for SaaS, IaaS, and PaaS-based products and solutions.
Knowledge of regulatory requirements (e.g., GDPR, HIPAA) and experience managing compliance assessments, audits, and regulatory inspections on cloud-based products and solutions.
Security Certifications and Attestations: Experience in achieving and maintaining security certifications and attestations on cloud-based products and solutions (e.g., HITRUST, ISO 27001, SOC 2, PCI, FedRAMP) and ability to manage audit preparations and responses.
Ability to collaborate effectively across departments, including Engineering, Product Development, IT, Network Operations, Project Management, Sales, Marketing, Legal, Internal Audit, HR, and external partners.
Understanding of security operations and incident response procedures, and experience collaborating with security operations teams to ensure effective incident response for on-premise and cloud-based systems.
Ability to perform security vendor risk assessments and manage third-party security risks effectively.
Experience in developing and conducting company-wide security training, phishing simulations, and awareness programs.
Experience coordinating business continuity exercises and maintaining business continuity and disaster recovery plans.
Ability to implement and manage continuous monitoring and assessment programs to identify and mitigate security risks in real time.
Strong written and verbal communication skills, with experience preparing and presenting reports and recommendations to senior leadership and the board of directors.
Ability to align security initiatives with the company’s strategic goals and business objectives, and experience in developing and executing security strategies.
Ability to develop and enforce robust security policies and procedures that align with organizational goals and objectives.
Commitment to ethical behavior and integrity in all aspects of information security governance, risk, and compliance.
Strong analytical and problem-solving skills, with the ability to analyze complex issues and propose practical solutions.
Ability to adapt to changing business needs and priorities and resilience to handle setbacks and challenges while maintaining a positive approach.
Commitment to understanding and meeting the security needs and expectations of customers and experience in building customer trust through transparent security practices.
Ability to design and implement a unified security compliance framework to streamline security audits and secure network, system, and application architecture.
Experience managing and mentoring a team of information security GRC specialists.
Ability to conduct or oversee penetration testing, code reviews, and security assessments.
Experience coordinating and responding to security incidents, including investigation, containment, and recovery.
Ability to select and implement security tools and technologies to enhance security posture.
Experience conducting security audits and reporting to senior management regularly.
Ability to stay informed about emerging cybersecurity threats and incorporate threat intelligence into security strategies.
Solid technical understanding of cybersecurity technologies, protocols, and trends, kept current.

Preferred

Bachelor's degree in computer science, information technology, cybersecurity, or equivalent experience. A master's degree may be preferred.
Typically 6-8 years of experience in cybersecurity and information security roles.
Proven experience in security compliance, risk management, and integrating security compliance into software development processes.
Proficiency in various cybersecurity technologies and tools, including security training and awareness tools, vendor risk management tools, and security compliance and risk register tools.
Hands-on experience with security assessment and security benchmarking testing tools.
Familiarity with security information and event management (SIEM) systems.
Experience in deployment of cloud controls for infrastructure, platform, and applications (IaaS/SaaS/PaaS), specifically within AWS.

Benefits

Annual performance bonus
ESPP
Enhanced time off packages and benefits

Company

Consensus Cloud Solutions

Consensus Cloud Solutions is an information technology firm that specializes in digital cloud faxing.

Funding

Current Stage
Late Stage

Leadership Team

Scott Turicchi, Chief Executive Officer
Jeffrey Sullivan, Chief Technology Officer
Company data provided by crunchbase