Governance, Risk, & Compliance (GRC) Senior Manager/Director
About Waterleaf and Cyberleaf
Waterleaf International, an engineering, cybersecurity and science-based defense and networking contractor, is seeking a full-time Senior Manager/Director of Governance, Risk & Compliance. Through its Cyberleaf™ Managed Cybersecurity Service, Waterleaf offers cybersecurity-as-a-service and related professional services, including Pen Testing, vCISO, DFIR and GRC offerings, to customers of all sizes across a broad range of industry verticals.
Waterleaf hires, trains, and promotes the best and brightest for upward mobility and the opportunity to grow and succeed. We offer excellent benefits (Medical/Dental/PTO/Tuition) and more.
Waterleaf offers a forward-leaning culture – that means our focus and direction is on people, intellect, process and deliverables. Our people include employees, contractors, and customers, all of whom have inherent value and contribute not only to our mission of defending our country but also to the communities we each live in.
We support professional and individual growth and provide dynamic, fascinating, and supportive work environments. Talk to us about the ability to have great financial and personal gains in a thriving and vital environment.
Summary
Reporting directly to the Chief Operating Officer, the Head of Security Governance, Risk, and Compliance (GRC) is instrumental in guiding the company's GRC strategies and processes internally and is the lead advocate for customers. In this customer-facing role, the Head of Security GRC needs to build on or define the company's professional service offerings, spanning compliance, advisory and assessment categories, and oversee or directly deliver services to clients. The Head of Security GRC will develop prospects, close and deliver on GRC projects. The ideal candidate will have the experience and capacity to also recruit, hire, and train subordinates to address the growing needs of the company.
As the primary GRC authority, this leader ensures the alignment of the company and customer risk management framework with its business objectives and regulatory requirements. A vital addition to the team, the Head of Security GRC significantly contributes to the company's overall strategy and goals by establishing robust compliance mechanisms and effective risk mitigation measures.
The successful candidate will possess a balanced combination of profound technical expertise and an established background in GRC as well as in IT Consulting and Advisory Services. The candidate will have experience conducting Cyber Risk Assessments (CRA), Third Party Risk Assessments and other programs required by the company and its customers. This role demands comprehensive and extensive knowledge, particularly in the areas of corporate governance, risk management, regulatory compliance, and the creation of enterprise-wide GRC policies, as well as extensive knowledge of cybersecurity practices. The Head of Security GRC should be equipped to identify and address potential vulnerabilities, while proactively enhancing the company's overall GRC posture.
Responsibilities
- Client Engagement: Primary point of contact responding to Client Due Diligence and RFPs and leading this practice as a professional service.
- Strategy Development: Define, develop, and oversee the implementation of the GRC strategy externally for business development and sales and aligned with the company's business goals and legal requirements.
- Policy & Procedure Management: Develop, maintain, and oversee GRC policies and procedures for clients and the company to ensure they are in accordance with applicable laws, regulations, and industry standards, including but not limited to those governed by SEC, FINRA, OCC, HIPAA, CMMC, NIST, NFA, FCA, MAS, and other global financial regulators.
- Risk Management: Identify, assess, and monitor enterprise risks, including strategic, operational, financial, privacy, and cybersecurity risks. Implement risk mitigation strategies and mechanisms to address identified risks and potential non-compliance.
- Regulatory Compliance: Maintain a current understanding of relevant laws and regulations to ensure the organization achieves and sustains compliance. Proactively monitor and respond to regulatory changes and updates.
- GRC Reporting: Create comprehensive GRC reports for the executive leadership and board of directors that provide clear insights into the company's risk profile, compliance status, and governance effectiveness.
- Training & Awareness: Oversee the creation and implementation of a GRC awareness and training program to ensure that employees are aware of the role they play in maintaining good governance and compliance.
- Third-party Management: Manage and monitor the GRC aspects of third-party relationships to ensure that vendors and partners are adhering to the company's GRC policies and relevant regulations.
- Audit Management: Coordinate with internal and external auditors to facilitate audits, with the goal of assuring compliance and addressing potential issues proactively.
- Incident Response: Develop and implement an incident response plan to handle GRC-related incidents effectively, including data breaches or non-compliance events. Coordinate annual incident response table-top exercises.
- Continuous Improvement: Regularly review and refine the company's GRC practices, leveraging technology and industry best practices to drive efficiency and effectiveness.
Qualifications
- Bachelor of Science Degree in Information Security or related field, or equivalent years of experience
- CISSP, CISA, Security+, CED, CIH+, HITRUST (CCSFP) or related certification in security operations and engineering
- Seven or more years of experience in Information Security, working with GRC tools and methodology
- In-depth Knowledge of Relevant Laws and Regulations: This includes an understanding of data protection laws such as GDPR and CCPA, as well as other regulatory frameworks relevant to the specific industry and location of the business.
- Risk Management Skills: Ability to identify, analyze, and effectively mitigate or manage enterprise risks. Familiarity with risk management frameworks and methodologies is essential.
- Strategic Thinking and Leadership: Strong ability to lead and manage the GRC function, develop and execute strategic plans, and guide the organization towards its GRC objectives.
- Communication and Presentation Skills: Excellent written and verbal communication skills, with the ability to present complex GRC issues and strategies clearly to various stakeholders, including the executive team and board of directors.
- Analytical Skills: Strong ability to analyze complex data, interpret compliance requirements, and develop effective solutions.
- Project Management Skills: Proficiency in planning, executing, and monitoring multiple projects simultaneously to ensure they are completed on time and within budget.
- Sales and Business Development Skills: The ability to create presentations, respond to RFPs, develop close and long-standing relationships with customers, and convey value propositions resulting in closed sales and revenue attainment.
- Negotiation and Influencing Skills: Ability to negotiate with, influence, and secure buy-in from various stakeholders, both internal and external, to achieve GRC objectives.
- IT Proficiency: Familiarity with the use of GRC technology solutions, as well as a broad understanding of information security principles and best practices.
- Continuous Learning: A commitment to keeping up to date with the latest developments in the GRC field, including evolving laws and regulations, emerging risks, and best practices in GRC management.
Some attributes we value:
- You practice continuous learning to expand your skills and your knowledge beyond the current assignment. You think therefore you are.
- You are developing subject matter expertise in at least one area and are passionate about the field.
- You prefer working in a collaborative environment. You embrace the team player concept with your willingness to share knowledge, to jump in and help colleagues, to ask for help when you need it, etc. No person is an island.
- You are a brilliant communicator. Deliverables are well written. You easily communicate with customer, technical and management personnel at multiple levels.
Our team is varied and lives throughout the US with HQ in SW FL and offices in Atlanta and MD/DC. We primarily work remotely and have lab, testing and staging areas as well.
Compensation Details
The base salary range for this role is $100,000-$130,000 and is eligible for participation in annual performance bonuses and long-term stock incentive units. Compensation may be more or less than the posted range, and the range may be modified in the future.
Note: No amount of pay is considered wages or compensation until earned, vested, and determinable. The amount and availability of any bonus, commission, production, or any other form of compensation that are allocable to a particular employee remains in the Company's sole discretion unless and until paid and may be modified at the Company’s sole discretion, consistent with the law.
Benefits:
- 401(k) matching
- Dental insurance
- Flexible schedule
- Health insurance
- Paid time off
- Professional development assistance
- Vision insurance
- Maternity/Parental Leave
But wait, there's even more
What We Provide:
- Competitive compensation structure - We believe in above-average compensation for our above-average team members.
- Generous time off - Our team enjoys extensive PTO/Vacation, plus paid holidays and maternity/parental leave for new parents.
- Healthcare - We have you covered. Health, vision, dental and life plans, for you and your family. See our benefits above.
- Grow with us - We offer our team every chance to learn and grow their skills while helping shape the future of our company.
How to Apply:
Thank you for including us in your job search. Please submit your resume and a cover letter to let us know why you feel we are a good match. All applications are reviewed quickly because we respect your time. Please make note that due to potential Federal contract requirements, applicants must be US citizens.
Due to the volume of applications, only shortlisted candidates will be contacted.
Waterleaf has preferred agency relationships and does not accept unsolicited agency resumes. Please do not forward resumes to our jobs email address, our employees or mail to our office locations. Waterleaf is not responsible for any fees related to unsolicited resumes. Waterleaf is an equal opportunity employer who values diversity in our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. In fact, we know that the most inclusive and diverse teams accomplish the most extraordinary results!