Description of Position:
The Information Security Governance Risk Compliance (ISGRC) Program Manager is a key member of the organization’s independent Information Security function in its second line of defense. The role is responsible for developing, managing and executing the organizations Information Security Governance, Risk, and Compliance Programs.
This role reports directly to the Chief Information Security Officer and the level of work required is considered advanced and the associate must be able to work under minimal supervision. This role does not have any direct reports.
The cybersecurity team is primarily located in Racine WI however work seating is possible in Milwaukee, Madison, Green Bay, Kenosha regions area's and would require frequent visits to Racine WI.
Tasks and Responsibilities:
- Evaluate and recommend updates to the organization's security and supporting management policies considering the impact of regulatory compliance and implementation of industry good practices.
- Govern/oversee the Information security program and plan.
- Establish an information security risk management strategy, process and program.
- Support the organization’s annual information technology Risk and Controls Self-Assessment (RCSA) and the update of Independent Security’s view of the IT RCSA each quarter.
- Ensure Risk and Control content in the organizations Governance, Risk and Compliance software (RSA Archer) is reflective of the Risk and Control environment.
- Evaluate whether appropriate technical and administrative controls are in place and aligned with the organization's business needs and strategic direction relative to all aspects of security and related compliance.
- Manage and expand continuous monitoring capabilities designed to measure changes to the organization’s threat environment and the effectiveness of the security controls.
- Ensure controls meet legal, regulatory, privacy, policy, standards and security requirements.
Required skills, abilities, and certifications
- Conduct audits, risk assessments, risk scores and interpretation as needed.
- Execution of periodic and comprehensive cyber risk assessments
- Communicate, manage and escalate findings and exceptions to audits and assessments.
- Monitoring and consulting on open risk items pertaining to Information Security.
- Develop and maintain strong business partnerships with business partners to integrate information security risk management into support and business functions. Partners include: Enterprise Risk Management, Information Technology, Internal Audit, Vendor Management, Information Security, and Lines of Business.
- Prepare and present relevant information about the company’s security program.
- Bachelor’s degree required. Master’s degree in computer science, information systems, information security, information risk, or a related field a plus but not required.
- Active candidate for at least one relevant certification, including but not limited to Certified in Risk and Information Systems Control (CRISC), Certification in Risk Management Assurance (CRMA), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), GRC Professional (GRCP) and/or similar risk management / IT assurance certifications.
- Two year minimum experience in related field. Individuals with 5-7+ years' experience preferred in an IT Risk capacity.
- Preferred 5+ years in Financial Services or heavily regulated industry.
- Experience contributing, maintaining, or overseeing an Information Security Governance, Risk and/or Compliance function.
- Practical work experience in an Information Security, Enterprise Risk Management, Compliance, or Information Technology, Audit or Compliance function.
- Demonstrated experience in an IT audit, risk or compliance role, with a strong understanding of IT risk and control concepts.
- Proven experience with IT risk and compliance frameworks such as NIST (preferred), ISO, COBIT, COSO, COBIT, etc.
- Proven ability to identify and assess the severity and potential impact of risks.
- Demonstrated ability to communicate risk assessment findings to risk owners in a respectful and collaborative manner, which promotes efficient and effective risk remediation balanced with business needs.
Computer Skills and Knowledge of Hardware & Software Required:
- Strong preference to candidates with experience managing risk with a Governance, Risk Compliance (GRC) software system (RSA Archer).
- Strong proficiency in the use of Microsoft Office, particularly Word, Excel, PowerPoint.
- Excellent oral and written communication skills.
- Effective interpersonal skills, which allow candidate to relate well to all levels of management.
- Managerial courage to confront difficult issues with the appropriate response and communicate appropriately and in a timely manner with all stakeholders in those issues.
- Strong written and verbal communication skills required.
- Strong analytical skills