In this role, the Director of Governance, Risk Management & Compliance provides leadership and direction for the company’s GRC requirements. The Director will manage, maintain and enhance the enterprise security risk management program comprising policies, standards and procedures, including communication and awareness of the same; manage a vendor/third-party risk management program for evaluating the cybersecurity and data protection controls of our third-party service providers; oversee the response to client requests; coordinate evidence gathering for SOC2 and other compliance-related audits, assessments and certifications; demonstrate key participation in programs for data governance and incident response; and advise on risk mitigation strategies and provide solutions to business units and corporate entities on new initiatives and existing projects.
The Director focuses on the protection of Convergint’s technical systems and information assets. Furthermore, the Director is responsible for identifying, evaluating and reporting on information security risks that are important for the business to be aware of and act on accordingly. The director works in tandem with security, technology and internal audit leadership to elevate the company’s security posture. To be successful, the director of GRC must be able to influence and lead the GRC security strategy of the business within new and existing information system capabilities. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business critical. The GRC program is led by the Director, who reports to the Chief Security Officer (CSO).
In tandem with internal audit and security, direct and conduct ongoing risk analysis organization-wide to uphold the GRC program. Focused effort on the ongoing security maturation of the security program, where areas of strength are amplified and areas needing improvement are documented. Emphasize privacy, security, business resiliency and compliance frameworks. Document, communicate and enforce areas of security improvement that balance risk with business operations, as well as ensure controls are not weakening efficiencies or business innovation. Establish and maintain a strategy for managing security-related audits, compliance checks and external assessment processes for auditors, including but not limited to, CMMC, the EU’s General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), Service Organization Controls (SOC) 2, California Consumer Privacy Act (CCPA) and other applicable industry standards. Create and manage cybersecurity oversight with third parties, vendors and business partners. Confirm safeguards against risk identified with external entities. Facilitate IT compliance of identified controls – for example, IT general controls (ITGCs), application, cloud and cybersecurity. Oversee and ensure adequate protection of key information is maintained through various cybersecurity tools and processes. Act as a key point of contact when technical risks are identified to raise awareness with security management and business unit leads on a risk reduction plan. Play a key role in the vendor risk assessment process and ensure all business units follow and uphold process rigor. Oversee findings brought forward through team analysis, requiring thorough documentation and recommendations to report to leadership where gaps exist. Maintain a high degree of knowledge with current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. 
Effectively communicate knowledge of GRC controls across business units with a focus on, but not limited to, company practices, procedures, third-party integrations, product development and financials. Contribute to the development of key metrics used in assessment of security program success and report them regularly to security and business leadership. Focus on principles aligning with enterprise risk management fundamentals within security and technology teams to maintain up-to-date configuration documentation for systems and processes. Stay abreast of incident response cases and track occurrence and resolution, with strict documentation and reporting. Align with security, audit and risk management leadership for ongoing security program assessments, as well as annual strategic technology and budgetary directives. Liaise with auditors, both internal and external, to maintain and implement controls for compliance and privacy laws. Perform other duties as assigned.
Core Competencies:
At least 15+ years’ experience in cybersecurity in one or more roles, including cybersecurity, compliance and regulations, risk management or audit. 10 or more years’ experience managing distributed team personnel. Demonstrated leadership experience and thorough understanding of various regulatory requirements and laws such as, but not limited to, PCI, SOX, HIPAA, HITRUST, GDPR and GLBA. Proven understanding of business focus and processes, and ability to inject cybersecurity into the business through teamwork and influence. Strong team and organizational management skills, and track record of delivering GRC projects under tight deadlines. Ability to obtain and preserve credibility with the team and external constituents through sustained industry knowledge. Demonstrated project management, multitasking and organizational skills. Forward thinking with strong business acumen and flexibility.
Technical Skills:
Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls. Preferably at least five years’ experience in vulnerability and configuration management within both on-premises environments and IaaS cloud partners. Experience implementing a GRC platform (e.g., Archer, ServiceNow, AuditBoard, Securends, or similar).
Behavioral Skills:
Excellent collaboration and stakeholder engagement skills. Highly focused on building and implementing a strong, cohesive team and security culture. Influential leadership qualities. Organized, efficient self-starter requiring minimal supervision. High level of integrity and trustworthiness, as well as confidence to represent the company and security leadership with the highest level of professionalism. Capable of working with diverse teams and promoting a positive enterprise-wide security culture. Ability to motivate teammates to achieve excellence and willingly share knowledge. Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and effective communication. Outstanding written and verbal, business and cybersecurity communication skills.
Education:
College degree or equivalent experience. Master’s degree is desirable.
Experience:
At least 15+ years’ experience in cybersecurity in one or more roles, including security analyst, compliance and regulations, risk management or audit. 10 or more years’ experience managing distributed team personnel.
Certifications:
CISSP, CISM, CISA, CRISC, CGEIT, CFE preferable.
Scope and Impact:
This role influences global technology, security and operations, impacting all Convergint regions and supporting the development of consistent risk management practices. Policies, Standards and Procedures will apply to Convergint globally.
Work Environment:
This role is remote but requires flexibility for global time zones and up to 10% travel annually.
Performance Metrics:
Successful implementation of GRC platform/Risk Register. SOC2 Type 2 compliance after year one. Achieve CMMC certification within 1 year of hire. Positive feedback from regional leaders on explaining risk to the business and influencing risk mitigation strategies across the company.
Please note that this job posting includes salary information for the assigned target market range within the primary geographic region the requisition is posted. If the position is posted in multiple locations or is a remote position, the salary range may vary. Individual pay rates will, of course, vary depending on the job, department, and location, as well as the individual skills, experience, certifications, specific licenses, and education of the applicant.