Governance, Risk, and Compliance Specialist
Listed on 2025-12-27
IT/Tech
Cybersecurity, Data Security, Information Security
About NY Creates
NY Creates serves as a bridge for advanced electronics, leads projects that advance R&D in emerging technologies, and generates the jobs of tomorrow. NY Creates also runs some of the most advanced facilities in the world, boasts more than 3,000 industry experts and faculty, and manages public and private investments of more than $25 billion - placing it at the global epicenter of high‑tech innovation and commercialization.
Job Description for Governance, Risk, and Compliance Specialist
JOB SUMMARY
The Senior Governance, Risk, and Compliance Specialist (GRC) is the organization's authoritative governance, risk, and compliance strategist and execution lead, responsible for maturing and operationalizing a risk‑aware, evidence‑driven GRC program across NY Creates (NYC). This role owns the full lifecycle of enterprise risk assessments and risk register governance, third‑party vendor risk management, the cybersecurity policy and standards framework, internal audit program design and execution, and training and awareness strategy.
With advanced expertise in quantitative and qualitative risk modeling, control framework mapping, regulatory interpretation, and audit defense, the Senior GRC Specialist drives cross‑functional alignment, automates compliance workflows, and delivers executive‑ready risk intelligence that directly informs strategic decision‑making. The incumbent operates with strategic foresight, diplomatic influence, and rigorous analytical discipline to ensure NYC's continuous NIST 800‑171, CMMC 2.0, NSPM‑33, and ITAR/EAR compliance posture in a federally funded research environment.
Job Responsibilities include but are not limited to:
- Lead enterprise risk assessment program: design methodology, facilitate workshops, perform threat modeling, quantify likelihood and impact, and maintain a dynamic risk register with residual risk tracking and KRIs.
- Own third‑party risk management framework: develop tiering model, author due diligence questionnaires, lead evidence reviews, negotiate contractual security clauses and enforce continuous monitoring via automated feeds.
- Architect and govern cybersecurity policy hierarchy: author, socialize, and enforce policies, standards, and procedures; ensure bi‑directional traceability to NIST 800‑53, CMMC 2.0, and CIS Controls.
- Design and execute internal cybersecurity audit program: scope annual plan, perform control testing, issue findings with root cause analysis, and validate remediation effectiveness.
- Strategize and scale training and awareness program: develop role‑based curriculum, integrate gamified phishing simulations, measure cultural maturity, and report behavioral risk trends to leadership.
- Produce integrated GRC dashboards and board‑level reports: risk heatmaps, compliance posture, control effectiveness, vendor risk exposure and audit readiness.
- Lead preparation for external assessments: CMMC Joint Surveillance, DIBCAC audits, and insurance cyber risk evaluations; serve as primary point of contact.
- Implement and administer enterprise GRC platform: configure risk, policy, vendor and audit modules; automate workflows, evidence collection and reporting.
- Chair risk committee meetings: present new risks, challenge mitigation plans, and secure executive approval for risk acceptance or treatment strategies.
- Drive GRC process automation and integration with ITSM, SOAR and CMDB for real‑time compliance visibility and control validation.
- Mentor Junior GRC Specialist and cross‑functional control owners; establish GRC Center of Excellence and internal audit training pathways.
- Critical thinking to perform scenario‑based risk analysis, challenge assumptions and align compliance with mission objectives.
- Ability to translate technical control failures into business impact and regulatory exposure.
- High degree of initiative, dependability and ability to influence without authority across all organizational levels.
- Effective oral & written communication skills, including policy authorship, audit report writing and C‑level risk presentations.
- Other reasonable duties as assigned.
Minimum Requirements for Governance, Risk, and Compliance…