Cybersecurity GRC Manager, FCH - IT - Security

Job in Appleton, Outagamie County, Wisconsin, 54911, USA
Listing for: Froedtert Health
Full Time position
Listed on 2026-05-30
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 80000 - 100000 USD Yearly
Position: Cybersecurity GRC Manager, FCH - IT - SECURITY

#Be Here

Location: US: WI: MENOMONEE FALLS at our WOODLAND PRIME 400 facility. This job is remote.

FTE: 1.000000 | Standard Hours: 40.00

Shift: Flexible 1st shift between 7 am and 5 pm

Job Summary

Healthcare security isn’t a compliance checkbox problem — it’s a patient safety problem. At Froedtert Theda Care, the Cybersecurity GRC Manager owns the program that connects our governance posture to real‑world risk outcomes for patients, clinicians, and the communities we serve across Wisconsin. This is a high‑visibility, high‑autonomy leadership role inside a Cybersecurity & Infrastructure team that operates with strategic intent and operational rigor.

You will build and run a team of 5+ GRC professionals, serve as the internal subject matter authority on compliance and risk, and translate complex regulatory requirements into actionable programs that the broader organization can execute against.

People Leadership
  • Lead, mentor, and grow a team of 5+ GRC analysts and specialists across compliance, risk, policy, and awareness domains
  • Establish clear role expectations, development pathways, and performance standards for each team member
  • Foster a team culture that balances rigor with pragmatism — we care about outcomes, not just documentation
HIPAA & Healthcare Compliance
  • Serve as the organization’s functional lead for HIPAA Privacy and Security Rule compliance, including ongoing gap assessment and remediation tracking
  • Coordinate with Legal, Privacy, and Clinical Operations to ensure compliance obligations are understood and operationalized across the enterprise
  • Oversee preparation for and response to regulatory inquiries, OCR investigations, and audit activity
Risk Management & Third‑Party Risk
  • Own the enterprise cybersecurity risk register, ensuring risks are identified, assessed, prioritized, and tracked to resolution
  • Lead the third‑party risk management program, including vendor onboarding assessments, ongoing monitoring, and risk‑tiering across the supply chain
  • Develop risk reporting for executive and board audiences, translating technical risk into business impact language
Policy & Controls Frameworks
  • Own the cybersecurity policy lifecycle: authorship, review cadence, version control, approval workflows, and exception management
  • Maintain alignment to NIST CSF, managing control mapping, evidence collection, and control effectiveness measurement
  • Drive continuous improvement of the controls environment based on assessment findings, threat intelligence inputs, and regulatory changes
Audit & Assessment Management
  • Serve as the primary point of contact and program lead for internal and external cybersecurity audits and assessments
  • Coordinate evidence collection, manage stakeholder readiness, and oversee finding remediation tracking through to closure
  • Develop and maintain audit‑ready documentation across all GRC domains
Security Awareness & Phishing Simulation
  • Own the enterprise security awareness program, including curriculum development, delivery scheduling, and effectiveness measurement
  • Manage the phishing simulation program end‑to‑end: scenario design, cadence, metrics, and targeted follow‑up training for at‑risk populations
  • Tailor awareness content for diverse audiences — from clinical staff to executive leadership — with a voice that educates rather than shames
Experience
  • A minimum of six years' experience in a related field
  • Prefer 3+ years leading or managing a team in GRC, compliance, or risk management capacity
  • Prefer experience in a healthcare or other highly regulated industry, with direct exposure to HIPAA compliance obligations
  • Demonstrated experience managing a third‑party risk program, including vendor assessments and risk tiering
  • Prefer prior experience building or significantly maturing a GRC program, not just maintaining one
  • Prefer experience managing external audits or assessments (SOC 2, HITRUST, OCR, internal audit, etc.)
Education

Required: A Bachelor's degree.

Preferred: Bachelor's in Computer Science or a related field.

Special Skills
  • In‑depth knowledge of cybersecurity frameworks including but not limited to NIST CSF, HITRUST CSF, ISO 27001
  • Experience in managing or leading security organizations responsible for GRC,…