
Program Lead, Governance, Risk & Compliance; GRC

Job in Louisiana, Pike County, Missouri, 63353, USA
Listing for: Blackstone Talent Group
Full Time position
Listed on 2026-01-07
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security
Salary/Wage Range or Industry Benchmark: 100000 - 125000 USD Yearly
Job Description & How to Apply Below
Position: Program Lead, Governance, Risk & Compliance (GRC)
Location: Louisiana

Blackstone Talent Group, an award-winning technology consulting and talent agency is seeking a Program Lead, Governance, Risk & Compliance (GRC) to join our Client's team.

Key Responsibilities

Governance & Program Leadership:

  • Establish and mature the enterprise GRC program aligned to ISO, SOX, NIST CSF, CIS Controls, and relevant regulatory requirements.
  • Own the Information Security Management System (ISMS) lifecycle: scope definition, risk assessment, Statement of Applicability (SoA), control implementation, internal audit, management review, corrective actions, and surveillance/recertification readiness.
  • Define and maintain policies, standards, and procedures (e.g., access control, change management, vulnerability management, secure SDLC, incident response, supplier security).
  • Chair/coordinate governance forums (e.g., Risk & Compliance Steering Committee, Change Advisory Board, Management Review meetings).
  • Implement enterprise risk management (ERM) for information and technology risks: risk identification, assessment (qualitative/quantitative), treatment plans, and risk acceptance with accountable owners.
  • Build third‑party/vendor risk management (TPRM) including due diligence, contractual controls, continuous monitoring, and remediation.
  • Integrate operational technology (OT) risk (ICS/SCADA, IIoT) into the enterprise risk register with pragmatic controls that do not disrupt production.

Compliance: ISO & SOX:

  • Lead ISO certification journey: gap analysis, roadmap, control implementation, training/awareness, internal audits, and liaison with external certification bodies.
  • Own SOX ITGCs and application controls: design, documentation, testing coordination, remediation tracking, and /Disclosure Committee reporting.
  • Align identity & access management, change management, computer operations, and IT service delivery to SOX and ISO control objectives; ensure evidence quality and audit readiness.
  • Coordinate with Finance/Accounting on financial reporting risks.

Audit & Assurance:

  • Plan and execute internal audits (ISO, policy compliance, control effectiveness) and coordinate external audits (SOX, ISO surveillance/certification, PCI).
  • Build defensible control evidence repositories, ensure sampling precision, and drive timely remediation of findings.
  • Develop and maintain control libraries, test plans, and mapping across frameworks (ISO/NIST, SOX ITGC etc.).

Tooling, Automation & Metrics:

  • Select, implement, and administer GRC platforms (e.g., Archer/Drata/Vanta, ServiceNow GRC/IRM, OneTrust) and integrate them with ticketing, IAM, CMDB, SIEM, and ERP (e.g., SAP/Oracle).
  • Operationalize continuous control monitoring (CCM) and control analytics (e.g., access outliers, change exceptions, segregation of duties conflicts).
  • Define and publish KPIs/KRIs and Board/C‑suite dashboards: audit status, control effectiveness, residual risk, TPRM posture, policy adoption, incident trends.
  • Lead a hybrid, geographically distributed team of employees and vendor/consulting resources; set objectives, coach, and develop talent.
  • Build SOWs, manage budgets, and ensure vendor SLAs/KPIs and quality outcomes.
  • Foster a culture of accountability, transparency, and continuous improvement.

Training, Awareness & Change Management:

  • Lead assessment and management of the training and phishing-campaign platform and process (e.g., SOX for IT engineers, ISO control owners, plant operations staff).
  • Drive change management communications to embed controls into daily operations without impeding manufacturing throughput.
  • Ensure incident response processes are governed, tested, and produce audit-ready evidence.
  • Partner with Legal/Privacy on data protection, records retention, and supplier agreements (e.g., CCPA).

Qualifications

Education:

  • Bachelor’s degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred. Advanced degree (MBA, MS Information Assurance) is a plus.

Experience:

  • 10–15+ years progressive experience in IT Audit/Controls, or Enterprise Risk; 5+ years leading GRC programs in public companies.
  • End‑to‑end ISO implementation experience (ISMS design through certification).
  • SOX ITGC ownership experience, including scoping, control…