Director, Governance, Risk Compliance

Position: Director, Governance, Risk, & Compliance
The Director of (Cyber) Governance, Risk & Compliance (GRC) is a cyber leadership role responsible for establishing, operationalizing, and continuously maturing the organization's cybersecurity governance, risk management, and compliance programs in alignment with enterprise strategy and regulatory obligations. This role provides strategic oversight of policy development, risk assessment and treatment, internal controls, third-party risk management, audit readiness, and regulatory engagement.

The Director partners closely with security architecture, security operations, legal, privacy, internal audit, product, and business stakeholders to ensure cybersecurity practices are aligned with enterprise risk tolerance and customer expectations. The role is accountable for defining governance structures, driving risk-informed decision-making, ensuring compliance with applicable frameworks and regulations, and building a scalable GRC function that enhances transparency, accountability, and trust across the organization.

WHAT YOU'LL BE DOING:

* Lead the strategy, operating model, and maturity roadmap for governance, risk, and compliance programs.

* Develop, maintain, and enforce information security policies, standards, procedures, and guidelines aligned with regulatory and business requirements.

* Oversee enterprise risk management for cybersecurity, including risk identification, assessment, prioritization, treatment tracking, and reporting.

* Maintain a centralized risk register and ensure appropriate risk acceptance, mitigation, or transfer decisions are documented and approved.

* Lead internal and external audit readiness activities, including coordination of evidence collection, control validation, and remediation tracking.

* Manage compliance with applicable frameworks and standards such as NIST CSF, ISO 27001, SOC 2, HIPAA, PCI DSS, and other regulatory obligations as applicable.

* Oversee third-party risk management processes, including vendor assessments, due diligence, risk rating, and monitoring of remediation activities.

* Establish governance forums, reporting structures, and escalation pathways to support risk-informed decision-making and accountability.

* Develop and deliver risk reporting, dashboards, and executive communications that articulate control effectiveness, compliance posture, and residual risk.

* Partner with legal, privacy, human resources, and business stakeholders to ensure alignment on regulatory obligations and data protection requirements.

* Drive continuous improvement of controls, processes, and governance practices based on audit findings, risk trends, and evolving threats.

* Support customer-facing security and compliance inquiries, including RFPs, due diligence questionnaires, and assurance reporting.

* Manage technology platforms supporting GRC functions (e.g., risk management systems, policy tools, audit tracking solutions).

* Lead, coach, and develop GRC professionals while fostering a culture of accountability, transparency, and continuous improvement.

YOU'VE GOT WHAT IT TAKES IF YOU HAVE/ARE:

* 10+ years of progressive experience in cybersecurity, risk management, compliance, or related fields.

* 5+ years of leadership experience in a GRC or related cybersecurity function.

* Bachelor's degree in Cybersecurity, Information Security, Information Technology, Business, or a related field; or equivalent professional experience.

* Demonstrated experience building or managing governance, risk, and compliance programs in a mid-sized or large organization.

* Experience supporting audits, regulatory inspections, and compliance assessments.

* Experience managing third-party risk and vendor assessment processes.

* Experience developing policies, standards, and enterprise risk frameworks.

* Experience partnering with executive leadership and cross-functional stakeholders on risk and compliance initiatives.

EXPERIENCE/EDUCATION PREFERRED:

* Master's degree in Cybersecurity, Risk Management, Information Assurance, Business Administration, or related discipline.

* Professional certifications such as CISSP, CISM, CRISC, or CISA.

* Experience in SaaS, cloud-native, or highly regulated industries.

* Experience aligning security and compliance programs to FedRAMP, SOC 2, ISO 27001, or similar frameworks.

* Experience supporting customer trust programs and external assurance reporting.

* Experience implementing or optimizing GRC tooling and automation.