
Sr. Manager of Cybersecurity Governance, Risk Mgmt & Compliance

Job in Stamford, Fairfield County, Connecticut, 06925, USA
Listing for: 0010 United Rentals, Inc.
Full Time position
Listed on 2026-05-31
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 120000 - 160000 USD Yearly
Job Description & How to Apply Below

Great company. Great people. Great opportunities. If you’d like the chance to make your mark with the world’s largest equipment rental provider, come build your future with United Rentals!

The Sr. Manager of Cybersecurity GRC (Gov, Risk Mgt & Comp) is a leader responsible for shaping the firm’s governance, risk, compliance, and data privacy posture. This role owns the multi-year GRC strategy, manages the cybersecurity budget (P&L for the function), and serves as the primary liaison and subject matter expert to executive leadership and the Board. The Sr. Manager aligns security investments with business objectives and leads initiatives that mature people, processes, and technology to ensure resilience against sophisticated threats while meeting global regulatory requirements.

This is a hybrid role.

What you’ll do:

Policy, Procedure, and Standards Governance
  • Lead the development, maintenance, and enforcement of a comprehensive cybersecurity policy framework—including core policy and sub‑policies (e.g., Acceptable Use, Access Control)—aligned to ISO, NIST, and company values.
  • Translate complex regulatory requirements into actionable, auditable operating procedures for IT and other teams.
  • Serve as the organizational Center of Excellence for security standards, proactively updating them in anticipation of emerging mandates and industry trends.
Strategic Planning & Budgeting
  • Own the multi‑year cybersecurity roadmap and align investments to enterprise strategy, justifying capital and operational expenditures to leadership.
  • Manage the cybersecurity budget, optimizing security value across talent, tooling, and third‑party services.
Compliance & Data Privacy
  • Direct implementation and continuous review of global and sectoral mandates, including GDPR, PCI DSS, DFARS/CMMC, CCPA/CPRA, and SOX.
  • Engage with external vendors and auditors on matters of cybersecurity oversight and assurance.
Risk Management & Reporting
  • Convert qualitative technical risks into quantified business impacts to inform prioritization and investment.
  • Develop and maintain the Enterprise Cyber Risk Register and integrate it with the broader ERM framework.
  • Establish and report KRIs and KPIs to the Board and Executive Leadership, enforcing the enterprise risk appetite across initiatives.
  • Provide balanced governance so speed to market does not compromise security integrity.
Third‑Party & Vendor Risk Management (TPRM)
  • Manage the end‑to‑end lifecycle of vendor security—from pre‑contract due diligence to continuous monitoring of critical SaaS and infrastructure partners.
  • Partner with Legal and Procurement to embed robust security and privacy terms, including indemnification, in third‑party agreements.
Adversarial Readiness & Incident Response
  • Lead red team, penetration testing, and cyber maturity assessment programs.
  • Serve as a key member of the incident response command structure, emphasizing regulatory and crisis work streams during a breach.
Security Culture & Awareness
  • Design and deliver high‑impact training that transcends checkbox compliance to build true security ownership across the workforce.
  • Run advanced phishing and social engineering simulations to continuously test and enhance resilience.
  • Promote a culture of cyber awareness and compliance.
Data Privacy and DLP
  • Define the enterprise strategy for data classification, tagging, tracking, and handling.
People Leadership & Organizational Development
  • Direct, mentor, and develop teams; establish goals, performance expectations, and development plans; build succession capability.
  • Foster a culture of collaboration, accountability, and continuous improvement.
  • Other duties as assigned.
Requirements:
  • Education/Certifications: CRISC, CGEIT, CISM, or CISA required; CISSP preferred.
  • 10+ years in Cybersecurity, with at least 5 years in a senior leadership role managing complex GRC functions.
  • Deep familiarity with the NIST Cybersecurity Framework, ISO 27001, and the legal nuances of international data transfer.
  • Experience with GDPR, CMMC readiness and certification efforts, secure handling of Controlled Unclassified Information (CUI), DFARS compliance, and incident reporting protocols.
  • Office‑based work (hybrid); occasional travel;…