· Candidates must have at least 7 years working in governance, risk and compliance and/or information security and risk management, and at least 5 in risk management.
· Functional knowledge of the CISSP security domains and of information security industry standards and best practices.
· Functional knowledge of applicable security regulatory and compliance requirements (SOX, GDPR). Functional knowledge of ISMS governance models and analysis of certification reports (e.g. ISO 27001, SOC, CAIQ), information security roles, and security controls.
· Ability to communicate risk methodologies and concepts to business units and IT teams.
· Demonstrated experience with controls definition, development, implementation and assessment.
· Strong interpersonal skills and ability to work effectively with diverse and globally distributed teams.
· Strong attention to detail, project management and organizational skills.
· Self-starter with the ability to effectively manage independent workloads asynchronously with stakeholders across multiple time zones.
· Ability to independently lead program areas and cross-functional teams to deliver high-quality results according to well-defined plans.
· Define and communicate program and activity plans and roadmaps, and effectively collaborate with all business and IT groups to achieve goals.
· Use defined risk methodologies and best practices to perform IT/security assessments. Responsible for the planning, scoping, tracking, and execution of these assessments.
· Drive remediation activities through identification, treatment planning, remediation, and closure. Hold owners accountable for delivering the remediation solution within the agreed-upon or reasonable SLA.
· Operate and improve security audit and compliance programs to support various compliance regulations.
· Operationalize a metrics and reporting function to continually report meaningful security, risk and compliance metrics to operational and executive management. Support the automation of KRI and KPI reporting that aligns with operational/business risk areas and corporate risk.