We are seeking a Cyber GRC Manager to lead and mature the company’s cyber governance, risk, and compliance (GRC) program. The successful candidate will partner with Security, IT, Legal, Risk, and business stakeholders to design, implement, and operate controls, policies, and risk management practices that reduce cyber risk and support business objectives. This role will own compliance initiatives, third-party risk assessments, policy lifecycle management, and metrics to drive continuous improvement across the organization.
Develop and evolve a risk-based cyber GRC strategy that aligns with enterprise risk appetite and business priorities.
Lead the GRC program, including governance forums, risk assessment cadence, control frameworks, and remediation tracking.
Partner with senior leadership to translate regulatory and business requirements into practical program objectives and roadmaps.
Maintain and enhance information security policies, standards, and procedures; ensure clear ownership and version control across the policy lifecycle.
Define and maintain control objectives mapped to frameworks (e.g., NIST CSF, ISO 27001, SOC 2) and ensure consistent implementation across teams.
Coordinate control testing, assessments, and remediation activities with internal teams and external assessors.
Conduct enterprise and technology risk assessments; identify, evaluate, and prioritize cyber risks and mitigation plans.
Own third-party risk management processes including vendor risk assessments, due diligence, contract security requirements, and ongoing monitoring.
Work with procurement and vendor owners to remediate deficiencies and reduce supply chain risk.
Manage compliance programs and readiness for relevant regulations and standards (e.g., SOC 2, ISO 27001, GDPR, HIPAA where applicable).
Act as primary liaison for internal and external audits, prepare evidence and reporting, and coordinate remediation activities.
Maintain documentation and continuous evidence of controls to support attestations and regulatory reporting.
Define and report GRC metrics and dashboards (e.g., risk posture, control maturity, remediation timelines, vendor risk status) to leadership and stakeholders.
Use data and trend analysis to identify program gaps, recommend improvements, and measure the effectiveness of risk reduction efforts.
Develop and maintain GRC playbooks, runbooks, and process documentation to enable repeatable, auditable practices.
Bachelor’s degree in Information Security, Cybersecurity, IT, Risk Management, or a related field, or equivalent practical experience.
5+ years of hands-on experience in cyber governance, risk, and compliance, information security, or related roles.
Practical knowledge of common security frameworks and standards (e.g., NIST CSF, ISO 27001, SOC 2) and experience mapping controls to frameworks.
Experience managing third-party/vendor risk assessments, contract security requirements, and remediation workflows.
Strong communication and stakeholder management skills with the ability to influence technical and non-technical audiences.
Analytical mindset with experience developing risk assessments, metrics, and executive-level reporting.
Familiarity with GRC platforms, risk assessment tools, ticketing systems, and common productivity software.
Relevant certifications such as CISSP, CISM, CRISC, CISA, or CDPSE preferred.
Experience supporting SOC 2, ISO 27001, or other third-party audits and working with external assessors.
Background in cloud security, identity and access management, or secure software development lifecycle practices.
Experience implementing or operating GRC tooling (e.g., Archer, RiskLens, OneTrust, ServiceNow GRC) is a plus.
Full-time position with a hybrid onsite/remote model; occasional travel and after-hours engagement may be required to support assessments and incident response activities.
Competitive salary commensurate with experience and a comprehensive benefits package, including health insurance, retirement plan options, and paid time off.
Opportunities for professional development, cross-functional collaboration, and career growth within Security, IT, and Risk functions.
Inclusive, respectful culture that values diversity, equity, and work-life balance.
© 2026 Qureos. All rights reserved.