Director, Information Security – Governance, Risk And Compliance (Grc)

This is a remote position

PURPOSE AND SCOPE: Manages Information Security Governance, Risk, Compliance programs across global business units as directed by the Sr. Director.  Interacts with diverse, cross-functional and global stakeholders to identify and remediate security risks to critical business processes and IT infrastructure by defining potential business impact with the responsibility to apply effective mitigation strategies and ensure effective controls are in place.   

PRINCIPAL DUTIES AND RESPONSIBILITIES:  

• Manages the tactical execution of short- and long-term objectives through the coordination of activities with a direct responsibility for results, including costs, methods, and staffing. 

• Technically proficient in the specific department and knowledge of industry practice and business principles.  Works on issues of diverse scope where analysis of situation or data requires evaluation of a variety of factors, including an understanding of current business trends.   

• Experienced leadership required for multi-faceted environment; role primarily focuses on tactical execution.  Receives assignments in the form of objectives and determines how to use resources to meet schedules and goals. 

• Program or project responsibility generally within the Information Security function.  Manages the operations of one or more departments, direct impact on Information Security.  Manages the coordination of activities of Information Security with direct responsibility for results, including costs, methods, and staffing.    

• Manages program to protect, govern, and monitor cybersecurity governance across Fresenius Medical Care business units specific to the compliance requirements of each line of business. 

•  

• Champions organization-wide Incident Management Program in collaboration with Legal, IT, and Compliance across all business units. 

• Leads implementation and enhancement of a Cybersecurity Governance Program which includes security and control framework that consists of standards, measures, practices, and procedures that provides assurance of compliance to regulatory or contractual requirements (NIST, ISO 27001/02, PCI, CCPA, and GDPR) 

• Develops and maintains a strong partnership with Senior IT, Legal, Compliance, HR, Internal Audit, and other relevant business units and third-party vendors to ensure that there is an effective understanding, awareness and adoption of their responsibilities as they relate to cybersecurity compliance requirements. 

• Champions adherence to security policies, standards, and guidelines. 

• Identifies gaps and ensures appropriate remediation plans are developed to effectively mitigate vulnerabilities, exceptions and defects to reduce risk to confidentiality, integrity, or availability of information.  

• Develops transparent reporting to demonstrate cybersecurity organizational, operational and risk management health 

• Ensures that security technology intended to protect company systems and information is configured and operating according to established requirements and standards.  

• Collaborates with incident response, threat intelligence and vulnerability management teams to drive remediation of security vulnerabilities based on quantified risk. 

• Deep experience driving risk-based decisions with executive leadership through collaborative and diverse inputs 

• Defines and implements a standard process for business stakeholders to make risk-based decisions and to submit and approve risk acceptances, policy exceptions and other necessary GRC processes. 

• Collaborates with Information Governance to support the business in identifying and classifying information and associated applications, minimize retention and control of confidential or restricted information. 

• Champions adoption and implementation of the risk management processes across the organization. 

• Assists implementation of eGRC tool to support governance, risk, and Compliance efforts across the organization. 

• Conducts global and tactical risk assessments to identify and manage critical risks to the organization. 

• Supports the governance teams to successfully support and assess security and resiliency compliance requirements across the organization. 

• Supports compliance and audit teams to successfully support and assess security and resiliency compliance requirements across the organization 

• Establishes agreement and lead documentation efforts for process improvements related to security and Compliance management 

• Participates and presents at meetings with internal and external representatives. Often leading a cooperative effort among members of a project team. 

• Interacts with global stakeholders and external customers; particularly in problem resolution.   

• Provides technical guidance and leads various programs and projects as assigned.  

•  

Additional responsibilities may include focus on one or more departments or locations.  See applicable addendum for department or location specific functions. 

PHYSICAL DEMANDS AND WORKING CONDITIONS: 

• The physical demands and work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job.  Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.   

• Travel required per business need.  

SUPERVISION:  

• May be responsible for the direct supervision of various levels of Information Security staff. 

EDUCATION:  

• Bachelor’s Degree required; Degree in related discipline desired (i.e., Information Security or Computer Information Technology; Advanced Degree desirable; equivalent experience in related field may be considered in lieu of degree. 

EXPERIENCE AND REQUIRED SKILLS:            

• 10-12  years related experience. 

• 5+ years’ supervisory or project/program management experience preferred. 

• Prior experience with agile methodologies required 

• Prior experience with IT governance, risk, and controls, including governance frameworks 

• Deep understanding of Information Security and technology frameworks (i.e. NIST CSF, NIST 800-53, CSACSM, COBIT, ITIL, ISO 2700X, HITRUST, Cloud Security Alliance (CSA), etc.) 

• Deep understanding of Cybersecurity Governance models, principles and frameworks 

• Deep experience identifying, assessing, and mitigating, regulatory and Compliance risk 

• Adeptly communicates Risk and technical issues in business digestible terms. 

• Technical understanding of cloud infrastructure, networking, access controls, and change management. 

• Strong organizational change management, executive communications, analytical and problem-solving skills are required. 

• Deep decision-making and problem-solving skills  

• Thrives in a fast-paced environment with competing and shifting priorities 

• Excellent written and verbal communication skills, primarily with executive level stakeholders 

• Promotes a highly-collaborative, team environment. 

• Results-driven and accountability-minded 

• Ensures rigorous attention to detail in all work activities and products 

• Deep program management skills with experience defining objectives, identifying resource needs, and ability to execute detailed plans towards goal completion. 

• CISSP, CRISC, CISA, CISM, or other technical certification(s) a plus 

•  Experience deploying cybersecurity governance frameworks and deploying Information Security or information technology initiativesrequired 

EO/AA Employer: Minorities/Females/Veterans/Disability/Sexual Orientation/Gender Identity

Fresenius Medical Care North America maintains a drug-free workplace in accordance with applicable federal and state laws.