Company: Abnormal Security

Address: New York, NY
Form of work: Full-Time
Category: Information Technology

Job Description

About the Role

Abnormal Security is looking for a Manager, GRC (Governance, Risk, and Compliance) to lead a team of GRC Analysts. The GRC team aims to facilitate information security and data governance processes, enable risk-based decision-making, and deliver a compliance foundation to achieve and maintain compliance certifications.

As a core leader within GRC, this role will play a critical part in the execution of the GRC program, directly support the Director of GRC with strategy and roadmap development, and act as a GRC domain advisor to the business. The role will focus on leading a team of GRC analysts and scaling this team over time, and will be responsible for all elements of team development: recruitment, hiring, enablement, and management of the team.

The ideal candidate will have proven people leadership skills, the ability to scale the organization through continuous improvement of processes and team utilization, demonstrated leadership of compliance and governance programs, and an adept awareness of our customers' requirements of Abnormal as a leading cybersecurity SaaS provider.

Who you are
  • Proven experience building, scaling, and leading compliance or GRC teams.
  • Solid technical background with an ability to give instructions to a non-technical audience.
  • Demonstrated experience leading and scaling programs, managing portfolios of projects, and owning audits.
  • Hold yourself and your team accountable for high-quality results and meeting deadlines in a fast-paced environment.
  • Exercise sound judgment even when faced with ambiguity or competing approaches regarding the best path to success.
  • Ability to foster relationships with stakeholders and represent the GRC team across the company.
What you will do
  • As a core leader within GRC, you will manage GRC domains such as internal and external audits, policies management, data governance activities, and security and privacy awareness.
  • Ensure program activities align with strategy and manage the timely and high-quality execution of GRC landmarks.
  • Lead Policy Management including maintaining policy content and structure, managing policy repository and communication, policy lifecycle management, developing solutions to rectify policy gaps, and educating policy owners.
  • Lead Data Governance to define, develop, and implement capabilities to govern data handling and educate data owners.
  • Define, develop, and implement capabilities to manage third-party risks.
  • Lead the Compliance Program including development of the audit plan in partnership with leadership, leading audits, driving internal control effectiveness, and working with and training control owners.
  • Support enterprise risk assessment activities, including BCP-DR.
  • Drive remediation and mitigation activities, also known as issues management, including root cause analysis and owning the design, tracking, and progress of action plans in partnership with internal business partners.
  • Design and manage program operations to support the program goals and implement and maintain technology to support the program and its operations.
  • Engage in ad-hoc projects as required.
  • Maintain regular, clear communication with project teams, key partners, and management regarding the status of controls testing, audit progress, risk assessment progress, and progress of issues management.
  • Effectively communicate program and project execution status, program health and effectiveness, key accomplishments, and risks to senior management both within Security and to our business partners.
Must Haves
  • 6+ years of experience in GRC and/or technical compliance roles
  • 3+ years leading GRC teams and programs
  • Bachelor's degree or equivalent military experience with at least 7 years of Risk Assurance/Compliance and/or Information Security experience.
  • Strong understanding of security concepts and practical usage
  • Strong understanding of policy and data management
  • Strong understanding of risk management, business resiliency, business continuity, and disaster recovery for a SaaS/cloud-native organization.
  • Strong understanding and practical experience working with ISO 27001, ISO 27701, NIST cyber framework, or others such as HITRUST and NIST SP800-53, NIST SP800-171, and CMMC.
  • A solid grasp of audit, security, financial, and operational internal control methodologies and terminology (e.g., COSO).
  • Proven experience leading evaluations/audits and implementing controls, and with managing SOC 2 and ISO 27001 audits in a SaaS environment.
  • Demonstrated track record of successfully executing projects with an emphasis on delivering results.
  • Ability to effectively communicate governance, risk, and audit functions to executives.
  • Familiarity with Governance Risk Compliance (GRC) tools
Nice to Have
  • CRISC, CISSP, CPA, CISA, PMP, CISM certification(s)
  • Prefer a degree in information assurance, computer science, information security, or business.
  • Experience, preferably at a technology or SaaS/cloud company and/or a regulated public company
  • 2+ years of Big 4 experience

At Abnormal Security certain roles are eligible for a bonus, restricted stock units (RSUs), and benefits. Individual compensation packages are based on factors unique to each candidate, including their skills, experience, qualifications and other job-related reasons. We know that benefits are also an important piece of your total compensation package. Learn more about our Compensation and Equity Philosophy on our Benefits & Perks page.

Base salary range:
$146,800—$172,700 USD
Refer code: 8479028. Abnormal Security - The previous day - 2024-03-06 22:12
