Security GRC Specialist II

About Kirkland & Ellis

At Kirkland & Ellis, we are united in our ambition and drive to move forward. We share core values that help us achieve excellence: collaboration, talent empowerment, service, inclusion, respect and gratitude. Our people are our greatest asset, and we invest in the brightest talent and encourage a diversity of perspectives and strengths to create dynamic teams that operate at the pinnacle of their field. Our talented professionals show up every day knowing they will engage in meaningful work, continuous learning and professional development.
 
As one of the world’s leading law firms, we serve a broad range of clients with market-leading practices in private equity, M&A and other complex corporate transactions; investment fund formation and alternative asset management; restructurings; high-stakes commercial and intellectual property litigation; and government, regulatory and internal investigations. We handle the most complicated and sophisticated legal matters because we don’t just meet industry standards, we create them. We bring innovation and entrepreneurialism to every engagement and, as a result, have long-standing client relationships with leading global corporations and financial sponsors. With 6,500 employees (including 3,500 lawyers) operating from 20 offices across the United States, Europe, the Middle East and Asia, we are one of the largest law firms in the world and a top financial performer.

Essential Job Functions

The Security GRC Specialist II serves on the Governance, Risk Compliance (GRC) team, leads and executes assigned services within the GRC team. Specialist II is a subject matter expert for Information Security (consulting to technical / non-technical management and the user community), and performs key risk management functions within the Security Governance department. Primary GRC services include Policy & Standards lifecycle management, Security Vendor Risk program management, Security Awareness program management, Controls Assurance, Vendor and Client risk assessments and GRC platform administration and tool support.

Current position openings will lead either Security Vendor Risk Management or Security Awareness.

ESSENTIAL FUNCTIONS

Management of process improvement, control maturity, and communication of risk throughout assigned GRC service activities.  Level II responsibilities include incorporating ISO 27001 principles for continuous improvement throughout all services and support activities.

• Third-party vendor management:  Respond to security assessments, questionnaires and audits from clients and third-party business partners in a timely manner. Document and perform assessments as needed. This service also provides contract review for security requirements.
• Policy management:  Technical writing for policies, standards and communications. Lead in the creation and maintenance of security policies, standards, processes guidelines and support documentation.
• Compliance management:  Lead, evaluate, and supports the processes necessary to assure that Information Technology (IT) systems meet the organization's cybersecurity and risk requirements. Conduct evaluations of an IT program or its individual components to determine compliance with published standards. Exception management, processing and tracking requests for exception to security controls.
• Assessment management:  Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives. 
• Advisory services:  Serve as a subject matter expert for Information Security consulting to technical / non-technical management and staff.
• Security awareness management:  Ensures security awareness training is aligned, defined, and executed.  Evaluation of cyber training/education courses and methods based on instructional needs.  
• Administration of the GRC technology platforms.

Qualifications & Requirements

Education, Work Experience, Skills

• Bachelor's degree or five (5) years of work experience in IT Security is required.
• Four (4) years of Information Security experience required. Those containing hands on technical experience are preferred.
• Communication skills including message creation, verbal presentation (to team, client, group) including tact and diplomacy is required.
• Strong knowledge on Security frameworks and technologies such as ISO 27001, NIST, SOC, SIG is required.
• Prior IT Security experience in the legal industry experience is preferred.
• Technical writing experience is required.  Experience with instructional content educational writing strongly preferred.
• Strong knowledge of risk management principles and practices are required.
• Strong knowledge of security administration and role-based security controls are required.
• Three or more years of experience managing timelines and being self-directed preferred.
• Governance, Risk, and Compliance (GRC) tool management (Administrative and/or Engineering) is preferred.
• Interview, gather, and understand content from subject-matter experts.
• Maintain accurate records and manage client security and risk requests.
• Ability to perform as primary Security Subject Matter Expert (SME).
• Ability to facilitate and lead project and vendor risk assessments with relative independence and provide guidance on secure design and operation.
• Ability to independently complete and assist in completing client security questionnaires and security assessments concerning the Firm’s security program and controls.
• Demonstrate the ability to create and maintain security policy, standard, guideline, and procedure documents.
• Demonstrate the ability to communicate effectively technical topics at an appropriate level of detail to varied audiences - including IT Subject Matter Experts, senior management, and non-technical users.
• Communicates succinctly and effectively.
• Strong organization and problem-solving skills required.
• Strong project and time management skills required.
• Strong reading comprehension skills required.
• Strong analytical ability with excellent written and verbal communication skills required.
• Ability to work independently and as a group member is required.

Technologies/Software

• Broad awareness of and exposure to diverse security tools and their capabilities, including commercial and open-source options.  
• Broad experience and exposure to cloud hosted services, applications, infrastructure, including architecture, log management, monitoring, and security configuration requirements.
• SharePoint administration is preferred for team intranet site management.
• Provide back-end support, report creation, application updates for GRC platforms.
• Strong PC skills with Microsoft (i.e. Word, Excel, PowerPoint) required.  Ability to perform data analytics, generate succinct reporting.
• Knowledge of host and network-based anti-malware technologies.
• Knowledge of authentication technologies and interactions between diverse authentication platforms, both on-site and remote.
• Knowledge of client and server firewalling technologies and capabilities.
• Knowledge of security event management (SIEM), event correlation and analysis technologies.
• Knowledge of data encryption technologies.
• Strong knowledge of Intrusion Detection and Intrusion Prevention technical capabilities.
• Knowledge of web filtering and email SPAM prevention techniques.
• Knowledge of vulnerability assessment and forensic investigations tools.
• Knowledge of mobile device security and Mobile Device Management solutions.
• Knowledge of Privileged Access Management technologies.

Certificates, Licensures, Registrations

• Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications are preferred.

WORK ENVIRONMENT

• “This job operates in a professional office environment.

How to Apply

Thank you for your interest in Kirkland & Ellis LLP.  To complete an application and submit your resume, please click "Apply Now."

Equal Employment Opportunity

All employment decisions, including the recruiting, hiring, placement, training availability, promotion, compensation, evaluation, disciplinary actions, and termination of employment (if necessary) are made without regard to the employee’s race, color, creed, religion, sex, pregnancy or childbirth, personal appearance, family responsibilities, sexual orientation or preference, gender identity, political affiliation, source of income, place of residence, national or ethnic origin, ancestry, age, marital status, military veteran status, unfavorable discharge from military service, physical or mental disability, or on any other basis prohibited by applicable law.

Closing Statement

The www.kirkland.com job postings and recruiting mailbox are for candidates only. If you are a recruiter, search firm or employment agency, and do not have a signed contract with Kirkland & Ellis LLP ("K&E") and have not been asked specifically to submit candidates, you will not be compensated in any way for your referral of a candidate even if K&E hires the candidate. Direct contact with K&E employees in an attempt to present candidates is inappropriate and will be a factor in determining any future professional relationship with the Firm.#LI-Hybrid #LI-JN1