The Company
Heico has a history of success. Since its founding over 40 years ago, The Heico Companies has grown from a single business to over 78 separate companies through a strategic acquisition policy and by reinvesting its earnings into internal growth and new prospects. Historically skilled at restoring distressed companies, Heico now strategically targets acquisitions that complement its ever-growing portfolio of companies in manufacturing, construction, and industrial services.
These operations are organized into four groups: Metal Processing Group, Construction Solutions Group, Applied Solutions Group, and Industrial Technologies Group. Once acquired, new Heico companies are assigned to a group and run on a stand-alone basis, allowing for great independence as well as the opportunity to share knowledge about markets, production processes, and management practices with other Heico groups and companies. Each group has its own corporate team.
Heico continues to seek out new opportunities and maintain its standard of success. The Heico Companies has remained privately held since its creation and maintains majority ownership in each of its operations, which together generate more than $3.3 billion in revenues. Many of our businesses are certified Woman-owned Business Enterprises (WBE).
More information about the holding company and overall organization can be found at www.heicocompanies.com.
The Position
The Senior Manager, Governance Risk and Compliance will be responsible for building out and scaling an effective risk management program. This position will be responsible for managing direct and indirect teams to implement the strategy and embed risk management programs across the risk and compliance areas they affect. This position will play a key leadership role in scaling and integrating risk-attuned teams across the organization. The successful candidate will have deep knowledge and experience in understanding complex challenges and guiding groups to appropriate solutions.
Job Description
Primary Responsibilities
- Implements security controls, a risk assessment framework, and a program that align to regulatory requirements, ensuring documented and sustainable compliance that aligns with and advances business objectives
- Maintains and drives accountability for regulatory and compliance objectives, initially DFARS, CMMC, SOC 2, GDPR, and CCPA, with others to follow
- Evaluates risks and develops security standards, procedures, and controls to manage risks. Improves security posture through process improvement, policy, automation, and the continuous evolution of capabilities
- Implements GRC (governance, risk and compliance) processes to automate and continuously monitor information security controls, exceptions, risks, and testing. Develops reporting metrics, dashboards, and evidence artifacts
- Defines and documents business process responsibilities and ownership of the controls. Schedules regular assessments and testing of effectiveness and efficiency of controls and creates GRC reports
- Updates security controls and provides support to all stakeholders on security controls covering internal assessments, regulations, and objectives (DFARS, CMMC, NIST, ITAR, ISO 27001, TISAX, GDPR, CCPA), protection of Personally Identifiable Information (PII), and the Payment Card Industry Data Security Standard (PCI DSS)
- Performs and investigates internal and external information security risk and exception assessments. Assesses incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks
- Documents and reports control failures and gaps to stakeholders. Provides remediation guidance and prepares management reports to track remediation activities
- Assists other staff in the management and oversight of security program functions
- Trains, guides, and acts as a resource on security assessment functions to other departments within the enterprise
- Remains current on best practices and technological advancements and acts as the technical SME for security assessment and regulatory compliance
- Oversees the effective identification, assessment, monitoring, and reporting of risk and the surrounding controls environment
- Maintains and enhances a scalable, sustainable, and robust cyber risk management program including governance, assessment, monitoring, and reporting procedures
- Collaborates with the IT department and other stakeholders to refine and implement the security strategy that protects the organization
- Leads a team dedicated to an ongoing security program, where areas of strength are amplified and areas needing improvement are documented
- Expands and integrates the risk assessment framework to facilitate identification, assessment, and reporting of risk in quantifiable, business-relevant terms
- Builds a risk program to quantify inherent risk within business operations and recommend compensating controls or risk mitigation techniques to reduce it
- Creates and maintains security policies, procedures, and standards to govern the application and enforcement of the controls environment
- Ensures timely and effective continuous risk monitoring, measurement, and tracking of current and emerging threats and their impact on the business
- Recommends and prioritizes risk reduction and management strategies using business and technical processes
- Identifies and evaluates technologies/tools to support the operation and monitoring of risk functions
- Maintains awareness of market/industry conditions and trends
Job Requirements
Education
- Four-year bachelor’s degree required
- One or more of the following certifications a plus: CRISC (Certified in Risk and Information Systems Control), CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional)
Skills & Relevant Work Experience
- 10+ years’ experience in Information Security GRC and/or IT Risk/Audit organizations
- Significant experience implementing security controls, frameworks, and programs to achieve compliance with one or more of the following: DFARS, CMMC, NIST, ITAR, ISO 27001, TISAX, GDPR, CCPA
- Experience assessing the impact of administrative and technical controls on risk and translating the resulting impact for internal stakeholders
- Leadership experience in a large, matrixed organization
- Experience with business continuity and/or disaster recovery
- Proven ability to roll out frameworks such as FAIR, SABSA, or OCTAVE in an enterprise environment
- Strong understanding of the terminology, concepts, IT controls, and best practices across key risk areas including risk assessment methodologies, identity and access management, cloud/SaaS, application security, data loss prevention, networks, systems design and operations, and incident management
- Knowledge and experience in documentation of security policies, standards, and processes
- Deep understanding of access control, specifically role-based access and inheritance of role and record-based permissions
- Experience with implementing Governance Risk and Compliance technology such as RSA Archer, MetricStream, or ServiceNow
- Ability to propose creative solutions, with strong written and verbal communication skills
- Self-starter who demonstrates complete ownership over assigned objectives and can work independently
EOE M/F/D/V