OverviewThe Director of Governance, Risk Management & Compliance (GRC) will lead API's global IT and security GRC program, reporting to the CISO. This leader is accountable for the company's cyber risk management framework, regulatory compliance posture, vendor risk program, and data governance strategy.
Success in this role requires the ability to identify, evaluate, and communicate security risks - and to influence strategy across a diverse technology landscape that spans new platforms and legacy business-critical systems. This leader must balance rigorous risk management with business agility, positioning security as an enabler rather than an obstacle.
Key Responsibilities- Risk Management: Lead organization-wide risk analysis, maintaining a risk register with documented remediation and mitigation plans. Serve as the primary advisor on information security risks to security management and business unit leads.
- Compliance & Audit: Establish and own the strategy for managing security audits, compliance checks, and external assessments - including GDPR, SOC 2, ISO 27001, CCPA, and other applicable standards. Liaise with internal and external auditors to implement and sustain required controls.
- Vendor & Third-Party Risk: Build and manage a comprehensive vendor risk program, evaluating the cybersecurity and data protection controls of third parties, vendors, and business partners.
- GRC Program Maturation: Drive ongoing security program improvement by amplifying areas of strength and developing actionable plans to address gaps. Develop and report key metrics to security and business leadership.
- Data Governance & Protection: Lead data governance and data protection programs, ensuring alignment with enterprise risk management principles and up-to-date documentation of systems and processes.
- Controls & IT Compliance: Facilitate IT compliance across identified controls, including IT general controls (ITGCs), application, cloud, and cybersecurity controls.
- Policy & Communications: Document, communicate, and enforce security policies that balance risk with business operations. Champion cybersecurity best practices across all business units to reduce the organization's attack surface.
- Incident Response: Oversee GRC-related incident response activities, tracking occurrences and resolutions with strict documentation and reporting protocols.
- Access Review: Manage the access review process to ensure appropriate access is consistently granted, maintained, and revoked.
Success MetricsRisk register is current, with documented mitigation plans and clear ownership for all identified risks.
SOC 2, ISO 27001, and other applicable certifications and audits are managed on schedule with no critical findings.
Vendor risk program covers all strategic third parties with completed assessments and remediation tracking.
Security metrics are reported regularly to executive leadership with measurable program improvement over time.
Security policies are actively communicated, adopted, and embedded across business units.
Data governance documentation is current and aligned with enterprise risk and compliance requirements.
Required Skills, Education and Experience7-10+ years of experience in cybersecurity, spanning security analysis, compliance and regulatory affairs, risk management, or audit.
Demonstrated experience leading and managing GRC programs, including risk registers, remediation planning, and executive-level reporting.
Proven track record managing security audits and assessments for SOC 2, ISO 27001, GDPR, CCPA, and other standards; familiarity with PCI, HITRUST, and GLBA is a plus.
Hands-on experience with vendor and third-party risk management programs, including evaluation of cybersecurity and data protection controls.
Experience with incident response tracking, documentation, and reporting.
2+ years of experience with AWS and/or Microsoft Azure cloud security configuration and management preferred.
Skills & CompetenciesProven ability to lead and influence across business units, translating complex risk concepts for both technical and non-technical audiences.
Strong understanding of IT general controls, cloud controls, and how they intersect with business operations.
Balances risk management with business efficiency - security controls should enable, not obstruct, business objectives.
Strong project management skills with the ability to manage multiple audits, assessments, and programs simultaneously.
High integrity and professionalism, with the confidence to represent the organization at the executive level.
Outstanding written and verbal communication skills, producing thorough documentation and presenting clearly to varied audiences.
Organized, efficient self-starter capable of operating with minimal supervision.
Education & CertificationsBachelor's degree, trade school certification, or equivalent professional experience required; Master's degree desirable.
Preferred certifications (not required): CISSP, CISM, CISA, CRISC, or GSLC.
Compensation:$160,000 - $190,000 USD, commensurate with experience.
Other DutiesDuties, responsibilities and activities may change at any time according to business needs.
The performance of additional responsibilities if you are designated as a Data Protection Champion (DPC), Senior Information Risk Owner (SIRO) or Information Assurance Accounting Officer (IAAO).
Work EnvironmentThis position operates in a professional office environment. This role routinely uses standard office equipment such as computers, phones, photocopiers, filing cabinets and fax machines.
Physical DemandsThe physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. While performing the duties of this job, the employee is regularly required to talk or hear. The employee frequently is required to stand, walk; use hands to finger, handle or feel; and reach with hands and arms.
