Director Security, Risk, & Compliance

Public Stuff

San Ramon, CA

8 - 10 years

Posted 241 days ago

This job is no longer available.


Impact you will make in the role:

  • Enhance the security mindset across all departments.
  • Lead the organization’s existing and prospective Information Security, Compliance and Privacy programs in accordance with industry standards and requirements, which include, but are not limited to, ISO 27001, SOC 1 & 2, FISMA, PCI-DSS, HIPAA, FedRAMP and others
  • Establish the cyber-security risk management program, policies, standards, and procedures
  • Design and conduct security risk assessments and develop a reporting framework to measure continuous improvement
  • Evaluate and report to management on the security posture of internal and possible M&A targets
  • Communicate cyber-security risks to management through reports, presentations, metrics and other documentation
  • Track, monitor, audit and report on anomalies and/or breaches of security and report to management on potential impact
  • Coordinate and conduct external assessment & penetration testing exercises
  • Consult with vendors to define remediation requirements found from assessments
  • Validate vulnerabilities have been correctly mitigated or remediated
  • Determine the relevance and risk of emerging threats across our environment
  • Contribute to enterprise IT Risk and Control awareness efforts
  • Stay abreast of current and emerging information risks including compliance requirements. Educate team and key stakeholders.

Problem Solving:

  • Identify potential areas of vulnerability and risk. Objectively assess impact, likelihood, velocity, and magnitude of identified risks.
  • Facilitate the formulation of corrective action plans for resolution of problematic issues
  • Mediate differing perspectives on risks between a variety of stakeholders driving objectivity and building consensus
  • Rapidly analyze complex technical details and synthesize detailed analysis into a “big picture” view that can be easily understood by non-technical stakeholders to support risk-based decision-making for management
  • Gather, analyze, and report status and metrics on risks, controls and issues including coverage metrics, KRIs and KPIs

Decision Making:

  • Determines when exceptions, exemptions, and invocation of the risk adjudication process are merited
  • Determines and approves risk treatment decisions
  • Determines ranges of controls when risk mitigation is desired
  • Determines methods, instrumentation, training, documentation, and processes
  • Develops solutions for automating and streamlining InfoSec risk management practices

Working Relationships:

  • Communicates regularly with I.T. management and security staff across all Post business units.
  • Regularly develops and presents findings and assessments to senior I.T. and Business Management.
  • Communicates regularly with cross-functional peers, including Compliance, Internal Audit, IT Procurement, Legal and business unit leadership.
  • Interacts occasionally with industry peers, standards organizations, solution providers, etc.


Expertise you will bring in:

  • Experience in Information Security and Risk Management
  • Experience and deep understanding of industry-based information security and/or control frameworks (NIST Cybersecurity Framework, ISO 27002, COBIT, etc.).
  • Professional certification in InfoSec or Risk Management (such as CRISC, CISM, CISSP, CGEIT, CISA)
  • Able to communicate technical issues to non-technical people
  • BA or BS degree in Information Security, Cyber Security, Computer Science or related field or commensurate experience
  • 5+ years’ experience working in Information Security
  • 7+ years’ experience working in I.T.