Director, Cybersecurity GRC

Position Summary 

The Cybersecurity Governance, Risk, and Compliance (GRC) Director is a senior leadership role responsible for establishing, maturing, and overseeing the enterprise cybersecurity GRC program. This role provides strategic direction and governance for cybersecurity risk management, regulatory compliance, and internal control assurance across the organization’s technology environment. The Director partners closely with executive leadership, Internal Audit, Legal, Privacy, and business stakeholders to ensure cybersecurity risks are identified, measured, managed, and communicated in alignment with the organization’s risk appetite and regulatory obligations. 

Key Responsibilities 

• Define and execute the enterprise cybersecurity GRC strategy, roadmap, and maturity model aligned to business objectives and regulatory expectations. 

• Establish governance structures, policies, and standards that support consistent cybersecurity risk management and compliance across the organization. 

• Serve as the executive subject matter expert for cybersecurity risk, compliance, and control frameworks (e.g., NIST CSF,  ISO 27001,, PCI DSS, privacy regulations). 

• Lead enterprise cybersecurity risk assessments, risk prioritization, and remediation oversight, including emerging threat and regulatory risk analysis. 

• Own the design, implementation, and continuous improvement of cybersecurity policies, standards, procedures, and control frameworks. 

• Oversee compliance efforts related to regulatory, contractual, and industry obligations, including audit readiness, evidence management, and remediation tracking. 

• Act as the primary liaison for cybersecurity GRC matters during internal audits, external audits, regulatory reviews, and third-party assessments. 

• Provide regular reporting to executive leadership and governance committees on cybersecurity risk posture, compliance status, key risk indicators (KRIs), and program performance. 

• Partner with the CISO and Technology leadership to define cybersecurity risk appetite and integrate risk considerations into strategic initiatives. 

• Collaborate with the CISO to build and run a Cyber Risk Steering Committee that integrates cybersecurity risk governance into the enterprise risk management framework. 

• Lead, mentor, and develop a high-performing GRC team, fostering accountability, continuous improvement, and a culture of risk awareness. 

• Influence and coordinate cybersecurity risk management activities across Technology, Security, Legal, Privacy, Internal Audit, and business units. 

• Own the evaluation, selection, implementation, and optimization of enterprise GRC tools to drive automation, consistency, and executive-level reporting. 

• Support due diligence activities related to mergers, acquisitions, and strategic partnerships from a cybersecurity risk and compliance perspective. 

Leadership & Governance Responsibilities 

• Provide strategic leadership and direction for the cybersecurity GRC function, balancing risk reduction with business enablement. 

• Establish measurable program goals, KPIs, and KRIs to demonstrate risk reduction and compliance effectiveness over time. 

• Ensure clear accountability for risk ownership and remediation across Technology and business stakeholders. 

• Coach and develop team members, building a scalable and resilient cybersecurity GRC capability. 

Qualifications 

• Bachelor’s degree in Cybersecurity, Information Security, Computer Science, Risk Management, or a related field. 

• Advanced degree and/or professional certifications strongly preferred, including CISA, CISM, CISSP, CRISC, GRCP, or equivalent. 

• 8–12 years of progressive experience in cybersecurity risk management, compliance, audit, or GRC functions. 

• Minimum of 5 years in a senior leadership role with responsibility for enterprise-level programs and people leadership. 

• Deep expertise in cybersecurity governance frameworks, regulatory requirements, and control environments. 

• Demonstrated experience building or transforming cybersecurity GRC programs within complex, multi-site or regulated environments. 

• Proven ability to engage effectively with executive leadership, auditors, and regulators. 

• Strong analytical, communication, and influencing skills, with the ability to translate technical risk into business impact. 

• Hands-on experience with enterprise GRC platforms such as ServiceNow GRC, LogicGate, Drata, or similar solutions. 

Why Join Us? 

This role offers an opportunity to lead and mature a critical cybersecurity function with high executive visibility and impact. The Cybersecurity GRC Director will play a pivotal role in shaping how cybersecurity risk is governed and managed as the organization grows, modernizes its technology landscape, and strengthens its security posture.