Security Manager – GRC

Location: Pittsburgh

Job Type: Full Time / Permanent

In this role on the Cybersecurity & Digital Trust team, the candidate will drive security Governance, Risk, and Compliance (GRC) strategy, manage execution of GRC capabilities, and mentor/develop a team of GRC analysts. This is a highly visible role across technology and the business that is responsible for identifying, assessing, and providing mitigation strategies for security and technology risks, both for the enterprise and with third parties. The candidate will also manage ongoing compliance requirements such as PCI and SOX and execute the strategy for an engaging and comprehensive security awareness and education program. Excellent communication and presentation skills that can be leveraged/adjusted across a wide range of technical and non-technical employees are a must. The candidate should also have a passion for employee mentorship and development.

Responsibilities:

- Manage the security governance and risk assessment/management processes, including providing consulting/expertise to business and technology stakeholders. This involves defining the risk assessment methodology, taking a risk-based approach to organizational scope, and interviewing leadership and individual contributor employees. The interviews cover current practices and how these align with policy requirements and key cybersecurity controls. The candidate will support the GRC analysts conducting these interviews and add both business and risk mitigation value throughout the process. This also involves serving as a subject matter risk/controls expert to business and technology employees during ad-hoc projects and initiatives, namely translating technical risk into overall business risk.
- Manage PCI and SOX technology compliance by building partnerships with external auditors and managing these engagements, creating robust second-line-of-defense processes to manage and mitigate compliance risk, and improving control efficiency to increase business value while improving compliance posture.
- Manage the security awareness and education program, including conducting ethical phishing campaigns, overseeing the creation of training modules and other engaging guidelines/training mechanisms, and partnering with technical cybersecurity resources to create technical security training (e.g. secure coding, secrets management, etc.).
- Assist in the development and management of GRC strategy by working with the Cybersecurity and Digital Trust team to develop a security program and security projects that address identified risks and business security requirements.
- Manage the process of gathering, analyzing and assessing the current and future risk landscape to provide a realistic overview of risks and threats in the enterprise environment.
- Develop budget projections based on short- and long-term goals and objectives.
- Propose changes to existing policies and procedures to ensure operating efficiency and regulatory compliance.
- Lead a team of GRC employees through regular development and performance conversations, providing specific development opportunities and empowering employees to meet these objectives, mentoring employees in functional, technical and soft skills, and hiring/training new employees.

Education & Experience:

- Bachelor's Degree in Management Information Systems, Information Security/Cybersecurity, Computer Science, Business, Accounting, or equivalent experience
- 7-10 years of experience in Security GRC, technology controls, security frameworks, risk assessment and management, DevSecOps, and staff mentorship & development
- CISM (preferred, not required), CRISC (preferred, not required), CISSP (preferred, not required)