Manager, Information Security GRC

The Challenge

We are looking for a dynamic Information Security GRC Manager to support Information Security, IT, and the business by performing various governance, risk, and compliance activities as part of the OneTrust InfoSec GRC team, including customer assurance, risk management, audits (internal and external), policies (standards, procedures, SOPs), etc.

This role is critical to support OnePlan of maturing security processes and posture at OneTrust within the information security GRC domain.

• Develop, mature, and operate a global customer assurance function.
• Be the center of providing trust to our customers throughout the sales lifecycle.
• Work directly with customers and internal stakeholders to demonstrate OneTrust's security posture and alignment with industry best practices and applicable laws.
• Grow a global program dedicated to addressing and anticipating customer security and compliance requirements.
• Develop SME–level expertise in the security features of OneTrust's products and infrastructure.
• Lead information requests, including completing questionnaires, providing supporting documentation, partnering with product and engineering teams to clarify discrepancies, and communicating results in an organized manner.
• Collaborate and manage multiple business unit stakeholders to mature the compliance process.
• Create, modify, and design policies and content; oversee maintenance of critical procedural documents.
• Partner with organizational leaders to find creative and innovative ways to address and manage risks effectively.
• Develop metrics to track the effectiveness and maturity of the security program.
• Manage and oversee all aspects of security audits, both internal and external, to ensure compliance with industry standards and regulatory requirements.
• Oversee security compliance audits and work with cross–functional teams to collect evidence.
• Manage and develop audited internal controls in support of audited policies and procedures.
• Perform and document testing of those controls and champion recommendations for remediation.
• Define and track security & compliance audit lifecycle metrics.

• A Relationship builder: Ability to listen, build rapport, and credibility as a strategic partner vertically and horizontally.
• An Innovator: Ability to seek alternatives and recommend best solutions that gain all parties' support and lead to win–win results.
• Value Driven: Detail–oriented with an eye for quality.
• Ability to work with minimal oversight.
• Ability to execute given high–level direction.
• Asks good questions and always learning.
• Planning, supporting, and/or executing audits (customer–driven, internal, external).
• Ability to communicate clearly, both verbally and in writing.
• Ability to collaborate and coordinate with multiple teams and vendors.
• Ability to work independently and as part of a team.
• Ability to multitask and prioritize effectively.
• Keen attention to details while keeping the big picture in mind.
• Ability to mentor, train, and educate other security & GRC personnel.
• Highly skilled communicator and influencer with the ability to describe complex concepts in easily consumable terms.
• 3–5 years managing a global team.
• Understanding of applicable laws and regulations and security standards and frameworks including, but not limited to, ISO 27001, 27017, 27701, SOC 2, PCI–DSS, HITRUST, etc.
• Understanding of technology domains including governance, risk management, security, privacy, customer assurance, information technology, and business continuity.
• Bachelor's degree in a related field or equivalent experience required.
• Must have demonstrable experience as a GRC professional both in a management setting and as an individual contributor.
• Advanced planning/organizational, problem–solving, analytical, consulting, time management, and decision–making skills required.
• Ability to effectively communicate technical security plans, strategies, and designs to all levels of the company.
• Must be detail–oriented and able to maintain a high degree of accuracy.
• 1+ certifications such as CISA (Certified Information Systems Auditor), CISSP, CISM, CRISC, etc.

• Demonstrable experience working at a hyper–growth SaaS company.
• 5+ years' experience in policy management.
• 2+ years' experience in security awareness training.
• 3+ years' experience in DR/BCP.