NBCUniversal Cyber Security is seeking a motivated individual for the role of Governance, Risk and Compliance (GRC) Vice President. This position manages a major functional area reporting to the Chief Information Security Officer (CISO) and has oversight of the following functions: policies, standards, and procedures; control framework maintenance; control monitoring and surveillance; risk assessments; third-party risk management; governance and risk management coordination; regulator, auditor and customer response coordination; PCI, SOX and GDPR compliance; and disaster recovery. The role requires a strong leader, joining NBCUniversal at an exciting time as it transforms its cyber security organization around threat-driven principles. The leader will be responsible for defining and aligning strategies for the governance, risk and compliance team to support the security transformation and to ensure that exposures to cyber risk are identified and managed at an acceptable level.
- Develop and manage the cybersecurity risk management strategy, framework and approach.
- Integrate cyber security risk reporting and aggregate reporting into an enterprise risk framework.
- Provide briefings to leadership and advise them of critical issues that may affect business or enterprise cybersecurity objectives, in partnership with the Business Area Information Security Officers.
- Evaluate and recommend security products, services, and/or procedures to enhance productivity and effectiveness.
- In conjunction with Legal, identify information management and protection laws and regulations and implement actions to ensure compliance.
- Recommend strategies to ensure a common approach towards regulatory authorities and obtain internal efficiency.
- Ensure a comprehensive understanding of existing requirements and ongoing monitoring of new requirements.
- Develop strategies and action plans to drive control maturity improvement in areas where controls do not adequately mitigate risks.
- Facilitate prioritization of cybersecurity risk and due diligence activities with the different lines of business, in conjunction with the Business Area Information Security Officers.
- Identify global cyber security regulatory, legislative, and industry-specific compliance requirements and their applicability to each line of business.
- Partner with cyber architecture and engineering teams to develop risk mitigation strategies, solutions, and recommendations that reduce component, system, or enterprise security risk.
- Develop, document, and assess measures, metrics, and internal controls related to cyber security assessments and risk acceptance.
- Coordinate and track all information technology and security related audits, including audit scope, business units involved, timelines, and outcomes. Liaise with Internal Audit, maintaining excellent relationships and providing transparency.
- Provide guidance, evaluation and advocacy on audit responses.
- Develop and maintain a strategy for managing security related audits, compliance checks and external assessment processes for auditors and for Payment Card Industry (PCI) requirements, Personally Identifiable Information (PII) protection, the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), and other applicable industry standards.
- Lead the development and implementation of effective and reasonable policies and practices to secure sensitive data and ensure security and compliance with contracts, regulatory requirements, and industry standards.
- Manage the third-party risk assessment process to ensure risk transparency, business acceptance and contractual obligations are met, and to enable risk-based decision making.
- Partner with business and technology leaders to ensure that new and existing business relationships adequately address information security risk through vendor management, security engineering engagements, and security assessments of processes and procedures.
- Act as the risk management evangelist for the organization.
- Manage specified GRC projects from inception to completion.
- Support the CISO in establishing annual and long-term goals, defining risk and governance strategies, metrics, and reporting mechanisms.
Required Experience, Skills and Attributes:
- Minimum of 10 years' work experience in IT with direct responsibility for the technologies in scope, including at least 8 years' previous experience in a management role.
- Experience working in an IT organization with global operations desirable.
- Experience working in a shared services IT model desirable.
- Bachelor's degree in Computer Science, Engineering or Information Security preferred, or an equivalent combination of education and relevant experience.
- Extensive experience in enterprise security program development and implementation, enterprise security SOP & policy creation, designing and delivering employee security awareness training, and managing security staff.
- Ability to evaluate risks to the company and articulate issues, develop consensus, raise awareness, and provide and implement solutions.
- Knowledge of common information security and IT governance frameworks such as ISO/IEC 27001, ITIL, COBIT, and NIST.
- Strong knowledge of Cloud Security requirements.
- Knowledge and understanding of relevant legal, regulatory and privacy requirements.
- Strong project management experience.
- Ability to work collaboratively and effectively with a cross-section of the Information Technology team and business organizations to implement information security standards and initiatives.
- Understanding of threat driven methodologies, SDLC, threat modeling and attack trees.
- Passion for risk management and cyber security.
- Ability to clearly present complex technical concepts and techniques to others.
- Excellent written and spoken communication skills.
- Comfortable and effective in building partnerships with organizational leaders and influencing senior management.
- Experience with GRC/ERM tools (e.g. RSA Archer, MetricStream, SAP GRC, LogicManager).
- Ability to manage multiple projects with changing, shifting, or dynamic priorities.