Basic Information

Ref Number: Req_00145569

Primary Location: SV - Antiguo Cuscatlan - Las Cascadas

Country: El Salvador

Work Style: Hybrid

Description and Requirements

About the role:


The IT GRC Lead will be responsible for leading several existing governance, risk and compliance initiatives while also ensuring that internal systems are compliant with security standards. The IT GRC Lead’s responsibilities include meeting security and compliance requirements on time and addressing control deficiencies and information security risks.


Responsibilities:


  • Develop and maintain IT policies, procedures, and standards to ensure compliance with regulatory requirements and industry best practices

  • Lead internal and external compliance/audit projects to timely completion on multiple security and compliance frameworks (e.g. SOC 2, PCI, ISO, NIST, GDPR, CIS, COSO, HITRUST, PIPEDA and FISMA) and manage the roadmap of corresponding mitigating controls.

  • Map multiple requirements across the information security framework to identify gaps, develop mitigation plans and execute them on time

  • Manage third-party risk for critical vendors and ensure completion of internal risk assessments 

  • Manage expectations from critical stakeholders around security policy/risk management

  • Support sales teams in the completion of RFPs and client or vendor security questionnaires

  • Manage client contractual obligations around security and compliance

  • Lead periodic gap assessments to validate compliance on an ongoing basis to ensure that proper controls are in place and risks are appropriately mitigated

  • Collaborate with cross-functional teams to monitor and remediate control deficiencies against established deliverables and timelines

  • Provide guidance and training to IT teams on GRC best practices and standards.

  • Keep abreast of developments in IT risk management and compliance trends to recommend improvements to the organization's GRC program.


Requirements:


  • Relevant education and certifications in audit, information assurance, corporate governance and/or risk management (preferred)

  • 7+ years of progressive experience in the IT risk, security, compliance, or audit field

  • Minimum 5+ years of experience conducting security control assessments and audits for on-premise and cloud platforms (SOC 2, PCI, ISO)

  • Knowledge of risk and security controls for cloud platforms (GCP, AWS, Azure) highly desired

  • At least one industry certification (e.g. CISA, CISM, CRISC, CISSP) highly desired

  • Strong analytical and critical-thinking skills

  • High level of attention to detail; a self-starter with the ability to work independently, multitask and adjust to shifting priorities

  • Ability to work under pressure and meet tight deadlines

  • Ability to communicate issues to technical and business representatives, in both written and verbal forms

  • Demonstrated ability to negotiate resistance effectively and win concessions without damaging relationships

  • Experience with GRC tools

  • Bilingual (French) an asset



What’s in it for you:

  • Private medical and life insurance from day one.

  • Employee Stock Purchase Plan (ESPP)

  • Budget for professional growth (certifications)

  • Schedule flexibility.

  • Extra bonus based on performance.




EEO Statement

At TELUS Digital, we enable customer experience innovation through spirited teamwork, agile thinking, and a caring culture that puts customers first. TELUS Digital is the global arm of TELUS Corporation, one of the largest telecommunications service providers in Canada. We deliver contact center and business process outsourcing (BPO) solutions to some of the world's largest corporations in the consumer electronics, finance, telecommunications and utilities sectors. With global call center delivery capabilities, our multi-shore, multi-language programs offer safe, secure infrastructure, value-based pricing, skills-based resources and exceptional customer service - all backed by TELUS, our multi-billion dollar telecommunications parent.

Equal Opportunity Employer

At TELUS Digital, we are proud to be an equal opportunity employer and are committed to creating a diverse and inclusive workplace. All aspects of employment, including the decision to hire and promote, are based on applicants’ qualifications, merits, competence and performance without regard to any characteristic related to diversity.