The GRC Specialist / Regulatory Lead is an SME in Information Security Governance, Risk Management, and Compliance. This role focuses on conducting security risk assessments and ensuring compliance with cybersecurity laws, regulations, internal policies, and industry frameworks. You collaborate with IT and security teams to implement, test, and document security controls, playing a critical role in developing and managing the security GRC framework. This role is HYBRID: 2 days in the NYC office and 1 day in the Jersey City office (or vice versa), with 2 days WFH. There is no flexibility on this.
Key Responsibilities:
- Manage the regional cybersecurity regulatory compliance program, including assessing requirements, coordinating with internal stakeholders, and ensuring the effectiveness of implemented controls.
- Serve as the SME for NYDFS 23 NYCRR Part 500 (DFS 500) compliance.
- Support cyber regulatory examinations by preparing presentations, responses, and documentation.
- Develop and maintain an effective FFIEC Cybersecurity Assessment Tool (CAT) program.
- Maintain a comprehensive understanding of the regulatory landscape and its impact on business and IT operations.
- Develop and manage the Security GRC Framework for SG AMER, mapping threats, vulnerabilities, risks, and controls into a cohesive lifecycle approach.
- Conduct security risk assessments, ensuring compliance with client, regulatory, and internal standards.
Required Knowledge and Experience:
- 8-10 years of experience in security GRC, project management, and related security practices.
- Proficient in cybersecurity and data privacy regulations, with knowledge of frameworks such as NIST CSF, ISO 27001, COBIT, and FFIEC CAT.
- Strong understanding of security topics, including application security, infrastructure security, vulnerability management, IAM, data protection, incident response, and cloud security.
- Experience in managing risk and compliance, including IT audit, cyber risk management, and regulatory compliance.
Education and Certifications:
- Degree in IT, Computer Science, Cybersecurity, or a related field.
- Possession of, or willingness to pursue, certifications such as Security+, CISSP, CCSP, CCSK, CISA, CISM, GSEC, or CRISC.