Lead GRC Specialist

Location: Rosemead, CA
Date Posted: 12-07-2018

Position Overview

The successful candidate will support a key client whose focus is to improve their Cybersecurity GRC practices. The future organization will address new technology domains such as cloud security, incorporate technical data into risk assessment processes, and factor the organization’s threat profile into its governance and risk practices. Our team will have the opportunity to advance the organization as we develop strategies for improving processes, remediating security gaps, and protecting technology infrastructure, information assets, and business operations. This will be accomplished through effective policy, standards, and risk analysis processes. The embedded team will interact with members of the client’s Cybersecurity GRC team, business unit stakeholders, and executive leadership to develop and apply the organization’s cybersecurity strategy.

  • Lead the adoption of a new GRC platform for the existing cybersecurity GRC team, including establishing risk management workflows, planning interoperability with related technologies, performing testing and quality assurance on the platform, and providing direction to the GRC platform vendor’s professional services team.
  • Provide guidance and awareness on the GRC platform to educate stakeholders and key contributors on its capabilities and the expectations for utilizing the platform. These activities include core Team mastery of the platform, integration of GRC process workflows with cybersecurity stakeholders, and finally the education of Asset Owners and Business Unit stakeholders who partner with the Cybersecurity GRC Team.
  • Perform Business Impact Analyses (BIAs) to understand and reduce risk to the organization’s critical business processes, inclusive of developing the organization’s BIA approach, documenting the BIA process in a playbook/reference guide, training the GRC team on the process, and assisting with BIA execution.
  • As the organization’s future Cybersecurity GRC leadership team is selected, ensure a smooth transition of roles and responsibilities. This includes the development of departmental and contributor-level KPIs, the creation of employee training and performance plans, and the creation of relevant dashboards to assist with program management.
  • Actively participate in developing security governance framework materials (policies, controls, standards) to drive consistent standards across the enterprise. Provide guidance, interpretation, and education on specific security policies to Cybersecurity, IT, and business stakeholders and help ensure positive and actionable outcomes.
  • Establish and apply cybersecurity requirements for IT hardware, software, network, and cloud services. Routinely assess existing and planned infrastructure, systems, and applications for risks and propose relevant cybersecurity controls. Research new technologies and emerging threats for proactive planning.
  • Consult with and provide awareness to specialized security experts such as security architects, security engineers, secure coding specialists, and privacy specialists to obtain more specific requirements or design direction.
  • Develop and report on key metrics related to cybersecurity risk and governance to provide stakeholders with situational awareness regarding enterprise security control and standards adoption.
  • Apply methods for evaluating supplier cybersecurity practices and formulate risk mitigation strategies, providing risk-based guidance to supplier business sponsors to communicate and reduce risks involved with third parties.

Required Qualifications

  • Extensive cybersecurity experience, particularly focused on Governance, Risk, and Compliance functions.
  • Experience with applying best practice frameworks such as NIST 800 series, ISO 27000 series, ISA, or COBIT to develop security policies, standards, and guidelines.
  • Significant experience in developing and implementing IT governance practices and processes.
  • Experience with creating policy and standards to secure configurations, management, and maintenance of server, network, and application infrastructure.
  • Experience with cyber risk assessment practices, including risk identification, analysis, prioritization, tracking, and design of compensating controls, addressing both programmatic risks (e.g., deviations from policy or standards) and technical risks (e.g., current vulnerabilities or control gaps).
  • Basic technical knowledge and working experience with the TCP/IP stack and common IT platforms: Windows, Linux, AIX, MS SQL, IIS, SAP, Directory Services, etc.
  • Knowledge of security best practices in hardening and protecting networks, servers, endpoints, applications, and databases.
  • Awareness of security threats and defensive strategies within the utility industry, including techniques, tactics, and procedures (TTPs) that threat actors utilize to attack an organization.
  • Experience communicating and presenting effectively with diverse levels of the organization including managers, users, and technical teams, with ability to explain security topics to a business audience.
  • Results-oriented and self-motivated team member who enjoys working in a dynamic environment, with a proven ability to take ownership of projects and deliver them on time and within budget.
  • Bachelor’s Degree in Cybersecurity or IT-related field, or equivalent work experience.

Preferred Qualifications

  • Experience in managing cyber security functions, strategy, and risk within Fortune 500 companies.
  • Expertise with ServiceNow Platform and GRC application strongly preferred, with knowledge of Discovery, Service Mapping, Problem Management, Asset Management, Project Management, Service Catalog modules a plus.
  • Knowledge of Software Development Life Cycle (SDLC), quality assurance, and vendor risk management.
  • Knowledge of networking essentials, data flows, architecture, and protocols including wired, wireless, and cloud networking concepts.
  • Knowledge of cloud technologies (e.g., Azure) and strategies for securing cloud infrastructure and applications.
  • Knowledge of change management processes such as ITIL, Six Sigma, or MSF.
  • Knowledge of industrial control systems, compliance standards (e.g., NERC CIP), and related cyber security standards (e.g., IEC 62443) is strongly preferred.
  • Experience with Vulnerability Management, Network Security, Endpoint Security, Application Security, and Incident Response processes and technologies.
  • Experience with integrating industry-recognized network defense frameworks (e.g., ATT&CK, Cyber Kill Chain, etc.) into risk assessment processes.
  • Ability to evangelize security concepts to a wide audience and influence decision-making processes.
  • Master’s Degree in Cybersecurity or IT-related field.
  • Certifications: CISA, CISM, CISSP, or GSEC, or willingness to obtain within nine months of start date.