Manager of Cybersecurity-Governance, Risk, and Compliance

The Manager of Information Security Governance, Risk, and Compliance is responsible for maintaining the organization's information security policies, procedures, and practices to ensure compliance with cybersecurity regulatory requirements and industry standards. This role involves managing risk assessments, maintaining a risk register, developing and implementing security strategies, developing and communicating key risk and compliance metrics, and making risk decisions in alignment with the risk tolerance of the organization. This role also involves working to achieve and/or maintain compliance to cybersecurity certifications and qualifications as required by regulatory or contractual obligations or if desired to support business requirements.

Key Responsibilities

• Develop and enforce enterprise cybersecurity policies, guidelines, and standard operating procedures.
• Establish and manage an enterprise cybersecurity risk management program, including risk assessments, risk mitigation planning, risk mitigation tracking, and compliance reporting.
• Develop and report key metrics related to the risk management program to various stakeholders.
• Develop and/or maintain processes for cybersecurity risk review of hardware, software, and third-party suppliers.
• Operate any necessary tooling in support of the Enterprise governance, risk, and compliance program.
• Implement processes to automate or orchestrate continuous monitoring of security controls, exceptions, risk, and control testing.
• Document and report control failures and gaps to stakeholders, provide remediation guidance and assist in the tracking of remediation activities.
• Develop artifacts and evidence necessary to support audits for cybersecurity certifications and qualifications.
• Assist the business with responding to customer supply chain queries about Mirion's enterprise and product cybersecurity posture and practices.
• Coordinate with the owners of Mirion's Enterprise Risk Management (ERM) to ensure alignment between Information Security GRC and to roll findings and metrics up to the ERM as needed.
• Assist in cybersecurity event root cause analysis processes to help identify and track causative or confounding risks.
• Support annual efforts for renewal of cybersecurity and related insurance policies.
• Perform other related duties as assigned.

Qualifications and Experience

• Bachelor's degree in Computer Science, Information Technology, Cybersecurity, Risk Management, or related field (or equivalent practical experience).
• Experience: 8+ years in a cybersecurity-focused role, with significant exposure to cybersecurity risk management, network operations, cloud computing, and endpoint security.
• Experience developing, maintaining, or performing tracking in the areas of risk management, risk assessments, and risk registers.
• Experience in supply chain assessments and management.
• Experience in cybersecurity software reviews and the maintenance of an Approved Software List (ASL).
• Experience in reviewing, documenting, or planning security controls in association with common security control frameworks such as ISO 27001, NIST 800-171, NIST 800-53, CIS 18, Cyber Essentials.
• Experience with regulatory and industry driven privacy and security frameworks such as HIPAA, GDRP, CCPA, PCI DSS, SOC2, FISMA, SOX, and NERC-CIP.
• Experience in the development, maintenance, and/or operation of Governance, Risk, and Compliance (GRC) automation tooling.
• Experience in technical areas of Information Technology and Cybersecurity that would provide a strong foundation for identifying, qualifying, and categorizing technical risks to systems.
• Excellent communication skills, both written and verbal, for reporting and collaborating with technical and non-technical stakeholders.
• Ability to work both independently and as part of a larger team, while managing multiple tasks in a fast-paced environment.
• Highly motivated self-starter that is willing to take initiative.
• Critical thinking and problem-solving abilities with a strong attention to detail.
• Proven skills in working collaboratively with peers and developing strong working relationships.
• Certifications: An ideal candidate would have one or more industry certifications such as:
  
  
  
  • Certified Information Systems Security Professional (CISSP)
  • ISC2 Governance Risk and Compliance Certification (CGRC)
  • GIAC Critical Controls Certification (GCCC)
  • GIAC Law of Data Security & Investigations (GLEG)
  • GIAC Systems and Network Auditor Certification (GSNA)
  • GIAC Strategic Planning, Policy, and Leadership (GSTRT)
  • ITIL Expert
  • Other industry certifications that would demonstrate experience in GRC.