Governance, Risk, and Compliance Manager

Sorry, this job was removed at 12:05 p.m. (EST) on Thursday, May 28, 2020

Role: Governance, Risk, and Compliance Manager

Department: Information Security

Reports To: The CISO

Type: Full Time


Job Overview: 

The Governance, Risk, and Compliance Manager will be responsible for defining, implementing and leading a GRC function in the CISO office. This role creates the security risk strategy and provides cyber governance and risk management oversight; establishes and manages the security policy framework and relevant standards; and oversees applicable security, privacy, contractual and compliance requirements (e.g. SOC2, MRC, ISO27001, GDPR, CCPA, NIST, DPAs and local privacy laws) through strategy development, controls definition and assessment, and process oversight.

Responsibilities and Duties:

  • Directly responsible for policies, procedures and controls to assure compliance with applicable regulatory, legal and audit requirements as well as good business practices
  • Develop and manage an information security risk management program including development, evaluation, and adherence to multiple areas of practice
  • Develop a risk strategy that identifies and classifies risks, defines appropriate tolerances, prioritizes mitigation activities, and measures risk levels using the CMMI Cyber Maturity/NIST CSF Framework
  • Establish and oversee formal risk analysis and self-assessments program for various information services, systems, processes and recognized industry standards
  • Identify, assess, manage, and track remediation of risks related to IT infrastructure, applications, platforms and suppliers and drive explicit requirements and timelines in all environments
  • Develop strong relationships with external audit and key stakeholders to ensure risk management oversight is understood, managed appropriately and current with all standards, guidelines, and regulations that are applicable to DoubleVerify
  • Liaise with all DV departments to identify, track and provide remediation guidance for new projects, services and/or third-party contracts in terms of information security assurance
  • Oversee highest risk initiatives and serve as a point of escalation for remediation/mitigation efforts
  • Develop security compliance strategy and approach and ensure compliance with MRC, SOC2, ISO27001, CCPA, GDPR, local privacy laws, contractual requirements and globally-recognized standards and guidelines
  • Establish and oversee formal vulnerability management, penetration testing and security posture assessment programs
  • Identify regulatory, legislative, and industry specific compliance requirements and define controls that can be used to meet those requirements
  • Oversee third party assessment standards and privileged user monitoring as a check on critical system access
  • Act as privacy and compliance officer, serve as the intake point for security-related inquiries, and coordinate with subject matter experts
  • Build out and maintain current GRC tools and processes within information security to provide visibility and transparency

Qualifications:

  • 10+ years’ experience in information technology, including 5+ years in security governance, risk, and compliance management
  • 5+ years of progressive information security work experience
  • Industry recognized certification in security (e.g., CISSP, CISA, CISM, CEH, etc.) 
  • Prior experience with security policy, standards, and controls definition
  • Strong knowledge of current and emerging cyber security risks, and innovative risk management methods and solutions
  • Experience with risk assessments against regulatory requirements such as PCI or SOC 2
  • Experience with GDPR regulatory compliance
  • Ability to collaboratively develop a risk strategy in conjunction with stakeholders
  • Strong analytical thinking, written, and oral communication and presentation skills
  • Demonstrated knowledge of industry authoritative sources such as COBIT, NIST, SOC2, GDPR, MRC, CCPA and ISO standards
  • Must have the ability to influence others and work at all management levels across the organizational structure
  • Broad understanding of security and privacy concepts
  • Experience working in an international/global organization
  • Skilled at planning, tracking plans, working cross department to review processes and controls, gathering and organizing documentation and test results
  • Able to understand contracts and technical documentation and assess them for consistency and alignment with the processes and controls outlined in requirements and audit materials
  • Education – Bachelor’s degree in computer science or related area
  • Experience with MRC accreditation and deep understanding of the online advertising industry and ad platforms (networks, DSPs, ATDs, SSPs, Exchanges)


Location

DoubleVerify is located in the neighborhood of Soho New York. This neighborhood is full of great places to grab lunch or shop.
