Director - IT Security GRC
Des Moines, IA, USA | Leading Media / Entertainment Company
Industry: Media / Entertainment
IT / Information Technology
Job Description:
The Director IT Security GRC position facilitates information security governance, risk, and compliance across the company to support strategic goals and business opportunities. This position is responsible for PCI controls compliance protecting Meredith's processes for receiving credit card payments; compliance with personal information security controls driven by GDPR, CCPA, and other privacy regulations; facilitating enterprise-wide third-party supplier risk assessment; and developing and maintaining Meredith IT Security policies, standards, and guidelines. This position collaborates with all levels of the organization, including senior executives, executives, peers, technical staff, business staff, suppliers, and service providers.
The Director IT Security GRC position collaborates to:
Protect credit card payments and comply with PCI-DSS
Protect personal information and comply with data protection requirements driven by privacy legislation
Manage third-party supplier risk
Maintain Meredith IT Security policy and manage policy exceptions
This position requires broad information security skills, supported by specialized skills in controls audit and assessment. It also requires excellent communication skills and strong relationship-building abilities, and the ability to interact effectively with senior executives, business stakeholders, Legal, Sourcing, Privacy, HR, decision makers, and external suppliers.
Essential Job Functions
Accountabilities, Actions and Expected Measurable Results
Lead the IT Security GRC Team
Develop, lead, manage, and maintain the IT Security GRC team to manage information security governance, risk, and compliance. Build a cohesive team that works well together, and develop individual technical skills and abilities to ensure the team can support the Company's future information security GRC needs. Design information security GRC processes and procedures in collaboration with IT Security directors and as a member of the information security architecture team. Stay current with the broad information security landscape and industry initiatives. Participate in IT Security leadership discussions, strategic initiatives, budget planning, and technical direction.
Protect Personal Information
Manage and perform data protection controls assessments and facilitate remediation as required to protect personal information across the Company. Collaborate with IT Security directors, Legal, Privacy, and HR to coordinate and perform security risk assessments and data mapping inventories. Maintain and apply working knowledge of GDPR, CCPA, and other regulations that impact data security.
Protect Credit Card Payments
Manage and perform PCI-DSS assessment and compliance processes and deliver compliance reports (AOCs, SAQs) across Meredith. Collaborate with business units, IT infrastructure and digital operations teams, software engineering teams, IT Security teams, and other business and technology support teams to coordinate and perform PCI-DSS compliance assessments. Ensure that PCI-DSS controls are operational and effective. Maintain and apply working knowledge of PCI-DSS and other data protection regulations.
Manage Third-Party Compliance Risk
Manage and perform supplier cyber risk assessments, supplier information security contract reviews, and supplier information security audits. Collaborate with business units, Sourcing, and Legal to develop and maintain a robust, fast, efficient, and effective process for assessing third-party supplier cyber risk. Coordinate and perform technical risk assessments of supplier web portals. Manage and perform ongoing supplier cyber risk assessment. Maintain and apply working knowledge of the supplier risk landscape and state-of-the-art tools and techniques for managing supplier cyber risk.
Maintain IT Security Policy
Manage and maintain Meredith IT Security policy, standards, and guidelines, including the Meredith IT Acceptable Use Policy, in collaboration with business units, IT, IT Security, Legal, HR, Privacy, and others. Manage the policy exception risk assessments, including periodic review of policy exceptions and facilitation of remediation or implementation of compensating controls. Educate and inform technical and company staff on relevant IT Security policies. Maintain the content of Meredith's mandatory annual Acceptable Use Policy training. Maintain and apply working knowledge of information security controls, the threat landscape, business objectives, and other environmental factors that inform an effective information security policy.
Other Duties as Assigned
Perform other duties contributing to the goals and objectives of Leading Media / Entertainment Company, Meredith IT, and Meredith IT Security.
Minimum Qualifications and Job Requirements | All must be met to be considered.
Bachelor's or master's degree in information assurance, computer science, information systems, or information systems audit.
Minimum of 12 years’ information technology experience consisting of a combination of information security, information security audit, compliance controls assessment, and risk assessment.
Must have experience managing people, providing work direction, managing complex projects, and delivering results in an environment with competing priorities.
Must have experience and working knowledge of information security and compliance regulations and standards such as PCI-DSS and NIST CSF. Must have working knowledge of the security implications of privacy regulations such as GDPR, CCPA, etc. Must have experience identifying and remediating technology and application risk across a broad range of technologies.
Current information security certifications such as CISA, CISSP, CISM, CRISC are beneficial.
Specific Knowledge, Skills and Abilities:
Ability to manage the work activities and deliverables of subordinates.
Ability to deliver results through facilitation and collaboration.
Ability to quickly assimilate and apply new job-related information.
Ability to listen to customers' needs and provide appropriate security solutions.
Ability to work independently, reliably, and responsibly.
Ability to handle confidential information with integrity.
Relationship building skills.
Written and verbal communications skills.
Project management skills.
Vendor management skills.
Knowledge of audit and controls assessment.
Knowledge of common information security management frameworks such as NIST, ISO, COBIT, and ITIL.
% Travel Required (Approximate): less than 10%