Job Title: Information Security - Governance and Compliance
Job Function: Information Systems
Division / Department: IT Americas / IT Security
Location: New York City, NY - approx. 80% and Berkeley Heights, New Jersey - approx. 20%
The Director of Governance and Compliance will be responsible for the vision as well as the strategies necessary for the governance and compliance team. This role is accountable for the key governance and compliance management areas, including but not limited to, security training and awareness, policy management, information security metrics, data protection, security risk management, crisis management and PCI compliance.
ESSENTIAL DUTIES AND JOB RESPONSIBILITIES
Reporting to the CISO, the Director of Governance and Compliance is in charge of for developing and maintaining department cyber security policies and standards. This is a leadership role where you will define, develop, maintain and facilitate the overall cyber security training and awareness program. The director will work closely with IT Management, Legal and Finance to establish and conduct oversight on approach to governance and compliance of PCI, Data Governance, IT Security Policies, and Crisis Management.
- Promote training, awareness and best practices within the enterprise with regard to needed processes and procedures to maintain a secure operating model.
- Responsible for developing and maintaining department cybersecurity policies and standards.
- Participate in planning, scheduling and preliminary analysis for all internal and external audit projects.
- Coordinate audit activities including notification and scheduling for all affected parties of audit timing, scope, objectives, approach and deliverables.
- Establish agreement and lead documentation efforts for process improvements related to security and compliance management.
- Ensures compliance with industry, regulatory and L’Oreal Group defined policies and standards.
- Identify, evaluate, and assist with the implementation of an information governance solutions to provide systemic monitoring of the Information Governance program.
- Manage day-to-day activities, including policies, procedures, training and communication regarding the Information Governance Program.
- In conjunction with Group Legal and Group Compliance identify information management and protection laws and regulations and implement actions to ensure compliance.
- Ensuring that the respective functional heads have the correct IT policies, procedures, standards, and practices for conformance with the IT Governance Framework and mandatory legislation
- Manage day-to-day activities related to developing and advising on the IT Functional Area development of governance documentation such as policies, standards, procedures and training.
- Perform regular IT Governance Maturity Assessments for the respective IT Functional Areas.
- Develop a training plan aligned to the IT Governance Program for all IT Functional Areas, based on the defined current Skills Matrix.
Education & Experience Requirements
(Minimum number of years experience, skills, certification and academic background required to perform this job.)
- BS in Computer Science, Information Security, or a related field. MBA is preferred
- Risk-related industry-standard qualifications such as CISA, CISM or CGEIT would be a strong recommendation.
- 10 +years with IT Systems/Information Risk Assurance experience, and experience in developing/delivering Governance and Compliance program at the Enterprise level.
- Prior experience working with regulatory requirements and standards (PCI-DSS, SOC, ISO, BSI, GDPR etc.) and frameworks (ISO, NIST, OWASP, etc.).
- The ability to communicate complex security risks to non-technical staff
- Work with business owners on remediation plans that address identified gaps.
- Demonstrated experience in identifying, assessing, and mitigating, regulatory and compliance risk
- Strong project management skills with experience defining objectives, identifying resource needs, and ability to execute detailed plans towards goal completion.
- Technical understanding of cloud infrastructure, networking, access controls, and change management.
- Strong analytical and problem solving skills are required.
- Ability to use independent judgment to make sound, decisions and take action to solve problems
- Strong verbal and written communication skills and ability to influence others
- Ability to plan, organize, prioritize, work independently and meet deadlines
- Ability to work in a collaborative, team environment.
PERSONAL ATTRIBUTES REQUIRED
• An influential leader with sound knowledge of business management
• Working knowledge of information security technologies
• Proven ability to assess risks and controls and to identify solutions to reduce risk
• The ability to collaborate across the organization with other teams, such as system operations, infrastructure, auditors and business users.
• Ability to design, evaluate and document processes and lead teams in accomplishing process review and improvement.
• Ability to conduct governance, risk and compliance sessions
• Excellent written and verbal communications skills.
• Ability to give feedback on governance, risk and compliance issues in a structured manner
• Demonstrated initiative and commitment for results and the ability to set priorities and manage multiple initiatives.
• Ability to adjust to changing priorities while multitasking effectively.
• Time Management
• Solid work ethic with attention to detail
• Excellent time management and related organizational skills, including appropriate sense of urgency, a proactive approach, and a suitable ability to anticipate and manage project life cycle events, issues and obstacles.
• Able to identify and document specific governance and compliance issues, propose resolution options, and interpret matters from the perspective of involved stakeholders.
• Consulting skills (client service orientation, conflict resolution, analysis/synthesis of information, negotiation, project management, presentation etc.)
• Negotiation skills needed to obtain commitments to remediate risks from leadership of other teams.
• Ability to work on own initiative.
We are an Equal Opportunity Employer and take pride in a diverse environment. We do not discriminate in recruitment, hiring, training, promotion or other employment practices for reasons of race, color, religion, gender, sexual orientation, national origin, age, marital or veteran status, medical condition or disability, or any other legally protected status.