Information Security GRC Technology Risk Lead

First Quality was founded in 1989 and has grown to be a global privately held company with over 4,000 employees. Its corporate offices are located in Great Neck, New York, with manufacturing facilities and offices in Pennsylvania, South Carolina, Georgia, and Canada. First Quality is a diversified family of companies manufacturing consumer products ranging from Absorbent Hygiene (adult incontinence, feminine care, and baby care), Tissue (bath and towel), and Industrial (print and packaging materials), serving institutional and retail markets throughout the world. First Quality focuses on private label and branded product lines.

We are seeking an Information Security GRC Technology Risk Lead for our First Quality Enterprise working remotely preferably in the Eastern half of the US.  This position is responsible for the development and delivery of First Quality’s Information Security Program which includes information security risk management across First Quality Enterprises. This program ensures that all physical and digital information assets and technologies, as well as employee, client and First Quality data are adequately protected. This role is responsible for defining and maturing the 2nd line of defense and providing management with updates on the overall security posture of the organization. This role currently has 1 direct report and will report to the Manager of Information Security Governance, Risk, Compliance and Strategy. 

The GRC Technology Risk Lead will be tasked with leading the following Information Security Programs; Enterprise Technology Risk Management, Data Governance, Security Awareness & Training, and Compliance. This position will work alongside the Manager of Information Security Governance and other IS team members to identify ways to innovate and mature the Information Security program.  This Lead will be directly responsible for conducting IS technical risk assessment of First Quality systems and platforms against industry standards and frameworks such as the Center for Internet Security (CIS). This is a technical role where the candidate is expected to identify system misconfigurations, weaknesses, gaps, and associated risks across a wide variety of platforms. 

Primary responsibilities include:

Enterprise Technology Risk Management

• Directly responsible for performing technology risk assessments and control assessments to ensure systems and applications (on prem and in the cloud) are complying with First Quality policies, applicable regulatory and legal requirements, and leading industry practices.
• Updating the Business Impact Analysis (BIAs) plans to determine key systems to assess.
• Maturing the Information Security Risk Management Program by managing the IS risk register and ensuring appropriate risk management strategies are in place and followed up on.
• Meet with business stakeholders to quantify risks across the organization and maintain the top board level security risks.
• Develop and drive the implementation of security best practices and standards to mature the overall IS Risk Management Program which includes defining security system and application standards of control.
• Provide solutions to identified issues and risks.
• Works with the Manager of Information Security Governance, Risk, Compliance and Strategy to determine the acceptable level of risk for enterprise computing platforms.
• Liaise with key functional teams such as HR, IT, Digital Marketing, Finance, Internal Audit, Enterprise Risk, Quality, Office of General Counsel and the Business to identify new applications and service providers in use and the associated security controls to secure the data.

Data Governance 

• Investigates incidents and events that include potential HIPAA and other data breaches, data leakage, brand reputational risks, malware propagation, system compromises etc.
• Assist with maturing the Data Loss Prevention Program by reviewing and enhancing security technologies such as MS Purview and Compliance Center, Crowdstrike, Palo Alto, Netskope etc.
• Establish and maintain Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the Data Governance Security Program and initiatives.

Security Awareness & Training 

• Oversee the enterprise wide IS Security Awareness Program which includes phishing simulations, computer-based training, proactive communications on latest threats, workshops and newsletters.
• Promote a security mindset through enterprise and functional team specific presentations and initiatives.

Compliance 

• Work with the Office of General Counsel and both the Director and Manager of Information Security Governance, Risk, Compliance and Strategy to ensure the Information Security team stays abreast of new regulatory, legal and/or compliance security and privacy requirements to compliance against.
• Ensure compliance with HIPAA and applicable legal and regulatory requirements.

Travel

• Occasional travel

The ideal candidate should possess the following:

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. 

• B.S. in a technology discipline (Computer Science, Information Management, Computer Engineering, Cybersecurity or equivalent); Security certifications such as CompTIA Security +, CISSP, CISA, CCNA or equivalent or working towards certification is preferred
• 6+ years’ experience working directly in an Information Security or Information Technology department with experience in developing testing security frameworks for compliance
• Hands on experience with assessing security configurations in Windows/Mac/Linux environments, Azure and other cloud environments, SQL and Oracle databases.
• Experience with Netskope, Azure Purview, OneTrust or similar GRC tools is a plus.
• Experience with Operational Technology (OT) environments and securing manufacturing devices a plus.
• Strong knowledge & understanding of endpoint, server, network design and topologies.
• Strong understanding of a “hacker’s” mentality.

• Excellent written and oral communications skills; ability to lead discussions, present complex ideas to audiences of all sizes, and interact with all levels of the organization.
• Ability to self-manage, work independently with little direction and/or supervision but also work collaboratively in a team environment.
• Working knowledge of the following frameworks and regulations: ISO 27001/2, NIST 800-53, NIST CSF, CIS Benchmarks, ISF Standard of Good Practice, HIPAA Privacy Rule and Security Rule, MITTRE ATT&CK framework.
• Ability to prioritize and multitask and a work approach that supports flexibility and adaptability is paramount.
• Detail oriented and ability to think outside of the box to propose solutions to risks.
• Ability to communicate security risks to non-technical business stakeholders.

Estimated annual base salary range for this position is $110,000 – $140,000.

Base pay is only part of our total compensation package, which also includes an attractive annual discretionary bonus and robust suite of employee benefits for which you are eligible to participate in starting on your first day of employment.

Base pay offered will be determined on an individualized basis and we will consider your location, experience, and other job-related factors.

First Quality is committed to protecting information under the care of First Quality Enterprises commensurate with leading industry standards and applicable regulations.  As such, First Quality provides at least annual training regarding data privacy and security to employees who, as a result of their role specifications, may come in to contact with sensitive data.

First Quality is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, sexual orientation, gender identification, or protected Veteran status.