Essential Job Functions
The Security GRC Specialist II is a key member of the Governance, Risk Compliance (GRC) team, leading and executing various services within the team. This role requires expertise in Information Security, providing consulting to both technical and non-technical management and the user community, and performing essential risk management functions within the Security Governance department. Key GRC services include managing the lifecycle of policies and standards, overseeing the Security Vendor Risk program, managing the Security Awareness program, ensuring Controls Assurance, conducting vendor and client risk assessments, and administering GRC platforms and tools.
Current openings will focus on either Security Vendor Risk Management or Security Awareness.
Essential Functions
- Lead process improvements, enhance control maturity, and communicate risk across assigned GRC service activities, incorporating ISO 27001 principles for continuous improvement.
- Third-party Vendor Management: Respond to security assessments, questionnaires, and audits from clients and third-party business partners promptly. Document and perform assessments as needed and review contracts for security requirements.
- Policy Management: Write technical policies, standards, and communications. Lead the creation and maintenance of security policies, standards, processes, guidelines, and support documentation.
- Compliance Management: Lead and support processes to ensure IT systems meet cybersecurity and risk requirements. Conduct evaluations of IT programs or components for compliance with published standards, manage exceptions, and process requests for exceptions to security controls.
- Assessment Management: Ensure appropriate treatment of risk, compliance, and assurance from both internal and external perspectives.
- Advisory Services: Serve as a subject matter expert for Information Security, consulting with technical and non-technical management and staff.
- Security Awareness Management: Ensure security awareness training is aligned, defined, and executed. Evaluate cyber training/education courses and methods based on instructional needs.
- Administer the GRC technology platforms.
Qualifications & Requirements
Education, Work Experience, Skills
- Bachelor's degree or five (5) years of work experience in IT Security is required.
- Four (4) years of Information Security experience required, with hands-on technical experience preferred.
- Strong communication skills, including message creation and verbal presentations, with tact and diplomacy, are required.
- Strong knowledge of Security frameworks and technologies such as ISO 27001, NIST, SOC, SIG is required.
- Prior IT Security experience in the legal industry is preferred.
- Technical writing experience is required, with a preference for instructional content and educational writing.
- Strong knowledge of risk management principles and practices is required.
- Strong knowledge of security administration and role-based security controls is required.
- Three or more years of experience managing timelines and being self-directed is preferred.
- Experience in managing GRC tools (administrative and/or engineering) is preferred.
- Ability to interview, gather, and understand content from subject-matter experts.
- Maintain accurate records and manage client security and risk requests.
- Ability to act as the primary Security Subject Matter Expert (SME).
- Ability to facilitate and lead project and vendor risk assessments independently and provide guidance on secure design and operation.
- Ability to complete and assist in client security questionnaires and security assessments regarding the firm's security program and controls.
- Demonstrate the ability to create and maintain security policy, standard, guideline, and procedure documents.
- Demonstrate the ability to communicate technical topics effectively to varied audiences, including IT Subject Matter Experts, senior management, and non-technical users.
- Communicate succinctly and effectively.
- Strong organizational and problem-solving skills are required.
- Strong project and time management skills are required.
- Strong reading comprehension skills are required.
- Strong analytical ability with excellent written and verbal communication skills is required.
- Ability to work independently and as a team member is required.
Technologies/Software
- Broad awareness of and exposure to diverse security tools and their capabilities, including commercial and open-source options.
- Broad experience and exposure to cloud-hosted services, applications, infrastructure, including architecture, log management, monitoring, and security configuration requirements.
- SharePoint administration is preferred for team intranet site management.
- Provide back-end support, report creation, and application updates for GRC platforms.
- Strong PC skills with Microsoft (Word, Excel, PowerPoint) required, with the ability to perform data analytics and generate succinct reports.
- Knowledge of host and network-based anti-malware technologies.
- Knowledge of authentication technologies and interactions between diverse authentication platforms, both on-site and remote.
- Knowledge of client and server firewall technologies and capabilities.
- Knowledge of security event management (SIEM), event correlation, and analysis technologies.
- Knowledge of data encryption technologies.
- Strong knowledge of Intrusion Detection and Intrusion Prevention technical capabilities.
- Knowledge of web filtering and email SPAM prevention techniques.
- Knowledge of vulnerability assessment and forensic investigation tools.
- Knowledge of mobile device security and Mobile Device Management solutions.
- Knowledge of Privileged Access Management technologies.
Certificates, Licensures, Registrations
- Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications are preferred.
Work Environment
- This job operates in a professional office environment.