
GRC- Strategy and Programs Associate

Cyber Security

New York, United States
90,000 USD
29 Apr 2025

Job Description

GRC Associate- Strategy and Programs

Hamlyn Williams, New York City Metropolitan Area (Hybrid)

Position Summary:

This role supports the implementation and oversight of the Information Security Program by managing strategy, governance, risk, compliance, and data privacy functions. The associate leads cross-functional coordination on security initiatives, ensures alignment with regulatory requirements, and supports the CISO in driving key programs and metrics. Please note that this role is on site in Manhattan 4x a week and will move to 5x a week on site in June.

Key Responsibilities

Strategy & Program Management

  • Align information security strategy with business objectives.
  • Track strategic initiatives and key risk indicators (KRIs); conduct quarterly reviews.
  • Provide end-to-end project management for CISO-led initiatives.
  • Oversee core programs: Information Security, Training & Awareness, Phishing, Tabletop Exercises, and Data Privacy.

Governance & Policy

  • Maintain and update security policies, procedures, and roles.
  • Monitor compliance with CISO policies; track metrics and adherence.
  • Support the Information Security Committee and its sub-committees.

Risk Management

  • Maintain the TISR (Technology, Information, Security, Risk) framework.
  • Conduct risk assessments for projects, third parties, and new activities.
  • Oversee issue tracking and remediation from audits, exams, and control testing.
  • Refresh risk taxonomies and controls annually.

Compliance

  • Respond to audit and regulatory exam requests.
  • Recommend policy/process improvements to meet OCC and other regulatory expectations.
  • Collaborate with Legal, Risk, and Audit teams to ensure compliance.

Data Privacy

  • Support compliance with privacy laws and regulations.
  • Maintain privacy policies and monitor related risk assessments.
  • Conduct privacy training and ensure integration into business processes.

Metrics & Reporting

  • Manage operational, executive, budgetary, and board-level reporting.
  • Develop dashboards and tracking tools for CISO-related metrics.

Qualifications

  • Bachelor’s degree in Business, Risk, Computer Science, MIS, or related field.
  • 3+ years of experience in Risk Management, Audit, IT/IS Operations, or Data Privacy.
  • 2+ years of experience executing IT/Information Security risk programs or policies.
  • Familiarity with cybersecurity practices, infrastructure (e.g., AD, firewalls, UNIX), and tools (e.g., SIEM, DLP, XDR).

Skills

Risk Governance & Policy Development
Job Reference

165408

Date Posted

29 Apr 2025

Industry

Information Security

Category

Cybersecurity & Technology Compliance

Role

Governance

Level

Entry-Level

Employment

Permanent

Working Location

Hybrid

Salary/Rate

90,000 USD

Taylor Crowley
