Manager, Technology Compliance and Risk Management
You will drive the technology compliance and risk program for Vision Critical and serve as a strategic business partner to corporate leadership to ensure that the program effectively detects and prevents violations of law, regulations and policies, and allows us to continually demonstrate the state of our compliance to internal and external stakeholders.
Under the direction of the Senior Director of Security, Privacy & Compliance you will be responsible for:
- Leading our annual SOC2 audits and related compliance program as well as other compliance-related initiatives such as HIPAA/HITECH, GDPR and financial audits. This includes performing procedures/tests for readiness, collecting information and evidence, coordinating with our external auditors and enhancing control documentation.
- Working with our operational groups to help them craft solutions for identified gaps, which sometimes means getting into the weeds and understanding the specific technology options available.
- Planning and leading our internal IT audit schedule, preparing action-oriented reports backed by solid evidence (because crushing arguments with evidence is fun), as well as running our operational compliance programs including access governance and disaster response readiness.
- Creating and maintaining our governance framework which includes policies, standards, procedures and guidelines and engaging relevant stakeholders.
- Managing the ongoing identification, monitoring and documentation of risks to the business, driving risk mitigation, and reporting to management.
- Managing privacy and security impact assessments.
- Working with our procurement team to assess vendors and understand the services they provide to us, identifying the risks associated with them, and tracking those risks until they are adequately mitigated.
- Assisting in the preparation of board and reporting material related to risk and compliance status.
- Assisting in the general operations and activities of the Security, Privacy & Compliance team.
As a risk and compliance professional, you are a communicative self-starter who has developed strong interpersonal, analytical and organizational skills and has a proven ability to influence business partners and decisions to drive risk reduction initiatives. You are comfortable with ambiguity and are adept at setting a direction by leveraging your experience and own resources; you don't mind at least a few plates in the air at the same time and can switch focus quickly to address the next initiative. You can find a way to manage risk without hindering the business. You can support the objectives of the business, users and customers while being prudent about compliance requirements. You are an exceptionally quick study and don't need to be told how something works more than once. You are able to operate at the strategic and tactical level, talking to the business (in normal non-auditor English) while at the same time getting your hands dirty doing the actual work needed to deliver on a project. We expect you to extract understanding from our technology and operations experts and then use that knowledge, combined with your risk management and compliance expertise, to see the problems that they don't.
The ideal candidate will have experience in these areas:
- Bachelor's degree in Computer Science, Engineering or Business Technology, or equivalent
- A minimum of five years working experience in technology roles
- A minimum of five years of experience in a professional services/public audit firm or an internal IT audit role
- Delivered various compliance audits using frameworks such as HIPAA, SOC2 Type II, ISO27001/2
- Working and delivering independently at all levels of an organization from policy and governance to technology and operations
- Developing policies, standards and processes from concept to full documentation and implementation
- Performing risk assessments and developing risk reports for senior business audiences
- Working independently in complex business situations to develop solutions that ensure compliance
- Working with agile development organizations and devops teams
- Delivering advisory or audit work in at least the following domains: web application frameworks, operating systems, software as a service, security technology, access governance and software development methodologies
- Achieved a relevant certification such as a CISA, CISM or CISSP
- Using GRC tools (ZenGRC preferred but not required)
Experience in delivering privacy assessments and disaster recovery readiness tests would be seen as a plus but is not essential and can be learned on the job. If you breathe technology and dream compliance (which we admit is kind of weird) then we want you.
Come to the interview ready to talk about:
- Streamlining a SOC2 compliance program
- The difference between a firewall and a reverse proxy
- How to address compliance challenges in the cloud and in devops and agile cultures
About Our Working Relationship
We'll provide reasonable support in helping you keep your certification current. We'll challenge you both with the volume and speed of work, meaning you'll never be bored and will always feel like you're part of something meaningful. You'll be surrounded by great people who deliver continuously and are willing to try new approaches to challenging issues; we are passionate technologists and experienced operations people, which means you will learn from us as we learn from you. This isn't always a 9 to 5 job, we're growing fast and we're global, but personal/family time won't suffer and we're accommodating to varying work schedules and arrangements. You will be part of a small team with a diverse set of responsibilities whose roles and skills are distinct from but complementary to yours; together you will be mighty.
From professional sports teams to Fortune 100 companies, we work with some of the biggest brands in the world, and so will you. We are a successful global software company with a start-up mentality. Our leadership team is always available, teams work side-by-side and fresh perspectives are not only encouraged, they are celebrated.
Vision Critical was born from the idea there had to be a better way for companies to connect with the people who matter most to them: their customers. The belief that people matter is the core of our culture.
We believe that people have wisdom that's worth listening to, learning from and acting on. Be one of those people at Vision Critical. Join us!