Cyber Risk - GRC Issue Management - Executive Director

Job Level: Executive Director
Job Function: Governance & Assurance
Location: Tralee, IE
Employment Type: Full Time
Requisition ID: 7540

SMBC Group is a top-tier global financial group. Headquartered in Tokyo and with a 400-year history, SMBC Group offers a diverse range of financial services, including banking, leasing, securities, credit cards, and consumer finance. The Group has more than 130 offices and 80,000 employees worldwide in nearly 40 countries. Sumitomo Mitsui Financial Group, Inc. (SMFG) is the holding company of SMBC Group, which is one of the three largest banking groups in Japan. SMFG’s shares trade on the Tokyo, Nagoya, and New York (NYSE: SMFG) stock exchanges.

 

In the Americas, SMBC Group has a presence in the US, Canada, Ireland, Mexico, Brazil, Chile, Colombia, and Peru. Backed by the capital strength of SMBC Group and the value of its relationships in Asia, the Group offers a range of commercial and investment banking services to its corporate, institutional, and municipal clients. It connects a diverse client base to local markets and the organization’s extensive global network. The Group’s operating companies in the Americas include Sumitomo Mitsui Banking Corp. (SMBC), SMBC Nikko Securities America, Inc., SMBC Capital Markets, Inc., SMBC MANUBANK, JRI America, Inc., SMBC Leasing and Finance, Inc., Banco Sumitomo Mitsui Brasileiro S.A., and Sumitomo Mitsui Finance and Leasing Co., Ltd.

 

This is a hybrid role, requiring the successful candidate to attend our Tralee office.

Role Description

The Cyber Risk - GRC Issue Management role is responsible for designing, implementing, and operating a cyber risk governance issues management program, coordinating across multiple regions and aligning cybersecurity activities with business objectives, regulatory requirements, and enterprise risk appetite.


This role serves as the bridge between the CISO organization, technology teams, risk management as the second line of defense (2LOD), internal audit as the third line of defense (3LOD), and regulators, supporting the identification of cyber risks and managing identified issues within the Cybersecurity organization to closure. This includes assessment, measurement, tracking, sustainment, and consistent reporting across the CISO organization.

This role will oversee the identification, tracking, and resolution of cybersecurity and compliance issues across the CISO organization. The role will continue to develop and enhance the cybersecurity issues management program and processes for documenting, prioritizing, and escalating risks and incidents to drive timely mitigation. This individual will collaborate with cross-functional teams to analyze root causes, implement corrective actions, and monitor progress on issue remediation. This individual will support the preparation of reports for leadership and stakeholders on issue management trends, status updates, and compliance outcomes.

Role Objectives

Cyber Governance

  • Define and implement an issues management program, including identification of issues and mitigating controls, documentation of issues, planning and execution of remediation activities, with emphasis on sustainment of new technology and process controls.
  • Establish and operate cyber risk forums, governance committees, and escalation paths
  • Align cyber governance with broader technology risk and enterprise risk taxonomies
  • Support board and executive‑level reporting on cyber risk posture and material exposures

Cyber Risk Management

  • Own the issues management cyber risk lifecycle, including:
    • Evaluation of current issues management practices
    • Developing and implementing improvements to the processes.
    • Reporting progress toward closure of open risks
    • Review and approval of plans to address identified issues.
    • Monitoring progress against those plans
    • Ensuring appropriate sustainability is included in planning
    • Verifying readiness for closure and submission.
    • Integrate outputs from:
      • Vulnerability management
      • Penetration testing
      • Application security
      • Cloud and data security assessments
      • Third‑party cyber risk

Metrics, Reporting and Data

  • Review and approve cyber risk KPIs and KRIs as they relate to issue closure.
  • Translate technical risk data into business‑relevant insights
  • Support aggregate and integrated reporting across technology risk and cyber risk
  • Enable consistent risk data through GRC platforms and tooling

 

GRC Technology Enablement

  • Define requirements for risk, issue, control, and compliance workflows
  • Drive automation of evidence collection and reporting
  • Ensure tooling aligns to governance models and risk taxonomy

Stakeholder Management

Partner closely with:

  • CISO and cyber domain leaders across regions globally
  • Enterprise Risk Management
  • Internal Audit
  • Legal, Compliance, and Privacy teams

Qualifications and Skills

  • 10+ years of experience in cybersecurity, technology risk, or GRC.
  • Strong understanding of cyber risk management frameworks (e.g., NIST CSF, ISO 27001, Regional Regulations, regulatory cyber expectations).
  • Demonstrated experience operating in highly regulated environments, preferably financial services.
  • Proven experience interfacing with regulators, auditors, and senior executives in a global organization.
  • Experience documenting and successfully closing regulatory and audit issues.
  • Strong ability to translate technical risk into business risk and executive‑level messaging.
  • Experience supporting cloud, AI, and emerging technology risk governance.

 

Preferred Certifications (not required)

  • CISSP
  • CISM
  • CRISC
  • CISA

Additional Requirements

SMBC’s employees participate in a hybrid workforce model that provides employees with an opportunity to work from home as well as from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during their interview process.

 

SMBC provides reasonable accommodations during candidacy for applicants with disabilities consistent with applicable federal, state, and local law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.