Information Security Governance, Risk and Compliance (GRC) Lead

Overview

Information Security Governance, Risk and Compliance (GRC) Lead — O'Melveny & Myers LLP. The firm has an immediate opening for a remote GRC Lead in one of our Texas offices.

The Information Security GRC Lead serves as the subject matter expert for firmwide Information Security GRC initiatives, collaborating closely with the Information Security Officer. This role encompasses the development, implementation and ongoing coordination of GRC efforts. The GRC Lead is responsible for tracking information security risks, conducting risk analyses and mitigation options, coordinating information security metrics, and regularly tracking and reporting to Information Security leadership. The Lead enforces GRC rigor globally for firmwide information security obligations. The position involves implementing and advancing policies and a comprehensive control framework to execute the GRC strategy. The GRC Lead oversees the administration of standards and controls, risk management, third-party risk (TPRM), baseline security controls and technology compliance initiatives. The GRC Lead coordinates information security audits and assessments, including tracking, timely responses, and interactions with O'Melveny clients and external auditors. The GRC Lead will also assist with reviewing outside counsel guidelines. This position will develop a third-party risk management program, and assist with reviewing third-party risk, utilizing tools as well as reviewing due diligence documentation, such as questionnaires and SOC reports.

This position requires a deep understanding of ISO / IEC 27001, risk management methodologies, technical controls, and a proactive approach to addressing both operational and strategic risks. The GRC Lead collaborates with a cross-functional team of information security and information technology analysts to evaluate controls, map them to key performance indicators, measure effectiveness and produce timely reports for management. These reports are essential for identifying, evaluating and reporting on cybersecurity risks that may impact the business, ensuring informed decision-making. Strong business acumen and a diverse technical background are crucial for understanding emerging technologies and legacy systems considered business critical. The GRC Lead reports to the Information Security Officer.

Applications will be accepted from candidates who reside in the following states : AL, AZ, CA, CO, D.C., FL, HI, ID, IL, LA, MD, MA, MN, MO, NC, NH, NV, NJ, NY, OH, OR, PA, SC, TX, UT, VA, WA.

Responsibilities

• Lead firmwide Information Security GRC initiatives in partnership with the Information Security team.
• Assist and coordinate with the firm's ISO 27001 annual certification preparations, as well as with client audits.
• Be familiar with external requirements, such as outside counsel guidelines, and assist with tracking, review, and response, as needed.
• Oversee Information Security GRC activities and coordinate closely with the Information Security Officer.
• Serve as a subject matter expert and trusted advisor for leadership on Information Security GRC matters.
• Serve as the primary contact for responding to business unit inquiries regarding operational compliance.
• Collaborate with IT, legal, finance and operations to develop a cohesive Information Security GRC program.
• Partner with business units during solutions onboarding to ensure adequate controls are in place and enabled.
• Conduct regular risk assessments, analyzing emerging risks across the organization.
• Coordinate with stakeholders to implement effective risk mitigation strategies.
• Maintain a strategic and comprehensive GRC program that includes policies, standards, processes and guidelines.
• Stay updated on regulatory changes and industry standards, such as ISO, NIST, GDPR, HITRUST and HIPAA.
• Provide guidance to team members to ensure compliance with relevant laws and regulations.
• Deliver GRC reports to management, emphasizing compliance status, risk exposure and mitigation efforts.
• Oversee third-party and vendor risk as an integral part of the organization's risk management strategy.
• Document, communicate and enforce cybersecurity standards that balance risk with business operations.
• Document GRC activities, policies, assessments and corrective actions to ensure audit readiness.
• Implement process improvements using GRC tools and methodologies to drive productivity gains.
• Cooperate with internal and external auditors to maintain and implement controls that meet GRC requirements.
• Motivate functional areas to implement practices that comply with cybersecurity policies and standards.
• Provide leadership in collaboration with technical and business teams to strengthen business resiliency.
• Guide team to align with security, audit and risk management efforts in ongoing security program assessments.
• Assist Information Security with projects, as needed.
• Stay abreast of current technologies, developments, security compliance requirements, standards, and industry trends.
• Perform analysis of security threats and vulnerabilities.
• Utilize threat intelligence to anticipate and mitigate potential risks.
• Ensure secure handling of privileged accounts and credentials.

Qualifications

• Five years of experience in GRC or as a cybersecurity practitioner, including roles in security analysis, compliance, and risk management.
• Experience working in a distributed and hybrid office team.
• Understanding of information security and privacy frameworks : ISO / IEC 27001 is required, NIST, HIPAA, HITRUST, GDPR, and GLBA are optional.
• Bachelors degree in Cybersecurity, Computer Science, Data Science, or a related field.
• Experience conducting tabletop exercises, coordinating disaster recovery exercises, and other information security control tests is ideal.
• Excellent analytical and problem-solving abilities.
• Effective communication and interpersonal skills and ability to work independently and collaboratively in a multidisciplinary team environment. Excellent written and verbal communication skills.
• Candidate should be able to effectively interact with all levels of staff.
• Professional certifications are a plus (CISSP, CISM, CISA, CRISC or CGRC).

We offer an excellent salary and benefits package. For more information, or to be considered for this position, please apply online at www.omm.com. Response will be given to candidates who closely meet our qualifications.

EOE M / F / D / V. No phone inquiries please.