Jostens

Senior Manager, Governance, Risk & Compliance

Jostens, Minneapolis, Minnesota, United States, 55400


SENIOR MANAGER, GOVERNANCE, RISK & COMPLIANCE (GRC)
HYBRID POSITION | ONSITE THREE DAYS A WEEK AT JOSTENS’ CORPORATE OFFICE (BLOOMINGTON, MN)

ABOUT YOU:
As the Senior Manager, Governance, Risk & Compliance (GRC), you will lead the enterprise-wide GRC program, overseeing policy management, security risk processes, third-party risk, and compliance with regulatory and assurance frameworks such as PCI DSS, SOX ITGC, and SOC 2. This role is both strategic and hands-on, requiring strong leadership, deep security expertise, and executive-level communication. You’ll collaborate cross-functionally with teams in IT, Legal, Audit, and business units to reduce risk, strengthen security posture, and ensure compliance across global operations.

YOU WILL:
- Lead the Enterprise GRC Program. Oversee information security policy development, control monitoring, and compliance initiatives across the organization.
- Own the Policy Lifecycle. Manage the creation, review, approval, and communication of security policies, ensuring adoption and alignment with frameworks.
- Drive Cybersecurity Strategy. Align security initiatives with organizational objectives, regulatory requirements, and executive priorities.
- Manage the Risk Registry. Lead risk identification, scoring, treatment planning, and ongoing tracking in collaboration with business and IT stakeholders.
- Advance Third-Party Risk Management. Conduct vendor due diligence, assess ongoing risk, and ensure contract language meets security and privacy standards.
- Coordinate Compliance Programs. Lead audit readiness and evidence management for PCI DSS Level 1, SOC 2, and SOX ITGC audits.
- Oversee GRC Platforms. Manage tools such as ZenGRC to automate control workflows, risk tracking, and policy approvals.
- Deliver Executive Reporting. Provide leadership and Board-level reporting using dashboards, metrics, KRIs, and business impact narratives.
- Lead Security Awareness Programs. Oversee company-wide and targeted training programs, and champion a culture of security awareness.
- Collaborate Cross-Functionally. Serve as a bridge between Legal, Audit, Engineering, IAM, and Security Operations, ensuring alignment and accountability.
- Support Emerging Risk Areas. Contribute to governance programs related to AI, cloud security posture, OT/IoT, and business continuity.
- Supervise & Develop Talent. Lead a GRC team based in the Dominican Republic, fostering professional growth and aligning resources to strategic goals.

Typical/expected % of overnight travel:

YOU HAVE:
- Education: Bachelor’s degree in Information Security, Computer Science, or a related field required.
- Experience: 8+ years of progressive Information Security experience, with at least 5 years in GRC-focused leadership roles.
- Team Leadership: Proven experience managing and mentoring security teams (3–5 direct reports, contractors, or consultants).
- Policy Management: Demonstrated ability to manage the full policy lifecycle (development, approval, publication, communication, and adoption).
- Risk Management: Direct experience with enterprise risk management programs, risk registry ownership, and risk reporting to executives.
- Control Assurance: Experience establishing and running continuous control monitoring and assurance processes to validate control design and operating effectiveness.
- Compliance: Hands-on leadership of PCI DSS Level 1, SOX ITGC, and SOC 2 (Type 1 and Type 2) programs, including audit readiness and evidence management.
- Framework Knowledge: Strong knowledge of ISO 27001/27002, NIST CSF, and other security and risk frameworks.
- Third-Party Risk: Practical experience with third-party/vendor risk management and platforms such as OneTrust.
- Contract Review: Experience reviewing and negotiating security and privacy clauses in vendor and customer contracts, in partnership with Legal and Procurement.
- Business Continuity: Familiarity with backup immutability, disaster recovery, and business continuity testing as part of compliance and risk assurance.
- Executive Reporting: Skilled at translating technical risks and control health into executive- and board-level reporting (KRIs/KPIs, risk heat maps, dashboards).
- Program Management: Strong ability to manage multiple projects, priorities, and compliance obligations simultaneously.
- Certifications: Relevant certifications such as CISSP, CISM, CISA, CRISC, PCI ISA, or equivalent.
- Communication: Exceptional ability to influence, present, and communicate risk concepts to both technical and non-technical stakeholders, including senior executives.

Preferred Qualifications:
- Industry Knowledge: Experience in manufacturing and/or retail industries.
- Privacy: Knowledge of privacy compliance requirements (CCPA/CPRA, GDPR) and alignment of security with privacy programs.
- Cloud/SaaS Security: Familiarity with SaaS and cloud platforms (AWS, M365, Salesforce, Snowflake).
- GRC Tools: Hands-on experience with enterprise GRC platforms such as ZenGRC and OneTrust.
- Emerging Tech: Awareness of AI governance, cloud security posture management, and OT/IoT security frameworks.
- Continuous Improvement: Experience maturing security programs using industry frameworks such as NIST CSF maturity models.

LOVE WHERE YOU WORK:
- We care about your health. We offer competitive healthcare (health, dental, and vision coverage) in addition to voluntary benefits including home and car insurance, pet insurance, a flexible spending account, and many more.
- We invest in your future. Our 401K plan has immediate vesting, so you can start saving for retirement right away.
- We believe in flexibility. We offer a hybrid schedule with on-site work 3 days a week.
- We want you to unplug when needed. We believe in taking your time off without guilt and offer accrued paid time off and company-paid holidays.
- We care about your development. We support tuition reimbursement after 6 months of service.
- We believe in pay transparency. The salary range is $144,500 - $176,500 with annual 20% bonus eligibility.

Jostens is an Equal Opportunity Employer and complies with applicable employment laws. EOE/M/F/Vet/Disabled are encouraged to apply.
