Churchill Downs Race Track is hiring: Director of Cybersecurity, GRC in Louisvil
Churchill Downs Race Track, Louisville, KY, US, 40201
Director of Cybersecurity, GRC
The Director of Cybersecurity, GRC leads governance, risk, and compliance activities within the cybersecurity team. This role oversees cybersecurity policy management, regulatory compliance, legal contract reviews, and employee cybersecurity training. The manager ensures security practices meet regulatory and industry standards while supporting the organization's broader risk management goals.
The Director of Cybersecurity, GRC plays a critical leadership role in developing, implementing, and sustaining a comprehensive cybersecurity governance and compliance program. The role encompasses management of IT SOX and PCI DSS compliance, internal and external audits, privacy and cybersecurity contract reviews, and third-party security assessments. The manager also oversees the full lifecycle of cybersecurity policies, standards, and procedures, and drives security awareness through training programs. Working closely with Legal, Internal Audit, IT, and Privacy, this individual ensures cybersecurity initiatives align with corporate risk strategy and regulatory obligations while promoting a strong, risk-aware culture.
Ability to obtain racing and/or gaming licenses as required in any jurisdiction where CDI operates. The Gaming industry is highly regulated and as such demands an extensive background check to obtain a license. Must be 21 years of age or older.
Bachelor's degree in Cybersecurity, Information Systems, Risk Management, or related field is required.
5-8 years of experience in cybersecurity, with 3 years in a GRC or compliance-focused role, is required.
Direct experience managing IT SOX and PCI DSS compliance activities is required.
Familiarity with legal contract language related to cybersecurity and data privacy is desired.
Strong project management experience is preferred.
Experience using GRC platforms (e.g., AuditBoard, OneTrust) is preferred.
Professional certifications such as CISSP, CISM, or CRISC are preferred.
Deep understanding of cybersecurity governance, risk, and compliance best practices.
Strong knowledge of regulatory and industry standards including SOX, PCI DSS, GDPR, HIPAA, CCPA, and frameworks like NIST CSF and ISO 27001.
Proven ability to write, implement, and maintain cybersecurity policies and procedures.
Experience reviewing cybersecurity/privacy clauses in contracts and recommending risk mitigations.
Excellent communication and presentation skills; able to articulate complex risk issues to senior leadership.
Ability to manage multiple concurrent projects and regulatory timelines.
High attention to detail, critical thinking, and strong documentation skills.
Demonstrated leadership, mentoring, and collaboration skills.
Extended periods of sitting at a desk and working on a computer.
Regular use of a keyboard and mouse for typing and navigating software.
Viewing a computer screen for prolonged periods.
Ability to manipulate paperwork, including filing, sorting, and organizing.
Moving within the office environment to attend meetings, use office equipment, or interact with colleagues.
Occasional lifting of office supplies or paperwork (up to 20 pounds).
Speaking and listening to colleagues and clients in person, over the phone, or via video conferencing.
Working in a climate-controlled office environment with moderate noise levels.
Performing repetitive tasks such as data entry or document preparation.
Working under artificial lighting conditions typical of an office environment, which may include fluorescent or LED lighting.
Role is onsite five days a week at the Louisville, KY CDI headquarters office.