Blackstone Talent Group
Program Lead, Governance, Risk & Compliance (GRC)
Blackstone Talent Group, Vernon, California, United States
Program Lead, Governance, Risk & Compliance (GRC)
Blackstone Talent Group, an award‑winning technology consulting and talent agency, is seeking a Program Lead, Governance, Risk & Compliance (GRC) to join our Client’s team.
Key Responsibilities
Establish and mature the enterprise GRC program aligned to ISO 27001, SOX, NIST CSF, CIS Controls and relevant regulatory requirements.
Own the Information Security Management System (ISMS) lifecycle: scope definition, risk assessment, Statement of Applicability (SoA), control implementation, internal audit, management review, corrective actions, and surveillance/recertification readiness.
Define and maintain policies, standards, and procedures (e.g., access control, change management, vulnerability management, secure SDLC, incident response, supplier security).
Chair and coordinate governance forums (e.g., Risk & Compliance Steering Committee, Change Advisory Board, Management Review meetings).
Governance & Program Leadership
Establish and mature the enterprise GRC program aligned to ISO 27001, SOX, NIST CSF, CIS Controls and relevant regulatory requirements.
Own the Information Security Management System (ISMS) lifecycle: scope definition, risk assessment, Statement of Applicability (SoA), control implementation, internal audit, management review, corrective actions, and surveillance/recertification readiness.
Define and maintain policies, standards, and procedures (e.g., access control, change management, vulnerability management, secure SDLC, incident response, supplier security).
Chair and coordinate governance forums (e.g., Risk & Compliance Steering Committee, Change Advisory Board, Management Review meetings).
Risk Management
Implement enterprise risk management (ERM) for information and technology risks: risk identification, assessment (qualitative/quantitative), treatment plans, and risk acceptance with accountable owners.
Build third‑party/vendor risk management (TPRM) including due diligence, contractual controls, continuous monitoring, and remediation.
Integrate operational technology (OT) risk (ICS/SCADA, IIoT) into the enterprise risk register with pragmatic controls that do not disrupt production.
Compliance: ISO 27001 & SOX
Lead ISO 27001 certification journey: gap analysis, roadmap, control implementation, training/awareness, internal audits, and liaison with external certification bodies.
Own SOX ITGCs and application controls: design, documentation, testing coordination, remediation tracking, and Disclosure Committee reporting.
Align identity & access management, change management, computer operations, and IT service delivery to SOX and ISO control objectives; ensure evidence quality and audit readiness.
Coordinate with Finance/Accounting on financial reporting risks.
Audit & Assurance
Plan and execute internal audits (ISO 27001, policy compliance, control effectiveness) and coordinate external audits (SOX, ISO surveillance/certification, PCI).
Build defensible control evidence repositories, ensure sampling precision, and drive timely remediation of findings.
Develop and maintain control libraries, test plans, and mapping across frameworks (ISO/NIST, SOX ITGC, etc.).
Tooling, Automation & Metrics
Select, implement, and administer GRC platforms (e.g., Archer, Drata, Vanta, ServiceNow GRC, IRM, OneTrust) and integrate with ticketing, IAM, CMDB, SIEM, and ERP (e.g., SAP, Oracle).
Operationalize continuous control monitoring (CCM) and control analytics (e.g., access outliers, change exceptions, segregation of duties conflicts).
Define and publish KPIs/KRIs and Board/C‑suite dashboards: audit status, control effectiveness, residual risk, TPRM posture, policy adoption, incident trends.
Team Leadership & Vendor Management
Lead a hybrid, geographically distributed team of employees and vendor/consulting resources; set objectives, coach, and develop talent.
Build SOWs, manage budgets, and ensure vendor SLAs/KPIs and quality outcomes.
Foster a culture of accountability, transparency, and continuous improvement.
Training, Awareness & Change Management
Lead assessment and management of training and phishing campaign platform and process (e.g., SOX for IT engineers, ISO control owners, plant operations staff).
Drive change management communications to embed controls into daily operations without impeding manufacturing throughput.
Incident, BCP/DR & Privacy Alignment
Ensure incident response processes are governed, tested, and produce audit‑ready evidence.
Oversee BCP/DR governance (business impact analysis, testing cadence, lessons learned).
Partner with Legal/Privacy on data protection, records retention, and supplier agreements (e.g., CCPA).
Qualifications Education
Bachelor’s degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred. Advanced degree (MBA, MS in Information Assurance) is a plus.
Experience
10–15+ years progressive experience in IT Audit/Controls, or Enterprise Risk; 5+ years leading GRC programs in public companies.
End‑to‑end ISO 27001 implementation experience (ISMS design through certification).
SOX 404 ITGC ownership experience, including scoping, control design, testing, and remediation across ERP (e.g., SAP/Oracle) and key business applications.
Demonstrated success in leading mixed teams of internal staff and vendor/consultants, including multi‑site and global operations.
Manufacturing/OT exposure: ICS/SCADA risk management, plant‑floor realities (safety, uptime, maintenance windows).
Hands‑on with GRC platforms, IAM, CMDB, SIEM/SOAR, vulnerability management, and evidence repositories.
Strong familiarity with NIST CSF, CIS Controls, and control mapping across frameworks.
Certifications (Preferred)
ISO/IEC 27001 Lead Implementer and/or Lead Auditor
CISA (Certified Information Systems Auditor)
CISM or CISSP
CRISC
CGEIT
ITIL Foundation
Skills & Competencies
Hands‑on control design and evidence creation; comfort reading logs, configs, and ERP control parameters.
Risk quantification (basic FAIR or scenario analysis) and pragmatic prioritization.
Stakeholder management with Finance, IT, Plant Ops, and external auditors.
Analytical and documentation excellence; precision in scoping, testing, and remediation tracking.
Clear executive communication—Board‑level reporting with drill‑down detail.
Change leadership—able to balance compliance rigor with manufacturing agility.
Success Metrics (12–18 Months)
Achieve ISO 27001 certification (or surveillance audit pass) within agreed scope.
Zero material weaknesses and timely SOX remediation of control deficiencies.
Established TPRM program with risk‑tiered vendor controls and SLA tracking.
Operational GRC platform with automated workflows and CCM for top controls.
Published KPI/KRI dashboards with trend improvements (e.g., access review cycle time, change exceptions, incident MTTR, audit finding closure rates).
Measurable policy adoption and training completion across IT and manufacturing sites.
Travel & Work Environment
10–25% travel to manufacturing plants, data centers, and corporate offices for audits, walkthroughs, and stakeholder workshops.
#J-18808-Ljbffr
Key Responsibilities
Establish and mature the enterprise GRC program aligned to ISO 27001, SOX, NIST CSF, CIS Controls and relevant regulatory requirements.
Own the Information Security Management System (ISMS) lifecycle: scope definition, risk assessment, Statement of Applicability (SoA), control implementation, internal audit, management review, corrective actions, and surveillance/recertification readiness.
Define and maintain policies, standards, and procedures (e.g., access control, change management, vulnerability management, secure SDLC, incident response, supplier security).
Chair and coordinate governance forums (e.g., Risk & Compliance Steering Committee, Change Advisory Board, Management Review meetings).
Governance & Program Leadership
Establish and mature the enterprise GRC program aligned to ISO 27001, SOX, NIST CSF, CIS Controls and relevant regulatory requirements.
Own the Information Security Management System (ISMS) lifecycle: scope definition, risk assessment, Statement of Applicability (SoA), control implementation, internal audit, management review, corrective actions, and surveillance/recertification readiness.
Define and maintain policies, standards, and procedures (e.g., access control, change management, vulnerability management, secure SDLC, incident response, supplier security).
Chair and coordinate governance forums (e.g., Risk & Compliance Steering Committee, Change Advisory Board, Management Review meetings).
Risk Management
Implement enterprise risk management (ERM) for information and technology risks: risk identification, assessment (qualitative/quantitative), treatment plans, and risk acceptance with accountable owners.
Build third‑party/vendor risk management (TPRM) including due diligence, contractual controls, continuous monitoring, and remediation.
Integrate operational technology (OT) risk (ICS/SCADA, IIoT) into the enterprise risk register with pragmatic controls that do not disrupt production.
Compliance: ISO 27001 & SOX
Lead ISO 27001 certification journey: gap analysis, roadmap, control implementation, training/awareness, internal audits, and liaison with external certification bodies.
Own SOX ITGCs and application controls: design, documentation, testing coordination, remediation tracking, and Disclosure Committee reporting.
Align identity & access management, change management, computer operations, and IT service delivery to SOX and ISO control objectives; ensure evidence quality and audit readiness.
Coordinate with Finance/Accounting on financial reporting risks.
Audit & Assurance
Plan and execute internal audits (ISO 27001, policy compliance, control effectiveness) and coordinate external audits (SOX, ISO surveillance/certification, PCI).
Build defensible control evidence repositories, ensure sampling precision, and drive timely remediation of findings.
Develop and maintain control libraries, test plans, and mapping across frameworks (ISO/NIST, SOX ITGC, etc.).
Tooling, Automation & Metrics
Select, implement, and administer GRC platforms (e.g., Archer, Drata, Vanta, ServiceNow GRC, IRM, OneTrust) and integrate with ticketing, IAM, CMDB, SIEM, and ERP (e.g., SAP, Oracle).
Operationalize continuous control monitoring (CCM) and control analytics (e.g., access outliers, change exceptions, segregation of duties conflicts).
Define and publish KPIs/KRIs and Board/C‑suite dashboards: audit status, control effectiveness, residual risk, TPRM posture, policy adoption, incident trends.
Team Leadership & Vendor Management
Lead a hybrid, geographically distributed team of employees and vendor/consulting resources; set objectives, coach, and develop talent.
Build SOWs, manage budgets, and ensure vendor SLAs/KPIs and quality outcomes.
Foster a culture of accountability, transparency, and continuous improvement.
Training, Awareness & Change Management
Lead assessment and management of training and phishing campaign platform and process (e.g., SOX for IT engineers, ISO control owners, plant operations staff).
Drive change management communications to embed controls into daily operations without impeding manufacturing throughput.
Incident, BCP/DR & Privacy Alignment
Ensure incident response processes are governed, tested, and produce audit‑ready evidence.
Oversee BCP/DR governance (business impact analysis, testing cadence, lessons learned).
Partner with Legal/Privacy on data protection, records retention, and supplier agreements (e.g., CCPA).
Qualifications Education
Bachelor’s degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred. Advanced degree (MBA, MS in Information Assurance) is a plus.
Experience
10–15+ years progressive experience in IT Audit/Controls, or Enterprise Risk; 5+ years leading GRC programs in public companies.
End‑to‑end ISO 27001 implementation experience (ISMS design through certification).
SOX 404 ITGC ownership experience, including scoping, control design, testing, and remediation across ERP (e.g., SAP/Oracle) and key business applications.
Demonstrated success in leading mixed teams of internal staff and vendor/consultants, including multi‑site and global operations.
Manufacturing/OT exposure: ICS/SCADA risk management, plant‑floor realities (safety, uptime, maintenance windows).
Hands‑on with GRC platforms, IAM, CMDB, SIEM/SOAR, vulnerability management, and evidence repositories.
Strong familiarity with NIST CSF, CIS Controls, and control mapping across frameworks.
Certifications (Preferred)
ISO/IEC 27001 Lead Implementer and/or Lead Auditor
CISA (Certified Information Systems Auditor)
CISM or CISSP
CRISC
CGEIT
ITIL Foundation
Skills & Competencies
Hands‑on control design and evidence creation; comfort reading logs, configs, and ERP control parameters.
Risk quantification (basic FAIR or scenario analysis) and pragmatic prioritization.
Stakeholder management with Finance, IT, Plant Ops, and external auditors.
Analytical and documentation excellence; precision in scoping, testing, and remediation tracking.
Clear executive communication—Board‑level reporting with drill‑down detail.
Change leadership—able to balance compliance rigor with manufacturing agility.
Success Metrics (12–18 Months)
Achieve ISO 27001 certification (or surveillance audit pass) within agreed scope.
Zero material weaknesses and timely SOX remediation of control deficiencies.
Established TPRM program with risk‑tiered vendor controls and SLA tracking.
Operational GRC platform with automated workflows and CCM for top controls.
Published KPI/KRI dashboards with trend improvements (e.g., access review cycle time, change exceptions, incident MTTR, audit finding closure rates).
Measurable policy adoption and training completion across IT and manufacturing sites.
Travel & Work Environment
10–25% travel to manufacturing plants, data centers, and corporate offices for audits, walkthroughs, and stakeholder workshops.
#J-18808-Ljbffr