Manager Governance Risk & Compliance

Manager Governance, Risk & Compliance
3 days onsite, Toronto, ON
Estimated Duration: Fulltime

JOB SUMMARY:
To provide senior-level strategic and tactical guidance to the Director of Cyber Advisory as well as the Chief Information Security Office (CISO) in the execution of its mandate to establish and maintain a wide cyber program to ensure the client is adequately protected.

To provide leadership, guidance and manage the design, integration and implementation of cyber solutions that support the organization and the CISO’s strategic objectives.

To implement and oversee the Governance, Risk & Compliance Programs and socialize Risk Management principles across the organization to promote awareness and effective management of cyber risks.

To collaborate with other segments of the organization to manage cyber initiatives.

MAJOR RESPONSIBILITIES:

• Lead and enhanced the enterprise-wide Cybersecurity Governance, Risk, and Compliance (GRC) program, ensuring effective identification, assessment, treatment, and closure of cyber risks across the organization.
• Document, and operationalize cyber risk appetite and tolerance thresholds, ensuring risk treatment decisions, exceptions, and residual risk acceptance align with formally approved governance frameworks.
• Embed governance structures and accountability models across Divisions, Agencies & Corporations, ensuring clear ownership for risk remediation, control effectiveness, and compliance obligations.
• Implement, and continuously mature a NIST-aligned control framework, ensuring consistent application, monitoring, and reporting of control effectiveness across the enterprise.
• Lead the development, review, and lifecycle management of cybersecurity policies, standards, and procedures, ensuring alignment with regulatory, legal, and internal governance requirements and driving compliance through enforcement and attestation.
• Oversee and enhance the formal processes to track, manage, and close audit findings, remediation and treatment plans (RTPs), and compliance gaps, ensuring timely remediation, evidence-based closure, and executive reporting.
• Implement continuous control monitoring and periodic risk assessments, including effectiveness testing, to validate control performance and identify emerging risks, with integrated GRC reporting and dashboards.
• Develop, assess, and enforce information security controls to protect confidentiality, integrity, and availability (CIA), ensuring controls are measurable, auditable, and aligned with compliance requirements.
• Lead the organization’s response to increasing regulatory, audit, and third-party assurance demands, including ISO 27001/2, SOC 2, and other external assessments, ensuring audit readiness, evidence management, and successful certification/attestation outcomes.

QUALIFICATIONS/CERTIFICATIONS:

• Post-secondary degree in Business or Technology or a related discipline.
• Over seven years of senior-level experience in Information Security
• Extensive senior-level and expertise in Information Security or Governance, Risk & Compliance (GRC).
• Over five years of experience in Information IT Risk/Audit organizations
• Three years of experience with GRC tools
• Extensive experience preparing comprehensive reports and presentations for all levels of an organization.
• Experience in establishing strategy and implementation of GRC Programs.
• Experience leading transformative multi-year programs.
• Ability to engage with internal and external stakeholders diplomatically and professionally
• Strong understanding of security risks, threats, and vulnerabilities and the judgment to assess and articulate risk effectively
• Experienced with security control frameworks including NIST Cybersecurity Framework, SOC 2, NIST 80-53, ISO 27001, and PCI.
• Strong understanding of the terminology, concepts, IT controls and best practices across key risk areas including risk assessment methodologies.
• Knowledge of architectural design and implementation methodologies, including software, network, and infrastructure.
• Knowledge of network and information security methods, standards, architectures, policies and procedures.
• Preferred Certifications (any in the list):  CISSP, CRISC, CISM, CISA

SKILLS:

• Ability to work in transformative programs.
• Excellent leadership and organizational skills and the ability to work effectively with all level of stakeholders.
• Motivated self-starter demonstrating integrity, initiative and innovation qualities.
• Strong analytical ability where problems are typically unusual and difficult.
• Strong analytical skills and ability to prioritise and multitask.
• Excellent problem-solving skills with capability to identify solutions to unusual and complex problems.
• Ability to make quick decision.
• Strong business acumen with budgeting experience.
• Excellent understanding of audit and compliance standards.
• Experience with the audit process and performing risk-based audits.
• Ability to work with the broader IT organization and business management to align priorities and plans with key business objectives.
• Demonstrated capacity to lead under pressure, make decisions in ambiguous situations and drive cross functional collaboration in a short period of time.
• Demonstrated influence and persuasion skills, able to present to senior levels.
• Strong understanding of the business impact of security tools, technologies and policies.
• Ability to handle ambiguity and make decisions and recommendations with limited data
• Ability to prioritize and effectively manage competing priorities and projects.
• Ability to manage multiple initiatives while adhering to strict deadlines.
• Excellent communication and active listening skills with an aptitude for extracting and synthesizing complex information.
• Exceptional written and oral communication skills.
• Transferable skills, like communication and decision-making, are equally important.
• Being able to think on your feet and show good judgment are especially valuable in this field. “Security pros should always be ready to react to cyber-related incidents quickly.

ADDITIONAL COMMENTS/INFORMATION:
A normal work week is 35 hours, however, unforeseen situation may require extended hours of work with little or no prior notice. In case of a cyber incident or breach, rotation shift, continuous extended hours may be required with little or no prior notice.