Motion Recruitment | Jobspring | Workbridge

Manager, Cybersecurity Governance and Risk

Arlington, Virginia

Hybrid

Full Time

$150k - $170k

The Manager of Cybersecurity Governance and Risk oversees IT risk management (ITRM) initiatives to enhance transparency regarding risk impacts on the Firm. This role involves managing the Cyber Risk Register and issues log, facilitating the Risk Operating Committee (ROC), and supporting the Governance and Risk team in aligning with industry standards (e.g., NIST, ISO, COBIT) in compliance with applicable regulatory and client requirements.

The company is located in Washington D.C., and the role follows a hybrid model.

What You Will Be Doing:
  • Support the development, implementation, and management of the governance and risk strategic plan and roadmap, including refining the reporting structure and frequency for InfoSec stakeholders.
  • Collaborate with the Controls and TPRM Managers to design, evolve, and oversee the development, maintenance, and evaluation of organizational InfoSec governance and risk procedures, processes, and guidelines in alignment with Firm and Client requirements.
  • Act as a key advisor in identifying, managing, and communicating governance and risk across InfoSec policy domains, offering expertise to prioritize and address risks while supporting the adoption of IT Risk policies, standards, and guidelines enterprise-wide in collaboration with the Controls Manager.
  • Manage the Cyber Risk and Issue Registers, including tracking remediation efforts, supporting monthly ROC meetings (agenda preparation, data calls, etc.), aggregating risk registers, and performing policy domain-to-control mapping to highlight prioritization and transparency into remediation needs.
  • Partner with the Controls Manager and other stakeholders to identify, validate, and document deficiencies in ITRM governance, processes, and risk management practices. Propose remediations, enforce cross-functional POAM initiatives, and manage status reporting in line with prioritization requirements.
  • Assist InfoSec’s TPRM and Client InfoSec Assessment activities, including assessment completion and quality control reviews, updating control narratives, and supporting reporting efforts to InfoSec leadership and stakeholders.
  • Enhance risk methodologies and conduct/support risk assessments to identify risks across policy domains, pinpoint opportunities for control improvement, and mitigate risks effectively.
  • Facilitate the definition and ongoing maintenance of InfoSec governance and risk metrics and measures.
  • Lead or support additional related projects as assigned.
Required Skills & Experience:
  • Demonstrated project management skills and a strong understanding of technology-related operational risks.
  • In-depth knowledge of current information security standards and frameworks (e.g., CSF, NIST, ISO), COSO framework, and the evolving cyber threat landscape.
  • Strong understanding of operational risk from a technology perspective.
  • Excellent analytical and problem-solving skills, with the ability to challenge current practices.
  • Knowledge of governance, risk, and compliance (GRC) processes and technologies across governance, process, and technical domains.
  • Experience conducting third-party assessments, including reviewing SOC2 Type 2 reports, SIG assessments, and penetration test results.
  • Proven ability to build and maintain strong cross-departmental relationships.
  • High-level technical understanding of security applications, platforms, and architectures.
  • Bachelor’s degree in Information Security, Information Assurance, Computer Science, Information Systems, or a related field (two additional years of relevant experience may substitute for two years of college credits).
  • A minimum of 7 years of combined experience in information technology, information security, and risk management.
  • Relevant certifications (e.g., CISA, CISM, GSEC, CISSP, CRISC) are highly preferred.
  • Advanced knowledge of risk management concepts, frameworks, and methodologies.
  • Comprehensive understanding of information security concepts and technologies.
  • Consulting experience is a plus.
  • Familiarity with the operations of law practices.
  • Advanced proficiency with MS Outlook, Word, Excel, Visio, and PowerPoint.
Applicants must be currently authorized to work in the United States on a full-time basis now and in the future.
This position doesn’t provide sponsorship.

Posted by: Ashton Corbett

Specialization: Management