Director Governance Risk & Compliance

Boyd Gaming
Las Vegas, Nevada, United States
Full-time

Job Description

The director of governance, risk management and compliance (GRC) provides leadership and direction for the company’s GRC requirements.

The director is responsible for establishing and maintaining the company’s overall IT and security GRC program, as well as for the company’s overall technology compliance.

The role includes implementation and maintenance of policies, as well as a comprehensive controls framework with global third-party risk management.

The director ensures the company’s technical systems and information assets are protected in accordance with compliance requirements.

Furthermore, the director is responsible for identifying, evaluating, and reporting on information security risks that are important for the business to be aware of and act on accordingly.

The director will work in tandem with cybersecurity, enterprise technology, legal and compliance leadership to ensure all technology conforms to the company’s desired compliance and security posture and to elevate the company’s security posture.

To be successful, the director of GRC must be able to influence and lead the GRC security strategy of the business within new and existing information system capabilities.

The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems used by lines of business and vendors.

The director will report to executive security or risk management leadership within the organization.

Qualifications

  • Act as a key point of contact when GRC team members identify risk to raise awareness with security management and business unit leads on a risk reduction plan.
  • Play a key role in the vendor risk assessment process and ensure all business units follow and uphold process rigor.
  • Create, prioritize, and manage the yearly scope of technology compliance obligations.
  • Identify, document, and monitor to closure any gaps when compliance responsibilities are not met.
  • Oversee findings brought forward through team analysis, requiring thorough documentation and recommendations to report to security leadership where gaps exist.
  • Engage in continuous professional development with team management, honing direction as well as strategic plans.
  • Maintain a high degree of knowledge with current and proposed security changes impacting regulatory, privacy and security industry best practice guidance.
  • Effectively communicate knowledge of GRC controls across business units with a focus on, but not limited to, company practices, procedures, third-party integrations, product development and financials.
  • Influence and validate metrics used in assessment of security program success and report them regularly to security and business leadership.
  • Focus on principles aligning with enterprise risk management fundamentals within security and technology teams to maintain up-to-date configuration documentation for systems and processes.
  • Lead a team to provide rigorous oversight of security systems and security configuration administration that reduces risk to enterprise systems and accounts.
  • Appoint team members to stay abreast of incident response cases and track occurrence and resolution, with strict documentation and reporting.
  • Guide team members to align with security, audit, and risk management leadership for ongoing security program assessments, as well as annual strategic technology and budgetary directives.
  • Liaise with auditors, both internal and external, to maintain and implement controls for compliance and privacy laws.
  • Provide leadership for disaster recovery and business continuity as they relate to security frameworks, compliance, and privacy laws.
  • Inspire business units to adopt cybersecurity controls to reduce the attack surface.
  • Openly support the CISO, management team and executive leadership, even during tumultuous times. Perform other duties as assigned.

Additional Information

  • Bachelor's degree in computer science, information assurance, MIS, or related field, or equivalent. Advanced degree not required, but an MBA or master's degree in information assurance / technology is preferred.
  • At least 10 years’ experience in cybersecurity in one or more roles, including security analyst, compliance and regulations, risk management or audit.
  • 5 or more years’ experience managing distributed team personnel.
  • Demonstrated leadership experience and thorough understanding of various regulatory requirements and laws such as, but not limited to PCI, SOX, HIPAA, GDPR and GLBA.
  • Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls.
  • Preferably at least two years’ experience in Amazon Web Services (AWS), Google Cloud Platform (GCP) and / or Microsoft Azure cloud computing security configuration and management.
  • Proven understanding of business focus and processes, and ability to inject cybersecurity into the business through teamwork and influence.
  • Strong team and organizational management skills, and track record of delivering GRC projects under tight deadlines.
  • High level of integrity and trustworthiness, as well as confidence to represent the company and security leadership with the highest level of professionalism.
  • Demonstrated experience conducting tabletop exercises for business continuity.
  • Capable of working with diverse teams and promoting a positive enterprise-wide security culture.
  • Demonstrated project management, multitasking and organizational skills.
  • Ability to obtain and preserve credibility with the team and external constituents through sustained industry knowledge.
  • Ability to motivate teammates to achieve excellence and willingly share knowledge.

Boyd Gaming is proud to be an Equal Opportunity Employer and does not discriminate against any employee or applicant for employment because of race, color, sex, age, national origin, religion, sexual orientation, gender identity, status as a veteran, and basis of disability or any other federal, state, or local protected class.

16 hours ago