Director, Governance, Risk and Compliance - Corporate at Ryan Specialty
Chicago, United States
Job Description
Position Summary:
The Director of Governance, Risk & Compliance will report to the Chief Information Security Officer and will lead the Governance, Risk & Compliance workstream on the Information Security team. This role is responsible for enhancing and expanding Ryan Specialty's GRC portfolio to improve the company's overall security and compliance posture. The ideal candidate will have detailed working knowledge of security technologies and leading practices, and experience leading a team that maintains compliance in a regulated business environment. This role will lead all information security compliance efforts, working with the relevant internal teams to ensure that all compliance obligations are understood, that all relevant processes are fully established, and that compliance is continuously tracked, measured, and reported on. Additionally, this role will lead the continuing maturation of Ryan Specialty's cyber risk management efforts, which consist of an internal risk management program and an external third-party risk management program.
Candidates for this role must be collaborative in nature, acting as a true enabler of the business and partner to technology and other departmental leaders and teams, able to drive security outcomes through influence and partnership. Additionally, candidates must have an ability to seamlessly move from deep, detailed conversations to executive level briefings that explain challenging compliance, risk, and technical concepts succinctly.
Essential Functions:
Lead, in partnership with CISO, the Cyber Governance, Risk and Compliance program, including articulating cyber risks in a business context, their impacts, and recommending mitigation
Collaborate with the VP of IT Risk Management to manage Information Security risks, including maintaining a risk register, assisting with self-assessments, and contributing to risk management strategies and processes
Create, maintain, and continuously mature information security policies, standards, and controls; work with senior leaders to ensure that any impacts, and the associated work required to remain compliant, are included in Product and Technology roadmaps
Implement and oversee procedures and controls to ensure compliance with applicable regulatory, legal, and contractual requirements
Continue to mature the third-party risk management process
Support the business, procurement and legal teams regarding security requirements, including review of contractual elements pertaining to security, completing questionnaires, meeting with auditors, etc.
Collaborate with regulatory compliance on the privacy program
Participate in or lead security efforts related to M&A, including due diligence assessments and post-acquisition activities to fully integrate the acquired entity into all security controls and processes
In conjunction with IT Risk Management, oversee the remediation of information security findings identified by Internal Audit, IT Risk, and third-party risk assessments
Own the security awareness training program, including selection of courses, phishing campaigns, awareness campaigns and reporting
Provide reporting and metrics to senior leadership
Work within and across teams on cross functional projects
If required, provide leadership for incident response activities
Education/Experience/Skills:
8+ years of cross-discipline Information Security/Information Technology experience
5+ years of leading a GRC function
Experience applying security frameworks such as NIST CSF, CIS, etc. for self-assessments and working with auditors
Subject matter expertise in developing and executing company-wide programs, policies, procedures, and controls
The ability to translate modern security technology practices (e.g., passwordless, CI/CD, encryption, etc.) to the language of auditors
Understanding of the risks in cloud-native and on-premises architectures
Experience with compliance and audit strategies for cloud environments (IaaS, SaaS, etc.)
Excellent executive presentation and communication skills
Ability to lead through influence, including at executive levels
Strong critical thinking skills with ability to challenge normal operations
Experience working in a team-oriented, collaborative environment
Prior successful completion of external audits, such as SOC 2, SOX, and HIPAA
Prior experience automating compliance controls
Certification showing expertise in audit or risk management (e.g., CISA, CISM, CRISC)
Insurance and/or financial services background is beneficial, but not required
Disclaimer
Ryan Specialty is an Equal Opportunity Employer.