Head, Governance, Risk and Compliance (Head Security GRC)

The Head, GRC is a senior cybersecurity leader responsible for defining and operating the governance, risk and compliance strategy for the organization. This role partners closely with the CISO, technology leaders, legal, risk, compliance and business stakeholders to ensure cyber risk is governed effectively, regulatory obligations are met, and security controls are aligned to business priorities.

The role will lead policy and standards governance, cyber risk management, control assurance, audit and regulatory engagement, and third-party risk oversight while building a culture of accountability and continuous improvement.

• Lead and continuously improve the cybersecurity GRC framework, operating model, governance forums and reporting cadence.
• Own the lifecycle of cybersecurity policies, standards, procedures and exception management, ensuring alignment to business objectives and regulatory expectations.
• Establish and maintain a risk-based control environment aligned to recognized frameworks such as NIST CSF, ISO 27001 and other applicable regulatory requirements.
• Direct enterprise cyber risk assessments, risk treatment planning, control testing and issue remediation tracking.
• Oversee internal and external audits, customer assurance activities and regulatory examinations related to information security and cyber controls.
• Partner with legal, privacy, compliance and enterprise risk teams to interpret and operationalize changing cyber and data protection obligations.
• Oversee third-party cyber risk governance, including due diligence, control reviews and ongoing monitoring of critical suppliers.
• Develop meaningful metrics, KRIs and executive reporting to communicate cyber risk posture, compliance status and remediation progress to senior leadership.

Company Benefits:

• Health and Welfare Benefits: Medical, Dental, Vision, Health Savings Account, Commuter Benefits, Health Care and Dependent Care Flexible Spending Accounts, Accident Insurance, Critical Illness Insurance, Life Insurance, AD&D, Financial wellbeing support, Wellbeing Program and Work/Life Resources (including Employee Assistance Program).
• Leave Benefits: Paid Holidays, Annual Paid Time Off (includes paid state/local paid leave where required), Short-Term Disability, Long-Term Disability, Other Leaves (e.g., Bereavement, FMLA, ADA, Jury Duty, Military Leave, and Parental and Adoption Leave), Paid Time Off (Washington State only).
• Retirement Benefits: Salvage Plan (401k).
• Compensation: The salary benchmark for this role is US (New York): $220,000 – $250,000 – $280,000.

About You:

• You are a strategic and hands-on cybersecurity GRC leader who can translate regulatory, audit and risk requirements into practical actions for technology and business teams.
• You are comfortable operating at executive level while also driving program execution, control maturity and measurable outcomes.
• You bring strong judgment, clear communication and the ability to influence across complex stakeholder groups.
• Proven experience leading cybersecurity governance, risk and compliance programs in a complex enterprise environment.
• Strong knowledge of cybersecurity and control frameworks, including NIST CSF 2.0, ISO 27001, SOC 2 and relevant regulatory expectations.
• Demonstrated experience with cyber risk assessments, policy governance, control assurance, audit management and issue remediation.
• Ability to communicate cyber risk and control effectiveness in clear business terms to executives and non-technical stakeholders.
• Experience partnering with audit, enterprise risk, legal, privacy, procurement and technology teams.
• 10 years of experience in cybersecurity, information security, information technology, risk management or a related field.
• Relevant certifications such as CISM, CRISC or CISA are desirable.

We provide equal opportunity to all qualified individuals regardless of race, colour, religion, age, gender, gender expression, national origin, veteran status, disability, orientation, or any other legally protected categories. If you have a need that requires accommodation, please email us at talentacquisition@willisre.com.