IT Risk and Compliance Lead

Position Overview

We are seeking an experienced IT Risk and Compliance Lead to establish, maintain, and oversee our organization's information security and compliance framework. This role will be responsible for ensuring IT operations align with regulatory requirements, industry standards, and organizational policies while managing risk across the technology landscape.

Key ResponsibilitiesRisk Management

• Lead the identification, assessment, and mitigation of IT and cybersecurity risks across the organization
• Develop and maintain the IT risk register, tracking risk exposure and remediation efforts
• Conduct regular risk assessments of systems, applications, and infrastructure
• Partner with business units to evaluate technology risks associated with new initiatives and third-party relationships
• Implement and oversee the vendor risk management program for technology suppliers

Compliance & Governance

• Ensure compliance with relevant regulations and standards including SOC Type 1 and Type 2, ISO 27001, GDPR, HIPAA, PCI-DSS, or other industry-specific requirements
• Manage audit processes and serve as primary liaison with internal and external auditors
• Develop and maintain IT policies, standards, and procedures aligned with compliance requirements
• Monitor changes in regulatory landscape and assess impact on the organization
• Coordinate compliance activities across IT and business functions

Security & Controls

• Design, implement, and monitor IT controls framework to mitigate identified risks
• Oversee vulnerability management and remediation programs
• Conduct security control testing and effectiveness assessments
• Lead incident response planning from a compliance and risk perspective
• Collaborate with security teams to align risk priorities with security initiatives

Reporting & Communication

• Prepare executive-level reports on IT risk posture, compliance status, and key metrics
• Present findings and recommendations to senior leadership and board committees
• Develop key risk indicators (KRIs) and compliance dashboards
• Communicate complex technical risks in business terms to stakeholders at all levels

Required QualificationsExperience

• 7-10 years of progressive experience in IT risk management, compliance, audit, or related fields
• Demonstrated experience managing compliance programs for major frameworks (SOC 2, ISO 27001, NIST, etc.)
• Proven track record of successfully leading audit and assessment activities
• Experience conducting IT risk assessments and developing remediation strategies
• Background in vendor risk management and third-party assessments

Technical Skills

• Strong understanding of information security principles, controls, and best practices
• Knowledge of cloud security frameworks (AWS, Azure, GCP)
• Familiarity with security technologies including SIEM, vulnerability scanning, and access management tools
• Understanding of network architecture, system infrastructure, and application security
• Experience with GRC (Governance, Risk, and Compliance) platforms

Certifications

• One or more relevant certifications required: CISA, CRISC, CISSP, CISM, or equivalent
• Additional certifications are a plus: ISO 27001 Lead Auditor, CDPSE, or cloud security certifications

Soft Skills

• Excellent written and verbal communication skills with ability to influence stakeholders
• Strong analytical and problem-solving capabilities
• Ability to work independently and manage multiple priorities simultaneously
• Collaborative approach with ability to build relationships across technical and business teams
• Detail-oriented with strong organizational and project management skills

Preferred Qualifications

• Experience in a leadership or team lead capacity
• Industry-specific compliance experience relevant to our sector
• Experience implementing compliance automation and continuous monitoring solutions
• Understanding of DevSecOps and shift-left security practices