Information Security: GRC/ISRM Lead

Position at DNEG

DNEG’s expanding Information Security (InfoSec), Governance, Risk and Compliance (GRC) and Data Privacy programs have the requirement to add an experienced InfoSec Governance, Risk and Compliance (GRC) Lead to the expanding global team. The role will be responsible for successfully managing and steering the Information Security GRC and Privacy function within DNEG. The InfoSec team are responsible for ensuring that the confidentiality, integrity, and availability (CIA) of its, and client’s, confidential data, PII and systems and services are always maintained. It’s for this reason that an experienced InfoSec GRC function is required to work collaboratively with the team, peers, and business stakeholders to ensure that all the InfoSec GRC initiatives/projects are aligned, maintained, and managed effectively to meet the requirements of both tactical roadmap requirements and to the overall successful delivery of the wider InfoSec strategy.

1. Mandatory Requirements and Expectations

An experienced individual that works in a methodical and concise manner is required to successfully manage the InfoSec GRC and Privacy function at DNEG.

• Experience of working within a highly technical and multi-faceted InfoSec security program.
• Have excellent interpersonal, analytical, assessment and documentation skills which can be effectively utilized to develop and deliver against highly critical and GRC and Privacy assurance requirements.
• Working closely with the Information Security Program Manager (ISPM) to successfully prioritize, steer and deliver the GRC and privacy facets of the InfoSec program.
• Experience of working within multi-faceted audit environment.
• Demonstrable experience of delivering, maintaining, managing, and maturing a global GRC program to meet the requirements of a highly complex environment.
• Excellent track record of working with both internal and client driven auditable environments and ensure that control areas are effectively managed from a risk-based methodology.

2. Duties and Operational Responsibilities

• Manage, maintain, and mature the GRC and function within DNEG.
• Work proactively with the wider InfoSec team to ensure that all GRC and audit deliverables are suitably communicated and documented.
• Be able to work effectively in an independent capacity and as part of the InfoSec team.
• Utilize effective task management, communication, and leadership skills.
• Work in close partnership and collaborate with peers and internal technical teams.

3. Job Requirements

3.1 Mandatory Job Requirements

A successful candidate will meet the majority of the requirements listed below and will be able demonstrate suitable experience in competencies in each of the following:

• Five to Ten years, plus/minus, of working within, or leading, a GRC, Data Privacy and audit function.
• Have demonstrable experience with all the following key areas:
• Lead and mature the existing GRC program to ensure that identified CRM and InfoSec risks are suitably kept within DNEG’s risk tolerance level.
• Highly proficient with Risk Management methodologies and suitable application.
• Lead the assessment, evaluation and define risk mitigation solutions across the business and technical environments and identify areas of improvement.
• Take ownership of the ISMS policy framework and ensure that the control framework is suitable and meets requirements as set forth by industry and client driven audit requirements.
• Conduct onsite security audits and gap analyses across DNEG facilities to assess alignment with security frameworks.
• Mature and further develop the audit program and work collaboratively with peers and stakeholders to ensure that control deficiencies are suitably tracked and ultimately either mitigated or accepted.
• Demonstrable working knowledge of data privacy legislations, e.g., GDPR, and the applicability of applying mandated controls to minimize risk associated with privacy breaches etc.

• Highly motivated and bring a progressive and highly collaborative approach to the InfoSec GRC function.
• Knowledge of Information/Cyber Security processes and methodologies, e.g., ISO27001, CSA CCM etc.
• Experience of working collaboratively and effectively with a PMO function.
• Document and create qualitative and quantitative reporting relating to the GRC / Data Privacy roadmap.

3.2 Desired Job Requirements

A successful candidate will have experience with the desired requirements listed below and will be able demonstrate suitable experience in competencies in each of the following:

• Experience of working with and customizing automated risk management platforms and services.
• Prior experience working within either the film or media industry sector.
• Experience and demonstrable, high-level knowledge, of the following:
• Working within either a hybrid or cloud native environment and their associated risks that are applicable within this type of environment.

3.3 Education

• A bachelor’s degree in IT or Computer Science is desirable, but not essential.
• Any of the following Risk Management certifications, e.g., CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor etc.