The Director, Governance, Risk & Compliance (GRC) leads the organization's enterprise governance, risk, and compliance program, partnering closely with the CISO to strengthen security, regulatory compliance, and risk management across a multi-brand healthcare organization. This role is responsible for building and maturing GRC frameworks, leading enterprise risk and compliance initiatives, overseeing audit readiness, and driving data governance, third-party risk management, vulnerability management, and security awareness programs that support organizational growth and regulatory requirements.
Primary Responsibilities
- Develop and execute the enterprise GRC strategy, establishing governance, risk, and compliance frameworks aligned with ISO 27001, NIST, SOC 2, HIPAA, HITECH, and other applicable standards.
- Lead enterprise risk management, audit readiness, and compliance activities by maintaining risk registers, coordinating assessments, managing regulatory audits, and delivering executive reporting.
- Build and oversee enterprise programs for data governance, vulnerability management, third-party risk management, and security awareness, ensuring scalable processes and organizational adoption.
- Partner with Legal, IT, business leaders, and external stakeholders to strengthen privacy, regulatory compliance, policy development, and enterprise security practices across all brands.
- Lead and develop the GRC function by establishing operating models, building team capabilities, implementing governance processes, and driving continuous improvement initiatives.
This is a hybrid position, coming into the office 1x/quarter.
What You Bring to the Table:
Qualifications
- Bachelor's degree in Cybersecurity, Information Security, Information Technology, Business, or a related field required; advanced degree preferred.
- 10+ years of progressive experience in governance, risk, and compliance, including leadership of enterprise GRC programs or teams.
- Deep expertise in ISO 27001, NIST Cybersecurity Framework, NIST 800-series, SOC 2 Type II, HIPAA, HITECH, and enterprise risk management frameworks.
- Proven experience building or significantly maturing GRC programs, including risk frameworks, compliance processes, audit management, and policy development within complex, multi-entity organizations.
- Demonstrated experience managing enterprise audits, regulatory compliance, control mapping across multiple frameworks, and executive risk reporting.
- Professional certifications such as CISSP, CISA, CRISC, CISM, or HITRUST CCSFP preferred; experience with HITRUST, GRC platforms (Drata, ServiceNow GRC, OneTrust, Archer), healthcare compliance, or PE-backed organizations is highly desirable.
Skills
- Governance and risk management
- Regulatory compliance
- Audit and control management
- Data governance
- Policy development
- Executive communication
- Cross-functional leadership
- Strategic planning