
time dotcom berhad

Head, IT Governance, Risk & Compliance

Posted 6 hours ago

Job Description

Position Overview

The Head of GRC is accountable for the organization's cybersecurity risk posture, ensuring that security controls across applications, infrastructure, and platforms are effectively designed, implemented, and continuously enforced.

The role drives measurable risk reduction, strong control adoption, and clear accountability across teams, while governing cybersecurity policies, standards, and risk management. It includes oversight of risk exposure, audits, and operational embedding of security practices, requiring structured thinking, sound judgment, and strong stakeholder influence.

Roles & Responsibilities

Governance & Policy Management:

  • Define and govern cybersecurity policies, standards, and control requirements aligned with regulatory and risk expectations.
  • Own and continuously enhance the cybersecurity policy and standards framework, ensuring clarity, consistency, and effective translation into enforceable control requirements.
  • Ensure regulatory obligations and governance frameworks (including MCMC, NACSA, ISO 27001, and NIST CSF) are operationalized through embedded controls and measurable practices, rather than documentation alone.
  • Establish mechanisms to measure, monitor, and report compliance across technology environments, providing clear visibility into control effectiveness and risk exposure.
  • Identify governance gaps and control deviations, require risk‑based remediation actions, track closure to completion, and escalate unresolved risks.
  • Maintain complete, current governance documentation and control evidence to support regulatory supervision, internal assurance activities, and external audits.

People & Team Management:

  • Lead, coach, and develop the GRC team to ensure strong delivery.
  • Set clear objectives, manage performance, and conduct regular check‑ins and coaching to support delivery, capability growth, and accountability.
  • Establish expectations for high‑quality documentation, disciplined processes, and timely delivery across all GRC activities.
  • Guide and develop team members' subject‑matter expertise in areas such as ISO 27001, risk assessment, and compliance testing, aligned to organizational priorities and regulatory expectations.
  • Drive effective collaboration between the GRC function and engineering and operations teams to support risk‑based decision‑making and control adoption.
  • Promote a structured, disciplined, and continuous‑improvement‑driven culture within the GRC function.

Cybersecurity Risk Management:

  • Own and enforce the cybersecurity risk management framework and standards, ensuring consistent application across all technology domains.
  • Maintain an accurate, high‑quality cybersecurity risk register, providing clear visibility of material risks, risk ownership, and current treatment status.
  • Provide independent challenge on risk ratings, mitigations, and acceptance decisions.
  • Monitor remediation and escalate ineffective or delayed risk treatment.
  • Enable early risk identification and assessment for new initiatives, system changes, cloud adoption, and third‑party or vendor engagements to prevent avoidable risk introduction.

Compliance & Audit Coordination:

  • Act as the primary coordinator for external cybersecurity audits and assessments, including MCMC CoP, ISO 27001, ITGC, and SOC reports, ensuring effective planning, execution, and stakeholder engagement.
  • Manage audit evidence and responses to ensure audit readiness.
  • Oversee the corrective action process arising from audits and assessments, including issuance of corrective actions, tracking progress, follow‑up, and closure.
  • Enforce compliance with approved cybersecurity policies, standards, and control requirements across the organization, and escalate material non‑compliance as required.

Cybersecurity Control Assurance:

  • Own and operate the cybersecurity control assurance program, providing independent second‑line oversight of control design and operating effectiveness.
  • Define assurance scope, testing methodology, and assessment frequency for key cybersecurity controls (e.g. hardening, MFA, patching).
  • Perform control testing to identify gaps and weaknesses.
  • Issue mandatory corrective actions, track remediation progress, verify effectiveness prior to closure, and escalate overdue or ineffective remediation.
  • Identify and trend repeat control failures or systemic weaknesses, escalating material issues to senior management and relevant governance committees, including the Iron Gate Committee.
  • Provide assurance opinions and recommendations to strengthen control effectiveness, reduce operational risk, and improve cybersecurity governance maturity.

Regulatory & Industry Engagement:

  • Monitor and assess relevant regulatory and industry developments (including NACSA advisories, MCMC directives), evaluating impact on the organization's cybersecurity posture and governance requirements.
  • Own and coordinate cybersecurity‑related regulatory submissions and disclosures, ensuring accuracy, completeness, and timely engagement with regulators.
  • Ensure organizational readiness for regulatory reviews, supervisory assessments, and third‑party examinations by maintaining clear accountability, supporting evidence, and coordinated responses across relevant stakeholders.

Reporting & Metrics:

  • Own and maintain monthly and quarterly cybersecurity governance dashboards covering key risk indicators, compliance status, audit outcomes, corrective actions, and control effectiveness.
  • Provide governance reporting and briefings to management and committees.
  • Define, track, and report governance performance metrics and OKRs, ensuring timely visibility of progress, issues, and emerging risk or control trends.

Role Focus & Operating Model:

  • 30% Strategic governance and risk leadership: Setting governance direction, defining risk posture, and aligning key stakeholders.
  • 40% Cross‑functional enforcement and decision‑making: Enforcing governance requirements, challenging decisions, and escalating issues across engineering and operations.
  • 30% Oversight of execution and delivery quality: Overseeing GRC execution, quality, and team delivery without assuming first‑line ownership.

Baseline Success Measures:

  • Risk governance discipline: ≥95% of material risks have owners and current assessments, with a declining trend in critical and high‑risk findings.
  • Control assurance effectiveness: ≥90% of key controls assessed as planned, with increased control effectiveness and declining repeat or ineffective controls.
  • Remediation discipline: ≥85% of corrective actions closed on time, with improved remediation SLA adherence.
  • Audit & regulatory outcomes: Year‑on‑year reduction in repeat audit findings and 100% on‑time regulatory and audit responses.
  • Governance framework quality: 100% of policies reviewed on cycle, with declining policy exceptions.

Your Traits:

  • Structured and analytical: Applies disciplined thinking to governance, risk, and assurance challenges with strong attention to detail and decision quality.
  • Clear and credible communicator: Effectively conveys risk, controls, and governance decisions to both technical teams and senior stakeholders.
  • Risk-based enforcer: Upholds governance and control requirements while remaining pragmatic and outcome-focused.
  • Execution-driven leader: Drives delivery with clear accountability, disciplined follow-through, and high standards.
  • Highly organized and focused: Manages multiple priorities effectively across strategic and operational demands.
  • Enterprise governance–oriented: Operates confidently within ERM, audit, and regulatory frameworks, aligning cybersecurity with broader governance structures.

Your Merits

Technical Proficiency:

  • Cybersecurity governance & regulation: Strong expertise in ISO 27001, NIST CSF, and/or COBIT, with experience meeting regulatory and compliance requirements (e.g. SOC 2, PCI DSS, MCMC, NACSA).
  • Risk, controls & technical depth: Solid grounding in cybersecurity risk assessment, IT controls, and cloud security, with the ability to challenge and validate controls across infrastructure, applications, and cloud.
  • Policy & control design: Proven ability to develop clear, enforceable cybersecurity policies, standards, and controls aligned to practical implementation.

Experience:

  • Senior GRC experience: 10–15 years of experience across cybersecurity, risk, governance, compliance, or IT audit roles, appropriate to a Head of GRC or equivalent senior leadership position.
  • Enterprise program ownership: Demonstrated ownership of enterprise‑wide cybersecurity risk, compliance, or assurance programs, driving consistent outcomes across the organization.
  • Leadership and influence: Proven ability to influence and challenge senior stakeholders, including Engineering, Infrastructure, and executive leadership (ExCo), on risk, control, and governance decisions.
  • Technical credibility: Background in security operations, security engineering, or closely related technical roles, with comfort engaging deeply with engineering teams on control design, implementation trade‑offs, and risk‑based decisions.
  • Audit and remediation leadership: Hands‑on experience managing internal and external audits, corrective action plans (CAPs), and sustained compliance with recognized security frameworks.
  • Enterprise risk integration: Experience operating within an ERM structure and engaging effectively with risk, audit, and governance functions at enterprise level.
  • Industry exposure: Experience in highly regulated industries (e.g. telco, financial services) is an advantage.

Certifications (Preferred):

  • CISM, CRISC, CISSP (advantage)
  • ISO 27001 Lead Implementer or Lead Auditor

Education:

  • Bachelor's degree in Cybersecurity, Computer Science, or a related discipline.


Job ID: 148349995