Director, Security Compliance & Assurance
Job Description
Tripactions is looking for a Director with experience leading programs to achieve and maintain ISO 27001, PCI DSS, GDPR, SOC 2 and other regulatory and compliance frameworks. This position reports directly to Tripactions's Chief Trust & Security Officer. The role manages all Security Compliance & Assurance activities for Tripactions and works across the company (Product, Engineering, HR, IT, Legal, etc.), performing internal audits, product assessments and other assurance and monitoring activities to ensure that control requirements are implemented and operating effectively in accordance with the relevant regulations and certification or framework requirements. The role also plays a crucial part in engaging with external parties, including auditors and customers, as needed.
The Director, Security Compliance & Assurance role is central to Tripactions's continued effort to establish and expand a trusted compliance posture across the organization. You will work closely with senior leadership, product teams and business functions in a highly visible role with significant impact on the overall direction of the company, and your work will directly enable new commercial opportunities.
As the Director, Security Compliance & Assurance, you will:
- Develop and manage an internal, risk-based, prioritized Compliance & Assurance roadmap covering all applicable laws, regulations and monitoring activities
- Motivate, mentor, challenge, inspire and grow the Compliance & Assurance team
- Lead the team in planned periodic assessments, audits and testing against all applicable security compliance controls, policies and standards
- Communicate findings from assessments and audits to senior leadership and supporting teams
- Develop a unified controls framework to be applied company-wide
- Work closely with cross-functional teams (HR, Finance, Legal and others) to help them understand control gaps and integrate control requirements
- Manage a team that engages directly with Product Engineering and other organizational teams on compliance and audit engagements and assessments
- Perform audit testing and security compliance activities yourself while the team is being built out
- Manage and communicate Compliance & Assurance timelines and the roadmap to supporting teams and leadership
- Drive project activities to ensure requirements and schedules are met on time and within budget
- Build an ongoing compliance and assurance function that maintains oversight of concurrent company-wide programs and initiatives affecting security compliance
- Develop metrics and reporting that demonstrate Compliance & Assurance status and progress
- Report the Compliance & Assurance posture and its effectiveness to management on a scheduled basis
- Work closely with the Security team on audit findings and their remediation
- Provide ongoing guidance and consultation across the organization to promote a progressive and sustainable security and compliance assurance program
- Develop an effective customer assurance strategy and methodology
- Develop an industry-recognized audit methodology
- Use automation to test controls and implement exception reporting
- Develop an automated control-testing strategy using recognized tools and techniques
- Work with Security to select and implement a GRC tool and a centralized audit evidence repository
- Cross-train internal resources and develop team members' skills and expertise
- Integrate changes to laws, regulations and frameworks into day-to-day activities as they arise
Requirements:
- 7-9 years of working experience in data security and compliance
- 3-5 years of security compliance experience in a management role covering PCI DSS, ISO 27001 and SOC 2
- 3-5 years of people management experience (directly managing internal or external teams)
- Experience auditing against GDPR and other privacy laws and regulations
- BS or MS in computer science or a related field
- Expert understanding of PCI DSS, GDPR, ISO 27001 and SOC 2 regulations and frameworks (required)
- Expert understanding of cloud controls and environments
- Expert understanding and demonstrated execution of PCI DSS, GDPR, ISO 27001 and SOC 2 testing and audit procedures (required)
- Strong understanding of, and experience auditing, a cloud environment (AWS)
- Strong understanding of common compliance frameworks such as COBIT, COSO, the ISO 27000 series and HITRUST, and of industry-recognized guidance such as NIST
- A strong foundation in IT solution development and deployment
- Practical understanding of IT security compliance, risk management and information security principles, including access control, network security, information security architecture, information security operations, and leading practices and associated tools in a cloud environment (AWS)
- Strong analytical, diagnostic, critical thinking and project management skills
- Excellent problem-solving, negotiation and decision-making skills
- Strong ability to present data graphically
- Excellent written and oral communication skills, with the ability to tailor communication to audiences of varied technical and cultural backgrounds; strong professional etiquette
- Strong engagement skills (internal and external)
- Demonstrated experience managing compliance activities within a company (not only in a consulting capacity)
- Demonstrated success managing and working with auditors
- Demonstrated success managing and working with internal cross-functional teams and product engineering groups
- Demonstrated success communicating and reporting to senior leadership
- Experience assessing and working with GRC tools
- Demonstrated experience creating compliance policies and standards
- Positive, energetic personality, comfortable in front of groups and customers
- Experience performing integration and acquisition assessments as they relate to compliance requirements
- Demonstrated experience automating controls and applying an effective control automation strategy that leverages exception reporting
- CISA, CISM, CISSP, CSA CCSK, (ISC)² CCSP or another information-security designation (required)