Manager - Information Security Risk Management

Hearst Technology, Inc, Information Security Office seeks a Manager, Information Security Risk Management. The Manager, Information Security Risk Management is responsible for assessing risk and managing risk information for the organization and key business units. This position assesses information security risk within essential technology functions, key business processes, documentation, and collaborates with key business leaders to assist in reducing risk and maturing the overall control environment. This position will also support Audit and Compliance functions within Hearst, focusing on PCI and HIPAA.

Team Alignment: Governance, Risk, and Compliance (GRC) Team. The GRC Team is multi-faceted and focuses on driving business value. Our mission is to establish an integrated program that ensures the overall effectiveness of capabilities that impact information security across business units globally.

• Perform security risk reviews, risk assessments and gap assessments on key business processes and new and existing technologies. Subsequently, work with various business units, as needed, to ensure controls are adequate, appropriate, and effective and that mitigation and remediation plans are in place.
• Maintain the IT risk register and risk dashboard keeping risks, and their response plans up to date; will be required to work with cross-functional teams and businesses.
• Prepare detailed recurring risk management reports with associated metrics.
• Support the implementation of a risk program including enhancing processes supporting accountability, exception requests, and overall risk reduction in accordance with NIST and COBIT Cybersecurity frameworks.
• Support vendor due-diligence process and help define overall third-party risk management efforts.
• Support risk-focused governance entities such as forums and steering committees.
• Support internal and external audit processes for relevant compliance areas including NIST CSF, NIST 800-53, PCI-DSS, HIPAA, SOX, and other external and internal requirements.
• Support key capabilities and processes across the GRC function in support of the Hearst Information Security Office using an Agile methodology approach to delivering work products and key services.
• Work collaboratively with regional and global partners in other functional units; ability to navigate a complex organization; to influence and lead people across cultures at a senior level. Collaboratively interface with global IT and business partners to provide guidance and support.
• Design and implement improvements in risk-related documentation.
• Other related duties as assigned.

Who You Are:  As a mid-level position, comfort and experience with all aspects of governance, risk, and compliance is required.

Technical Skills

• Experience with IT governance, risk, and compliance management in a large global environment, while working with geographically dispersed, multidisciplinary teams.
• Experience conducting risk assessments and managing risk across departments and functions.
• Strong foundation in PCI and HIPAA compliance requirements and testing.
• Familiarity with an integrated risk management platform.
• Familiarity with security frameworks, particularly NIST and COBIT Cybersecurity Frameworks and HITRUST.
• Basic understanding and knowledge of technical fundamentals such as networking concepts, cloud computing, application development, and security best practices.
• Proficiency with Word, Excel, PowerPoint, JIRA, SharePoint.
• Experience with GRC and risk management platforms such as Prevalent and TruOps is desired.

Soft Skills 

• Strong work ethic with attention to detail and demonstrated analytical abilities.
• Attention to detail, verbal and written communication, and initiative; able to apply constructive feedback to enhance managing risk.
• Strong presentation skills with the ability to articulate complex problems and solutions through concise and clear messaging.
• Self-motivated with excellent planning and organizational skills; and the ability to prioritize tasks to meet deadlines and effectively manage changing priorities.
• Professional customer orientation with a strong commitment to providing a high standard of customer satisfaction.
• Ability to deliver client-ready documentation and participate in relevant client meetings; able to work across teams effectively and efficiently.
• Working understanding of project management principles, processes, and documentation.
• Ability to collaborate with internal and external stakeholders.

Qualifications

• Bachelor's Degree in Information Technology, Computer Science, or equivalent.
• Minimum 5 years of relevant experience in a risk management role with at least 2 years of practical experience in Audit and Compliance.
• Industry standard certification such as CISA, CRISC, CISM, ARM, CISSP, ISO 27001, ISO 27005 is desired.

In accordance with applicable law, Hearst is required to include a reasonable estimate of the compensation for this role if hired in New York City.  The reasonable estimate, if hired in New York City, is $135,000 - $150,000.  Please note this information is specific to those hired in New York City.  If this role is open to candidates outside of New York City, the salary range would be aligned to that specific location.  A final decision on the successful candidate’s starting salary will be based on a number of permissible, non-discriminatory factors, including but not limited to skills and experience, training, certifications, and education.  Hearst provides a competitive benefits package, including medical, dental, vision, disability and life insurance, 401(k), paid holidays and paid time off, employee assistance programs, and more.