Cyber Governance, Risk & Compliance Manager

Job Location

San Jose, CA - USA

Yearly Salary

$181,896 - $236,496

Vacancy

1 Vacancy

Job Description

Definition

Under general direction, the Cyber Governance, Risk & Compliance Manager develops, implements, manages, and maintains VTA's cyber security governance, risk, and compliance (GRC) programs.


Distinguishing Characteristics

This single-position classification is characterized by full managerial responsibility for cyber security compliance and regulatory initiatives within VTA. The incumbent oversees GRC strategy, incident response, cyber policy enforcement, and risk mitigation activities across all technical environments. This position requires significant expertise in security frameworks (e.g., NIST, ISO 27001), regulatory compliance, and real-time threat monitoring, as well as the ability to lead cross-functional collaboration across business units and external agencies. The incumbent leads cyber policy implementation, risk management, and incident response efforts to protect the agency's digital assets and ensure compliance with industry and regulatory standards.


The role may involve sensitive investigations related to digital security incidents.

Ideal Candidate

The ideal candidate for the Cyber GRC Manager position is a strategic, detail-oriented professional with a strong background in cybersecurity governance, risk management, and regulatory compliance. They bring a deep understanding of cybersecurity frameworks such as NIST, ISO/IEC 27001, CIS, and COBIT, and can translate complex security principles into actionable business practices.

They are adept at leading cross-functional teams to identify, assess, and mitigate information security risks, and have a proven track record of developing and maintaining GRC programs that align with enterprise objectives and evolving regulatory requirements. This candidate is comfortable presenting to executive leadership, audit committees, and regulatory bodies, offering both high-level strategy and operational clarity.

Highly Desired Qualities and Experience:

  • 7-10 years of experience in cybersecurity, with 3-5 years focused on governance, risk, and compliance.
  • Strong knowledge of data privacy laws and standards (e.g., HIPAA, GDPR, CCPA, FISMA).
  • Experience leading vulnerability management practices in a transit environment.
  • Hands-on experience with risk assessment methodologies, security audits, and compliance reporting.
  • Expertise in policy development, control frameworks, vendor risk management, and third-party assessments.
  • Familiarity with tools such as Archer GRC, ServiceNow GRC, RSA, or similar platforms.
  • Relevant certifications such as CISSP, CISA, CRISC, CGEIT, or CISM are strongly preferred.
  • Excellent communication and interpersonal skills to collaborate across IT, legal, internal audit, and business teams.
  • Demonstrated ability to manage multiple projects and prioritize effectively under tight deadlines.

Leadership & Culture Fit:

  • Forward-thinking with a proactive approach to anticipating and mitigating risks.
  • A mentor and team leader capable of guiding junior analysts and fostering a culture of security awareness.
  • Values integrity, transparency, and accountability in every aspect of the role.

About the System Safety & Security Division

This division oversees VTA's safety, transit system security, and law enforcement functions, which include oversight of the Protective Services Department, management of contracted security services provided by Allied Universal Security, administration of VTA's contract with the Sheriff's Department for sworn law enforcement personnel, and Cyber Security.


About VTA

The Santa Clara Valley Transportation Authority employs more than 2,000 people dedicated to providing solutions that move Silicon Valley. Unique among transportation organizations in the San Francisco Bay Area, VTA is Santa Clara County's authority for transit development and operations (light rail and bus), congestion management, transportation-related funding, highway design and construction, real estate and transit-oriented development, and bicycle and pedestrian planning. With local, state, and federal partners, VTA works to innovate the way Silicon Valley moves and provide mobility solutions for all.

Santa Clara Valley Transportation Authority (VTA) is an independent special district that provides sustainable, accessible, community-focused, innovative, and environmentally responsible transportation options promoting the region's vitality. VTA provides bus, light rail, and paratransit services and participates as a funding partner in regional rail services including Caltrain, Capitol Corridor, and the Altamont Corridor Express.

To learn more go to: .


Our Community

Santa Clara County, sometimes referred to as Silicon Valley, is unique for its innovation, natural attractions, and social diversity. With numerous amenities and perfect weather, it has long been considered one of the best places in the United States to live and work. A calendar of festivals and celebrations supports the community spirit. Nearby open space provides easy access to mountain parks, trails, lakes, streams, and beautiful coastal beaches. San José has received accolades for its vibrant neighborhoods, healthy lifestyle, and diverse attractions from national media including Business Week and Money magazines.

The county's population of 1.9 million is the largest in Northern California and is rich in ethnic culture and diversity. Enjoy access and the option to explore our closely neighboring counties of San Francisco and Alameda.


Classification Bargaining Unit: Non-Represented


Application Deadline: Posting will close 7/25/2025 at 11:59pm

Interviews are tentatively scheduled for the week of August 11, 2025 or August 18, 2025



Essential Job Functions

Typical Tasks

  • Develops and implements protocols to safeguard digital files and information systems against unauthorized access, modification, and destruction;
  • Ensures adherence to established cyber security protocols across the agency;
  • Plans, assigns, directs, manages, and reviews the work of assigned subordinate staff;
  • Selects, supervises, trains, motivates, evaluates, and disciplines staff;
  • Supervises real-time monitoring of VTA's networks, applications, email systems, and server infrastructure to detect and respond to security intrusions;
  • Coordinates incident response efforts and ensures effective resolution of security breaches;
  • Supports the enhancement of VTA's Cyber Security program in alignment with industry standards such as the NIST Cyber Security Framework, ISO 27001, CIS Controls, and MITRE ATT&CK;
  • Collaborates with internal teams and external partners on cyber security best practices, compliance requirements, and incident investigations;
  • Oversees the implementation and maintenance of cyber security policies and a comprehensive controls framework to protect technical systems and information assets;
  • Conducts ongoing risk assessments across the agency to identify and mitigate cyber security threats, ensuring 24/7 vigilance in identifying, mitigating, and responding to threats;
  • Recommends and implements risk management strategies to strengthen cyber resilience;
  • Plans and deploys cyber security measures and controls across VTA's infrastructure;
  • Evaluates and recommends security tools, technologies, and countermeasures to mitigate emerging threats;
  • Manages internal and external cyber security audits;
  • Interprets audit findings, documents results, and oversees the implementation of corrective actions;
  • Leads investigations into security breaches, conducts root cause analyses, and develops incident response plans;
  • Implements security-by-design principles using frameworks such as OWASP;
  • Ensures timely and effective incident response to minimize impact on VTA's operations and reputation;
  • Ensures compliance with VTA policies and procedures regarding equal opportunity and discrimination and harassment prevention;
  • Performs related duties as required.

Minimum Qualifications

Employment Standards

Sufficient education, training, and experience in the field of strategic planning and policy and program development which demonstrates possession of the following knowledge and abilities.

Development of the required knowledge, skills, and abilities is typically obtained through a combination of training and experience equivalent to graduation from an accredited college or university with a four-year degree in computer science, information technology, cyber security, or a related field; and six (6) years of increasingly responsible experience in cyber security operations, including significant involvement in the implementation and oversight of compliance frameworks, risk mitigation strategies, and incident response procedures for a public or private sector organization.

Supplemental Information

Knowledge of:

  • Industry-standard cyber security frameworks (e.g., NIST, ISO 27001, CIS Controls, MITRE ATT&CK);
  • Federal and state laws and regulations relevant to information security;
  • Cyber security auditing, reporting, and risk management techniques;
  • Security technologies and tools, including intrusion detection, SIEM, encryption, endpoint protection, and vulnerability management;
  • Cyber forensics, malware analysis, and incident response procedures;
  • Principles of information governance, network security architecture, and cloud security models;
  • Data privacy laws and regulations (e.g., HIPAA, CCPA, CPRA, GDPR);
  • Principles and practices of supervision, management, conflict resolution, and employee training and development.


Ability to:

  • Plan, direct, supervise, and evaluate the work of professional and technical personnel;
  • Stay abreast of federal directives related to data privacy and information security;
  • Define problem areas; evaluate, recommend, and implement solutions to complex issues and problems;
  • Design, manage, and enforce effective cyber security governance frameworks and protocols;
  • Identify, analyze, and mitigate digital threats across enterprise systems;
  • Lead investigations, conduct forensic reviews, and implement response plans post-incident;
  • Interpret and apply complex regulatory requirements to VTA's systems and operations;
  • Develop and deliver cyber security training and awareness initiatives;
  • Effectively communicate security risks and solutions to technical and non-technical audiences;
  • Collaborate across departments and with external vendors to ensure cohesive security standards;
  • Establish and maintain cooperative working relationships with those contacted in the course of work;
  • Maintain composure and sound judgment during high-pressure security incidents.

Working Environment/Conditions and Physical Demands

Work Environment and Physical Effort:

Good Conditions

Primarily Sedentary Work

Work Locations:

Office or similar indoor environment: Frequently

Exposures:

Minimal exposure to environmental factors


What's in it for You

Health: VTA participates in a CalPERS-sponsored medical plan with VTA contribution to employee and dependent health insurance premiums. Employees pay a monthly contribution of any amount in excess of the Kaiser Bay Area Family rate.

Flex Spending Account: $300 employer-funded Health FSA for eligible employees

Vision: VSP full premium for employees and eligible dependents

Dental: Delta Dental full premium for employees and eligible dependents

Leave (varies per union): 17 days of vacation (accrued), 80 hours of sick time (accrued), 12 paid holidays per year, and 1 floating holiday after 1st year.

Retirement:

- Participation in CalPERS

  • Classic Members:2%@55

  • PEPRA Members:2%@62

- 457 Deferred Compensation Plan (voluntary)

  • 457 pre-tax

  • 457 Roth

  • Self-directed brokerage account option for qualifying employees

- Retiree medical coverage for eligible employees, with VTA contributions to the retiree's medical premium

Additional perks:

- All active full-time employees and their eligible dependents are eligible for transit passes for use over VTA lines, including VTA Paratransit services.

- Employee Assistance Program (EAP) is available to each employee, eligible dependent, and household member 24 hours a day, seven days a week.

- Tuition Reimbursement

- Professional Development Fund

- Wellness Programs





Required Experience:

Manager

Employment Type

Full-Time
