Lead Governance Risk & Compliance Auditor

Position Summary

The Lead Governance Risk & Compliance Auditor position is responsible for evaluating conformance of information security safeguards with security and privacy control frameworks, laws, policies, and customer requirements. This position is part of the Risk & Compliance team, segregated from other business units in order to maintain objectivity in its audit oversight role. This position can work onsite at our corporate campus in Neenah, WI, hybrid or fully remote.

Job Responsibilities

• Leads internal and external audits and risk assessments for SOC 2 Type II, ISO 27001, PCI-DSS and other standards. Evaluates suitability of security measures to protect company information, recommends improvements, and issues deficiency notices as needed. Evaluates, monitors, and consults on resulting corrective action plans and remediation efforts. 
• Coordinates and manages the completion of penetration tests with external consultants and internal resources, and the development, implementation, and monitoring of related corrective action plans, and distribution of resulting reports to interested parties. 
• Develops and reviews policies, guidance, and training for information security, and provides consulting services promoting overall achievement of corporate security objectives and compliance with regulatory and customer requirements. 
• Maintains security incident response plans and metrics. Leads evaluation of security incident reports, and execution of incident response efforts, including task management, resource coordination, after action reviews, and incident documentation. Participates in business continuity efforts by leading annual security incident tabletop exercises, generating a post-exercise review, and by driving preparation of business impact assessments. 
• Advises and assists with achieving compliance with federal and state privacy and information security laws, including California Consumer Privacy Act (CCPA). 
• Assesses information security and privacy practices of vendors/suppliers to ensure company requirements are being met.  
• Reviews and advises legal team on information security requirements in proposed customer and vendor contracts. 
• Advises on and responds to customer requests for information about the company’s security strategy and practices. 
• Evaluates external environment trends in threats, technology, security, and compliance. Recommends changes to risk profile, policies, procedures, and other guidance. Produces and performs information security training for associates. Promotes company awareness of information security. 
• Triages security policy exceptions. Evaluates and consults on the business risks and proposed compensating controls. Follows up on approved exceptions expiring.  
   

Qualifications

Experience

• 5+ years' experience in an information/data security role. 
• Experience with SOC 2 Type II, ISO 27001, and privacy frameworks, designing controls, and auditing to the frameworks. 
• Experience addressing security and compliance terms in commercial contracts. 
• Experience completing security questionnaires and evaluating vendor assessments. 
• Experience using GRC tools, such as AuditBoard. 

Education

• Bachelor’s degree in computer science, information security, or related field. 
• CISSP, CRISC, CISM, GIAC, and/or CEH certification preferred. 

Other Skills/Qualifications

• Outstanding interpersonal, written and verbal communication and presentation skills. 
• Strong analytical, problem-solving, and conflict management skills. 
• A curious, courageous, and practical mindset that can balance compliance with ethical and business needs. 
• Eager to gain a comprehensive understanding of the business. 
• Ability to work cross-functionally, with many teams, including sales, infrastructure, security, and product teams. 
• Ability to influence and lead business partners and supporting teams. 
• Knowledge of risk management concepts, such as risk appetite/tolerance, risk mitigation, compensating controls, etc. 

Physical Requirements

Work is performed primarily in a standard office environment.  Work involves operation of personal computer equipment for extended periods of time.