Information Security Governance Leader

Guardian

5 - 10 years

Chennai

Posted: 06/03/2026

Job Description

Role Summary

The Information Security Governance (ISG) Leader is a senior leadership role that shares ownership with US stakeholders for establishing, maintaining, and maturing the enterprise-wide information security governance framework. This individual will serve as a key advisor to the BISO and senior leadership, ensuring the organization's security posture is aligned with regulatory obligations, industry standards, and business objectives. The role spans three core pillars: risk and compliance, policy and standards, and audit and assurance.

Key Responsibilities

Information Security Governance & Policy Management

  • Own and maintain the cybersecurity policy framework, ensuring policies are current, effective, and enforceable.
  • Lead annual policy reviews and updates to reflect regulatory, business, and threat‑landscape changes.
  • Ensure policies and standards align with applicable laws and regulations (e.g., NYDFS) and industry frameworks (e.g., NIST).
  • Provide governance guidance on policy interpretation and applicability across business initiatives.

Risk Management & Security Assurance

  • Provide governance oversight for security risks introduced through new initiatives, platforms, or architectural changes.
  • Review architecture diagrams and security design / threat assessments to validate security‑by‑design principles.
  • Identify and document risks where control gaps exist and ensure appropriate mitigation plans are defined and tracked.
  • Support Third‑Party Risk Management (TPRM) by evaluating security integration and control effectiveness.

Technology & Innovation Governance

  • Act as a security governance advisor for technology governance and innovation governance processes.
  • Review and assess submissions through the Tech Governance process, including pre‑innovation, contracts, and design decisions.
  • Partner with architecture, legal, and risk teams to ensure security requirements are embedded early in the lifecycle.

Regulatory, Audit & Customer Assurance

  • Serve as a primary point of contact for customer and client security engagements, including:
    • SOC 2 and assurance responses
    • Security questionnaires and RFP responses
  • Support regulatory exams and internal/external audits by providing governance artifacts, evidence, and control narratives.
  • Ensure consistent, defensible security governance responses across customers and regulators.

Metrics, Reporting & Executive Communication

  • Define, collect, and report security governance metrics across the organization.
  • Lead the automation of security metrics to improve accuracy and scalability.
  • Prepare and present metrics and insights to Security Working Groups and Risk Committees.
  • Track and report on key indicators such as phishing campaign results and security awareness effectiveness.

Security Awareness & Culture

  • Own and oversee mandatory awareness training programs.
  • Lead and expand the security awareness ecosystem, including:
    • Security Champions program
    • Cybersecurity Awareness Month initiatives
  • Design, deploy, and analyze phishing simulation campaigns to strengthen workforce resilience.
  • Foster a culture of shared accountability for information security across the enterprise.

Qualifications & Experience

  • Experience: 10+ years of experience in information security, Governance Risk and Compliance (GRC) roles
  • Certifications: CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CISA (Certified Information Systems Auditor) are highly preferred.
  • Framework Knowledge: Deep understanding of ISO 27001, NIST, and SOC 2.
  • Soft Skills: Strong leadership, communication, and ability to influence stakeholders without direct authority

Location:

This position can be based in any of the following locations:

Chennai

Current Guardian Colleagues: Please apply through the internal Jobs Hub in Workday

About Company

Guardian Life Insurance Company of America, commonly known as Guardian Life, is a mutual life insurance company headquartered in New York City. Founded in 1860, it provides a variety of financial products and services, including life insurance, disability insurance, dental and vision plans, retirement plans, and employee benefits. Guardian Life focuses on helping individuals, families, and businesses secure their financial futures by offering tailored insurance solutions. The company is known for its strong customer service and financial stability, with a long history of providing life and health insurance to its policyholders.
