Cybersecurity Jobs List logo

Cybersecurity Jobs List

  1. Home
  2. Jobs
  3. United States
  4. Illinois
  5. Northfield
  6. Compliance
  7. Senior Cybersecurity Specialist GRC
CO
College of American Pathologistscap.org

Senior Cybersecurity Specialist GRC

$118k – $150k YearlyNorthfield, Illinois, United StatesFull-time10h ago

Who we are? As the world's largest organization of board-certified pathologists and leading provider of laboratory accreditation and proficiency testing programs, the College of American Pathologists (CAP) serves patients, pathologists, and the public by fostering and advocating excellence in the practice of pathology and laboratory medicine worldwide.

Our Culture

  • CAP employees make a meaningful difference by partnering with colleagues customers and members on challenging and rewarding work
  • CAP provides its employees with an energetic and collaborative work environment and encourage opportunities to further develop their skills—offering reimbursement for educational programs and participation in events that enhance your skills
  • We offer a generous compensation and benefits package, 401K, and more -- visit Careers at the CAP for more details

Brief Description The Senior Cybersecurity Specialist – Governance, Risk & Compliance (GRC) provides senior-level leadership and subject matter expertise in the development, governance, and oversight of the organization’s security risk and compliance program.

This role owns and maintains the enterprise security governance framework, policy lifecycle, and risk management processes. The Senior Cybersecurity Specialist – GRC establishes control requirements, ensures traceability to regulatory and framework obligations, and advises business and technology stakeholders on security risk and compliance matters.

Operating in an advisory and governance capacity, this role does not perform operational execution of controls. Business and technology owners retain responsibility for implementation and risk acceptance decisions.

The Senior Cybersecurity Specialist – GRC:

  • Owns and maintains the enterprise security risk register and policy lifecycle.
  • Defines and governs security standards aligned to the enterprise security framework and applicable regulatory requirements.
  • Facilitates risk assessments and communicates security risks in business terms.
  • Coordinates audit and compliance activities and oversees remediation tracking.
  • Establishes and governs third-party security risk management practices.
  • Leads governance scoping activities for initiatives impacting the GRC domain.
  • Develops and reports key performance indicators related to governance, risk, and compliance maturity.
  • Escalates material risks through established governance channels and supports formal risk documentation processes.

Source of Supervision Reports directly to: Senior Manager Security Operations

Direction Exercised The Senior Cybersecurity Specialist – Governance, Risk & Compliance provides governance guidance and subject matter leadership to:

  • Business unit leaders and system owners
  • Technology and infrastructure teams
  • Application development teams
  • Project managers and enterprise initiatives
  • Managed service providers
  • Third-party vendors and external partners
  • Internal audit and compliance stakeholders

Specific Duties

Primary duties and responsibilities:

Governance & Policy Management

  • Owns and maintains the enterprise information security policy lifecycle, including development, review, approval coordination, and periodic updates.
  • Develops and maintains security standards and control documentation aligned to the enterprise security framework and applicable regulatory requirements.
  • Ensures policies and standards are clearly communicated and accessible to business and technology stakeholders.
  • Partners with leadership to ensure security governance structures align with organizational objectives.

Risk Management & Advisory

  • Owns and maintains the enterprise security risk register.
  • Facilitates risk assessments in collaboration with business and technology stakeholders.
  • Communicates security risks in clear business terms, including likelihood, impact, and recommended mitigation strategies.
  • Escalates material risks through established governance channels.
  • Supports the maturation and formalization of enterprise risk acceptance processes.

Compliance & Audit Coordination

  • Coordinates enterprise security audit activities, including internal and external assessments.
  • Serves as primary liaison for security-related audit inquiries and evidence collection.
  • Oversees tracking and reporting of remediation commitments resulting from audits and assessments.
  • Ensures control documentation supports traceability to regulatory and framework requirements.

Third-Party Risk Governance

  • Establishes and maintains third-party security risk management standards and procedures.
  • Reviews and evaluates vendor security documentation and assessment results.
  • Advises business owners on third-party security risks and required mitigating controls.
  • Tracks remediation commitments and risk documentation related to third-party engagements.

Practice Ownership and Project Oversight

  • Owns and maintains security standards, control requirements, and guidance within the assigned security practice domain.
  • Leads security scoping activities for enterprise initiatives involving controls within the assigned practice area.
  • Defines security requirements, deliverables, and acceptance criteria for initiatives impacting the practice domain.
  • Oversees alignment of implementation plans to established security standards.
  • Collaborates with project managers and business stakeholders to ensure security milestones are defined, tracked, and documented.
  • Escalates material deviations from established standards and supports formal risk documentation where appropriate.

Metrics & Reporting

  • Develops and maintains key performance indicators and metrics related to the assigned security practice domain.
  • Provides periodic reporting on control maturity, risk posture, and initiative progress.
  • Communicates practice-level performance insights to security leadership and relevant stakeholders.

Contacts The Senior Cybersecurity Specialist has contact with:

  • Vendors (frequently)
  • Staff members of other departments (frequently)
  • Managed services provider resources (frequently)
  • Legal counsel (occasionally as required)
  • IS cross-functional teams (daily)
  • IS and corporate management (occasionally as required)
  • Various CAP business units (frequently)

Knowledge/Skills Required/Preferred

Personal:

  • Strong written and verbal communication skills
  • Ability to influence without direct authority
  • Strong analytical and critical thinking skills
  • Ability to translate technical risk into business impact
  • High attention to detail and documentation discipline

Professional:

  • Strong understanding of enterprise risk management principles
  • Experience developing and governing policy frameworks
  • Experience coordinating audits and regulatory assessments
  • Ability to manage multiple initiatives simultaneously
  • Proven ability to lead through influence in matrixed environments

Technical:

  • Familiarity with enterprise security frameworks (e.g., NIST)
  • Understanding of regulatory and compliance obligations
  • Knowledge of risk assessment methodologies
  • Understanding of third-party risk management practices
  • Working knowledge of application, infrastructure, and cloud security principles sufficient to assess control adequacy

Education / Experience

Education:

  • Bachelor’s degree in information systems, cybersecurity, business, or related field, or equivalent experience.

Experience:

  • Minimum 8–10 years of experience in information security, governance, risk management, compliance, or related discipline.
  • Demonstrated experience leading policy development, risk assessments, and audit coordination activities.
  • Experience working within matrixed organizations.

Certifications (Preferred):

• CISSP

• CISM

• CISA

• CRISC

Additional Criteria

  • Schedule flexibility to allow for availability required during the CAP’s non-business hours for activities such as resolution of critical issues or outages, managing off-hours maintenance, meetings with offshore teams, or other critical business needs.
  • Travel required when necessary; expected to be less than 10%.
  • This position requires candidates to reside within 75-miles of Northfield, IL and fulfill in office requirements.

Salary: $118,000 - $150,000

Equal Opportunity Employer The CAP is an equal opportunity/affirmative action employer, providing equal employment opportunities (EEO) to all employees and qualified applicants for employment without regard to race, creed, color, religion, sex, gender identity and/or expression, national origin, age, ancestry, disability or genetic information, military status, sexual orientation, marital status, citizenship status, order of protection status, homelessness, or any other characteristic protected by federal law and the applicable state and local laws governing nondiscrimination in employment in every location in which the company has facilities. Applicants have rights under Federal Employment Laws: Family and Medical Leave Act Equal Employment Opportunity Employee Polygraph Protection Act

Categories

Compliance
Cybersecurity
Governance, Risk, and Compliance (GRC)
Information Security
Risk Management

Skills

Application Security
Audit Coordination
CISA
CISM
CISSP
Cloud Security
Governance, Risk, and Compliance (GRC)
Information Security
Infrastructure Security
NIST
Policy Lifecycle Management
Regulatory Compliance
Risk Assessment
Risk Management
Third-Party Risk Management