Manager, GRC - Clayco
Overland, MO
About the Job
Clayco is a full-service, turnkey real estate development, master planning, architecture, engineering, and construction firm that safely delivers clients across North America the highest quality solutions on time, on budget, and above and beyond expectations. With $5.8 billion in revenue for 2023, Clayco specializes in the "art and science of building," providing fast track, efficient solutions for industrial, commercial, institutional, and residential related building projects.
The Role We Want You For
Under the direction of the CISO, the Governance, Risk Management, & Compliance (GRC) Manager is a process-oriented, risk-focused leadership role that ensures all risk exposure to Clayco information assets is identified, documented, communicated, and treated to an acceptable level across the Clayco organization. This role also manages the GRC team’s efforts to educate Clayco employees on current user-relevant threats and risks, how to recognize them, and how to respond, including simulated testing (such as phishing exercises) to measure retention and identify gaps.
The GRC Manager will also regularly evaluate operating environments, processes, capabilities, controls, and configurations for their compliance levels relative to Clayco’s current policies, adopted Frameworks and Standards, and any applicable Laws, Regulations, or contractual commitments. This includes contribution to our quarterly assessment and reporting of Clayco’s Cybersecurity Posture Maturity.
Any travel is usually planned in advance, but issues may arise which warrant immediate travel to one or more satellite locations.
The Specifics of the Role
- Ensures that all identified risks, vulnerabilities, non-compliance, and misconfigurations are captured, assessed, prioritized, and communicated in a timely and effective manner so that foreseeable negative impact to the business is avoided
- Manages and contributes to the Enterprise Risk Register, ensuring Risk statements are documented, Risks are entered with appropriate quantification, rating, and tracking with regular reporting on high-severity risks to leadership
- Manages and contributes to the Controls Catalog to ensure that control objectives align with our adopted Frameworks and Standards as well as any Regulatory or contractual requirements
- Manages and contributes to Third-Party Risk Management (TPRM) by evaluating vendor risk, maintaining vendor assessments, and managing the processes that ensure appropriate risk treatments are communicated to and executed by vendors so that risk is reduced to acceptable levels
- Manages and contributes to the analysis, benchmark testing, monitoring, and occasional audit of production Systems and Services configuration and control deployment to determine compliance with Policies, Regulations, and contractual commitments
- Manages and contributes to the tracking, monitoring, and reporting on performance metrics and status of remediation action plans including the escalation of inadequate response
- Manages and contributes to the Security Awareness Program to include curation of online training content, Phishing simulation campaigns, and coordination of engagement events and associated communication to the user base for Cybersecurity-related special events
- Coordinates and contributes to Third-Party audits and assessments to gather and submit discovery and transactional responses and artifacts as required per engagement
- Identifies and reports findings, trends, and activities that may indicate a need for change in policies, procedures, internal controls, or training
- Collaborates cross-functionally with other Information Technology teams and Business Stakeholders across the Organization
- Disseminates changes in related Regulations or Security Frameworks and Standards, and the application of such changes to current policies, procedures or processes to appropriate staff
- Contributes to major organizational initiatives to ensure new Systems and Services align with existing policies, regulations, and contractual commitments
Requirements
- 8+ years’ experience in GRC, Information Security, or Audit & Compliance roles
- 3+ years’ experience in a Management or Lead capacity within GRC or similar discipline
- Bachelor’s degree in Information Technology, Cybersecurity, or related field (Master’s preferred) or equivalent experience.
- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk & Information Systems Control (CRISC), GIAC Critical Controls Certification (GCCC), and Certified NIST Cybersecurity Framework 2.0 Lead Implementer (CSF LI); current status or obtained within 12 months of assuming role
- Strong understanding of requirements to ensure effectiveness and compliance with all applicable Regulations, Frameworks, and Standards (ITAR/EAR, CCPA/CPRA, NIST 800-171 & CSF, CIS Critical Controls as well as familiarity with PCI DSS and HIPAA)
- Strong experience leveraging auditing principles and methods to evaluate policies, processes, Systems, and Services to identify business risks and control gaps
- Experience drafting and implementing policies and processes to ensure compliance
- Experience in Enterprise Client-Server, Cloud, & IoT Hybrid environments and knowledge of how various technologies and processes interact and behave.
- Experience with administering compliance programs and maintaining a Risk Register and related GRC tools to track and communicate identified Risks and recommended treatments
- Knowledge of statistics, reporting and analytical tools to analyze and solve complex problems
- Operates with strong integrity and the ability to handle projects of a sensitive and confidential nature
- Exceptional communication skills, capable of translating technical details into business insights for diverse audiences
- Ability to thrive in a fast-paced environment
Some Things You Should Know
- No other builder can offer the collaborative design-build approach that Clayco does.
- We work on creative, complex, award-winning, high-profile jobs.
- The pace is fast!
Why Clayco?
- Best Places to Work – St. Louis Business Journal, Los Angeles Business Journal, Phoenix Business Journal.
- ENR – Top Midwest Contractors (#1), Top Design-Build Contractors (#4), Top 400 Contractors (#23), Top Green Builders (#5).
- Competitive Annual Salary: Based on qualifications, skills, training, experience, and location.
- Discretionary Annual Bonus: Subject to company performance and individual contribution.
- Comprehensive Benefits Package Including: Medical, dental and vision plans, 401k, generous PTO and paid company holidays, employee assistance program, flexible spending accounts, life insurance, disability coverage, learning & development programs and more!