Senior Cybersecurity Governance, Risk and Compliance (GRC) Manager

Worldwide Salaried Open

Description

  • Own and evolve BECU’s enterprise-wide Cybersecurity Governance, Risk & Compliance (GRC) program, ensuring every cyber risk is visible, quantified, and woven into BECU’s broader enterprise risk strategy.
  • Architect and fully operationalize BECU’s PCI-DSS compliance program across all payment channels—card-present, e-commerce, mobile, and emerging fintech partnerships—translating the standard’s 12 requirements into repeatable controls, evidence libraries, and automated dashboards.
  • Translate complex federal and state regulations (FFIEC, GLBA, SOX, PCI DSS, NIST CSF) into plain-language policies, standards, and control procedures that business, IT, and third-party teams can execute without friction.
  • Serve as the authoritative voice on cyber risk for senior leadership, board committees, and regulators; deliver crisp risk briefings, heat-maps, and trend analyses that influence strategic decisions and capital allocation.
  • Build and maintain the enterprise Cyber Risk Register—cataloging threats, vulnerabilities, control gaps, and residual risk scores—then drive remediation road-maps that balance security rigor with member experience and operational agility.
  • Design KPIs and KRIs that measure control effectiveness, incident trends, and compliance posture; automate collection via GRC platforms and present actionable insights to executives and auditors on a weekly cadence.
  • Provide “credible challenge” to control owners across business lines, IT, and third-party vendors; conduct deep-dive assessments, tabletop exercises, and root-cause analyses that turn audit findings into measurable improvements.
  • Partner with Legal, Compliance, and Internal Audit to manage regulatory examinations, external audits, and third-party attestations—ensuring zero surprises and sustained compliance with evolving mandates.
  • Lead cross-functional working groups to embed security-by-design into product development, vendor onboarding, cloud migrations, and digital transformation initiatives.
  • Oversee exception management workflows—documenting risk acceptance, mitigation timelines, and residual exposure—while maintaining an auditable trail for examiners and senior management.
  • Drive enterprise security awareness and culture change by collaborating with HR and Corporate Communications to create engaging training content, phishing simulations, and metrics that prove behavioral improvement.
  • Continuously refine policies, standards, and guidelines to reflect emerging threats, new technologies (e.g., open banking APIs, real-time payments), and BECU’s strategic roadmap.
  • Mentor junior GRC analysts and cultivate a center of excellence that elevates cybersecurity maturity across the credit union ecosystem.
  • Champion automation—leveraging GRC tools, SOAR, and data analytics—to reduce manual effort, accelerate evidence collection, and scale oversight as BECU grows beyond 1.5 million members and $30 billion in assets.
  • Influence vendor risk management by defining security requirements in RFPs, conducting due-diligence assessments, and monitoring ongoing compliance through continuous control monitoring dashboards.
  • Ensure seamless integration between cybersecurity risk and enterprise risk functions, enabling a unified view that supports capital planning, insurance decisions, and board reporting.

Requirements

  • Bachelor’s degree in Information Security, Computer Science, or related field (or equivalent experience) plus 7+ years of progressive cybersecurity, compliance, or IT audit experience, including hands-on ownership of PCI DSS compliance and Cardholder Data Environment (CDE) controls.
  • Deep, practical expertise with GRC frameworks—FFIEC, GLBA, PCI DSS, SOX, NIST CSF—and proven ability to operationalize them in a complex, highly regulated enterprise.
  • One or more advanced certifications: CISSP, CCSP, CISM, GIAC, CISA, CRISC, PCIP, ISA, or QSA (or equivalent) strongly preferred.
  • Demonstrated success influencing senior stakeholders, translating technical risk into business impact, and driving cross-functional remediation without formal authority.
  • Hands-on proficiency with GRC platforms, risk quantification methodologies, and automation of evidence collection, reporting, and exception workflows.

Benefits

  • Target pay range of $152,300–$186,100 annually (full range $118,200–$220,200) plus performance-based incentives tied to risk-reduction and compliance outcomes.
  • Comprehensive medical, dental, vision, life, disability, and AD&D insurance for employees and eligible family members, plus HSA, FSA, and dependent-care flexible spending options.
  • 401(k) with employer match and an additional employer-funded retirement plan to accelerate long-term financial security.
  • 160 hours of PTO accrued per year (6.16 hours per pay period) plus ten paid holidays and a culture that actively encourages unplugged time off.
