GRC Director (468956) POST NUMBER: 470324

• GRC Strategy / Roadmap – Develops / Maintains / Executes the BT GRC Strategy and Multi-Year Roadmap in Alignment With Organizational Information Security and Business Objectives, Including Defining Strategic Direction / Governance Structure / Control Standards / Risk Appetite Alignment
• Policy / Standards Governance – Develops / Maintains Policies / Processes / Procedures / Standards Supporting GRC and Cybersecurity Requirements based on Selected Regulatory / Industry Frameworks | Collaborates With Business Units / Legal / HR to Ensure Consistent Policy Enforcement / Awareness / Lifecycle Management / Version Control
• Enterprise Risk Management – Manages the BT Risk Management Program (Risk Identification / Inherent and Residual Risk Assessment / Control Evaluation / Mitigation Planning / Executive Reporting) | Maintains and Regularly Updates the Centralized Risk Register for Leadership Visibility and Board-Level Reporting
• Regulatory / Privacy Alignment – Ensures GRC Strategy Incorporates Security / Privacy Frameworks | Adapts to Legislative / Regulatory Changes | Monitors National / State / Local Privacy Laws and Data Governance Requirements | Translating Requirements into Control / Policy Updates
• Compliance Program Execution – Translates GRC Requirements into Actionable Control Guidance for Stakeholders | Identifies Compensating Controls / Gaps | Maintains a Compliance Calendar Tracking Policy Reviews / Annual Security Training / Risk Assessments / Control Testing / Evidence Collection
• Remediation / Risk Treatment – Drives Remediation Plans / Risk Treatment Strategies in Collaboration with Technology / Business Leaders | Tracks Corrective Actions / Validates Control Enhancements | Ensures Alignment with Internal Standards / External Regulatory Obligations
• Audit Leadership – Leads / Supports Internal / External Audits (Readiness Assessments / Control Walkthroughs / Evidence Compilation / Remediation Tracking) | Serves as Primary PoC for Third-Party Auditors / Assessors / Regulatory Examiners

• Own the BT GRC strategy, multi-year roadmap, policies, processes, and standards.
• Lead the full enterprise risk management program (identification / assessment / mitigation / risk register / leadership reporting).
• Champion the NIST transition and drive organizational change as a true catalyst, not just a maintainer.
• Manage audit prep / readiness / remediation and be the primary contact for external auditors.
• Build / Scale a small team (starting with 2 direct reports: Risk Manager Risk Analyst), make cases for growth, and partner closely with Legal / Cybersecurity / Business Units to translate complex requirements into actionable guidance.
• Ensure sustainable compliance, proactive risk treatment, and education across teams (including sales / marketing on privacy trends).

• GRC Director / Leadership (5 years) – Building / Scaling Enterprise GRC Programs | Oversight of Multi-Framework Environments / Executive Reporting / Board-Level Risk Communication
• Enterprise GRC Program Development – Proven Track Record of Standing-Up / Growing Comprehensive GRC Programs from Ground-Up in Complex / Large-Scale / Regulated Environments | Establishing Governance Structures / Control Libraries / Risk Methodologies / Reporting Cadence
• Multi-Framework Compliance Oversight (direct hands-on) – Managing Concurrent Compliance Initiatives Across PCI DSS / SOC 2 Type 2 / FedRAMP (Low or Moderate) / HIPAA or Similar Privacy Regulations | Coordinating Control Harmonization / Evidence Strategies / Continuous Monitoring Across Frameworks
• ERM (expertise) – Risk Identification / Qualitative & Quantitative Risk Assessment / Mitigation Planning / Risk Treatment Strategies / KRIs & KPIs / Ongoing Monitoring | Maintenance of Executive-Level Risk Register with Clear Escalation / Reporting Mechanisms
• Cybersecurity Framework Strategy – Transitioning Organizations Between Maturity Models (CIS Controls to NIST Cybersecurity Framework) | Control Mapping / Gap Analysis / Organizational Change Management
• Audit / Assurance Leadership –Leading Audit Readiness / Control Walkthroughs / Remediation Programs / Evidence Governance | Serving as Primary Executive PoC for External Auditors / 3PAOs / Assessors Across Multiple Regulatory Frameworks
• Policy / Control Operationalization –Develop / Document / Operationalize Enterprise-Wide Policies / Standards / Procedures / Technical Control Baselines | Ensuring Scalability / Sustainability / Alignment With Business and Regulatory Objectives
• Change Leadership / Organizational Influence – Drive Enterprise Adoption of GRC Practices Across Business Units / Technology / Legal / Leadership | Leading Cultural Transformation Beyond “Check-the-Box” Compliance
• GRC Team Development – Building / Leading Small-to-Medium GRC / Risk Teams | Conducting Capability Assessments / Defining Roles & Competencies / Creating Business Cases for Headcount & Tooling Investment
• Privacy / Data Governance Expertise (strong understanding) –Privacy / Data Protection / Health Information Handling Requirements | Translating Complex Regulatory Obligations into Practical Guidance for Non-Technical Stakeholders (Sales / Marketing / HR)

• Nonprofit / Healthcare / Highly-Regulated Industry Experience

Vaco by Highspring values a diverse workplace and strongly encourages women, people of color, LGBTQ+ individuals, people with disabilities, members of ethnic minorities, foreign-born residents, and veterans to apply.

EEO Notice

Vaco by Highspring is an Equal Opportunity Employer and does not discriminate against any employee or applicant for employment because of race (including but not limited to traits historically associated with race such as hair texture and hair style), color, sex (includes pregnancy or related conditions), religion or creed, national origin, citizenship, age, disability, status as a veteran, union membership, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, political affiliation, or any other protected characteristics as required by federal, state or local law.

Vaco by Highspring and its parents, affiliates, and subsidiaries are committed to the full inclusion of all qualified individuals. As part of this commitment, Vaco by Highspring and its parents, affiliates, and subsidiaries will ensure that persons with disabilities are provided reasonable accommodations. If reasonable accommodation is needed to participate in the job application or interview process, to perform essential job functions, and/or to receive other benefits and privileges of employment, please contact HR@vaco.com .

Vaco by Highspring also wants all applicants to know their rights that workplace discrimination is illegal.

By submitting to this position, you agree that you will be giving Vaco by Highspring the exclusive right to present your as a candidate for the foregoing employment opportunity. You further agree that you have represented information about yourself accurately and have not affirmatively misrepresented your qualifications. You also agree to maintain as confidential, to the fullest extent permitted by law, any information you learn from Vaco by Highspring about the position and you will limit disclosure of information about the position only to the extent necessary to perform any obligations in furtherance of your application. In exchange, Vaco by Highspring agrees to exercise reasonable efforts to represent you through all solicitation, job screening and resume dispersal.

Privacy Notice

Vaco by Highspring and its parents, affiliates, and subsidiaries (“we,” “our,” or “Vaco by Highspring”) respects your privacy and are committed to providing transparent notice of our policies.

• California residents may access Vaco by Highspring HR Notice at Collection for California Applicants and Employees here.
• Virginia residents may access our state specific policies here.
• Residents of all other states may access our policies here.
• Canadian residents may access our policies in English here and in French here.
• Residents of countries governed by GDPR may access our policies here.

Pay Transparency Notice

Determining compensation for this role (and others) at Vaco by Highspring depends upon a wide array of factors including but not limited to:

• the individual’s skill sets, experience and training;
• licensure and certification requirements;
• office location and other geographic considerations;
• other business and organizational needs.

With that said, as required by local law, Vaco by Highspring believes that the following salary range referenced above reasonably estimates the base compensation for an individual hired into this position in geographies that require salary range disclosure. The individual may also be eligible for discretionary bonuses.