Cyber Security GRC Manager

Candidates must be authorized to work in the United States without the need for current or future visa sponsorship.

We are seeking a highly motivated and experienced GRC Manager to lead and mature our cybersecurity governance, risk, and compliance program across a complex retail ecosystem supporting 60,000+ associates, thousands of brick-and-mortar stores, distribution centers, corporate offices, datacenters, and multi-cloud environments .

This role will play a critical part in supporting our ongoing divestiture and Transition Services Agreement (TSA) journey initially, helping establish independent governance structures while ensuring continued alignment with shared services and transitional operating models.

The GRC Manager will partner closely with internal stakeholders, legacy service providers, and Business Process Outsourcing (BPO) partners to ensure risk visibility, compliance assurance, and control ownership clarity across both transitional and steady-state environments.

The ideal candidate is both strategic and execution-oriented , capable of operating effectively in environments undergoing transformation while building scalable governance frameworks for the future state.

• Lead the enterprise cybersecurity governance framework aligned to NIST CSF / NIST 800-53 / ISO 27001 .
• Support the design and maturation of governance structures as the organization transitions through TSA toward a standalone operating model.
• Own and maintain the cybersecurity policy, standards, and control framework lifecycle.
• Establish governance forums and reporting cadence with executive leadership.
• Drive maturity roadmap aligned to organizational risk appetite and separation milestones.
• Ensure governance processes are embedded across internal teams, TSA providers, and BPO partners.

• Manage the enterprise cyber risk program including risk identification, assessment, treatment, and reporting.
• Assess risks related to shared services, transitional architectures, and separation activities.
• Facilitate risk assessments across cloud, retail stores, supply chain, datacenters, and enterprise applications.
• Maintain enterprise risk register and track remediation progress across internal teams, TSA providers, and BPO partners.
• Partner with architecture and engineering teams to embed risk-based decision making during separation initiatives.

• Lead compliance efforts across relevant frameworks including:
• PCI DSS
• SOX ITGC
• Privacy / Data Protection requirements
• State and federal regulatory obligations
• Support compliance activities during TSA including shared control environments and inherited controls.
• Coordinate internal and external audits and manage evidence collection.
• Ensure continuous compliance monitoring across environments including controls operated by TSA and BPO providers.
• Validate adherence to contractual security and compliance obligations.

• Oversee vendor risk assessments across SaaS, supply chain, TSA providers, and service partners.
• Serve as the primary GRC liaison for cybersecurity BPO providers and transitional service providers.
• Monitor vendor, TSA, and BPO risk posture, performance metrics, and remediation activities.
• Partner with procurement and legal on risk reviews and contractual security requirements.

• Establish governance cadence with BPO partners including operational reviews and risk forums.
• Define and monitor security KPIs/KRIs and SLAs tied to BPO services.
• Ensure clear accountability and control ownership between internal teams, TSA providers, and BPO.
• Support continuous improvement initiatives with BPO providers to enhance control maturity.

• Develop and maintain cyber risk dashboards and KPIs/KRIs aligned to separation milestones.
• Provide regular reporting to executive leadership and governance councils.
• Translate technical risk into business impact for decision making.

• Partner with Security Operations, Engineering, Privacy, Legal, Internal Audit, and IT.
• Support secure transformation…