GRC Director

GRC Director (468956)

Location: Dallas, TX 75231 (onsite 2-3 days per week)

Position Type: Direct-Hire

Hourly / Salary: $160K-$180K+ (based on experience level)

Vaco is currently seeking a GRC Director for a Direct-Hire opportunity that is located in Dallas, TX 75231 (onsite 2-3 days per week). The GRC Director will serve as the SME responsible for developing and implementing the enterprise cybersecurity operations and GRC initiatives. The GRC Director will work closely with internal / external leaders within Business Technology, Legal, Compliance, and Privacy.

The GRC Director will work closely with the BT Cybersecurity team, understanding GRC and business requirements, tying technical concepts to enterprise and business risk.

• GRC Strategy / Roadmap – Develops / Maintains / Executes the BT GRC Strategy and Multi-Year Roadmap in Alignment With Organizational Information Security and Business Objectives, Including Defining Strategic Direction / Governance Structure / Control Standards / Risk Appetite Alignment
• Policy / Standards Governance – Develops / Maintains Policies / Processes / Procedures / Standards Supporting GRC and Cybersecurity Requirements based on Selected Regulatory / Industry Frameworks | Collaborates With Business Units / Legal / HR to Ensure Consistent Policy Enforcement / Awareness / Lifecycle Management / Version Control
• Enterprise Risk Management – Manages the BT Risk Management Program (Risk Identification / Inherent and Residual Risk Assessment / Control Evaluation / Mitigation Planning / Executive Reporting) | Maintains and Regularly Updates the Centralized Risk Register for Leadership Visibility and Board-Level Reporting
• Regulatory / Privacy Alignment – Ensures GRC Strategy Incorporates Security / Privacy Frameworks | Adapts to Legislative / Regulatory Changes | Monitors National / State / Local Privacy Laws and Data Governance Requirements | Translating Requirements into Control / Policy Updates
• Compliance Program Execution – Translates GRC Requirements into Actionable Control Guidance for Stakeholders | Identifies Compensating Controls / Gaps | Maintains a Compliance Calendar Tracking Policy Reviews / Annual Security Training / Risk Assessments / Control Testing / Evidence Collection
• Remediation / Risk Treatment – Drives Remediation Plans /Risk Treatment Strategies in Collaboration with Technology / Business Leaders | Tracks Corrective Actions / Validates Control Enhancements | Ensures Alignment with Internal Standards / External Regulatory Obligations
• Audit Leadership – Leads / Supports Internal / External Audits (Readiness Assessments / Control Walkthroughs / Evidence Compilation / Remediation Tracking) | Serves as Primary PoC for Third-Party Auditors / Assessors / Regulatory Examiners

This role is a newly created Director-level position, reporting to the National SVP of Cybersecurity Technology, focusing on building and leading a comprehensive GRC Program from the ground-up in the Business Technology / Cybersecurity Team. Right now, GRC work is fragmented and reactive among busy leaders with no dedicated owner, while they maintain heavy compliance obligations (PCI DSS / FedRAMP Low / SOC 2 Type
2) and prepare for HIPAA as the next big requirement. They are also shifting their cybersecurity benchmark from CIS Controls to the more organizationally aligned NIST Cybersecurity Framework. This is a high-impact, change-agent role for a seasoned GRC leader with proven experience standing up programs in complex environments. It's about transforming how this organization governs risk and compliance at an enterprise scale to support its ambitious mission, perfect for someone who thrives on building growth, influencing cross-functionally, and driving real organizational evolution.

• Own the BT GRC strategy, multi-year roadmap, policies, processes, and standards.
• Lead the full enterprise risk management program (identification / assessment / mitigation / risk register / leadership reporting).
• Champion the NIST transition and drive organizational change as a true catalyst, not just a maintainer.
• Manage audit prep / readiness / remediation and be the primary…