Cybersecurity Governance, Risk & Compliance Expert

The Cybersecurity Governance, Risk and Compliance Expert has significant responsibility for the City and County of San Francisco Cybersecurity Program. The responsibilities include cybersecurity strategy, cybersecurity governance, security risk management, security compliance, third-party security assessments, Payment Card Industry compliance, and regulatory attestations. This position leads program management for the Cybersecurity Team and is responsible for cross-organization resource and budget planning. The position requires representing the Chief Information Security Officer (CISO) and liaising with City departments on behalf of the City's Cybersecurity Program. The position may also supervise staff.

Essential Job Duties and Functions:

  • Serve as a primary security risk liaison for City Departments, including executive stakeholders. Liaise with business and technology leaders to ensure visibility to and understanding of security risks. Develop strong relationships with key stakeholders to ensure risk management oversight is understood and managed appropriately.
  • Oversee Information Security Governance, including preparing reports and materials for the City Information Security Governance Committee.
  • Provide recurring risk reports to the CISO, Business Stakeholders and IT leadership teams.
  • Develop and report relevant utilization and efficacy metrics for security teams including dashboards, reports and KPIs.
  • Formally document and maintain the security risk strategy, risk assessment process and annual risk treatment efforts for the City.
  • Oversee and facilitate the development of risk assessments and mitigation strategies for the City Departments.
  • Lead Information Security program budget planning.
  • Support the Information Security policy life-cycle.
  • Create and maintain risk, threat and controls library based on NIST 800-53, ISO 27002 and other standards and regulations, and provide guidance to City departments.
  • Maintain the Information Security Risk Register and GRC tools.
  • Manage action plans in response to information security risk assessments, track status, and report to security leadership.
  • Interact with internal audit, third party auditors, and appropriate regulatory bodies and participate in all internal and external audit projects.
  • Perform related job duties as assigned.


Minimum Education Level: Bachelor's

Eight (8) years of professional experience in IT Systems, which must include:
1. Five (5) years of Information Assurance experience; AND
2. Three (3) years of Risk Management experience; AND

Supervisory Experience:

Three (3) years of experience directly supervising professionals

Highly Desirable Qualifications:
  • Three (3) years or more of cybersecurity leadership experience, delivering large and complex cybersecurity projects.
  • Understanding of NIST 800-30x, HIPAA, PCI and other relevant regulatory requirements as they relate to information security.
  • Experience with formal information security risk assessment methodologies, including FAIR, ISO 31000, and NIST 800-39.
  • Experience with developing and implementing various security control standards (e.g., NIST CSF, PCI DSS, NIST 800.30) at large complex organizations.
  • Experience translating emerging IT and business trends into meaningful risk reduction opportunities.
  • Ability to manage budgets, monitor program progress and adjust resources and priorities accordingly.
  • Experience with common audit methodologies.
  • Experience working with GRC products.
  • Successful candidates will have the ability to work autonomously and be able to bridge the gap between technical knowledge and stakeholder engagement in order to influence strategy and information security management.
  • Experience working both independently and in a team-oriented, collaborative environment.
  • Recognize complex problems, analyze situations and provide suggested/implemented resolution(s).
  • Ability to interact professionally with a diverse group including executives, managers and subject matter experts.
  • Ability to apply critical thinking to process improvement and measurement on behalf of the Security Team.
  • Flexibility to conform to shifting priorities through analytical and problem-solving capabilities.
  • Exhibit excellent written and oral communications skills and professionalism.
  • Experience as a project manager in a multi-departmental organization.

Special Requirements:

  • Criminal Justice Information Services (CJIS) Security Clearance may be required. (See Security Clearances and Background Investigations below).
  • Must maintain a valid driver license.

Posted: January 18, 2019