GRC Policy and Governance Lead

TN United Kingdom

Bury

On-site

GBP 60,000 - 100,000

Full time

Today

Job summary

An established industry player is looking for an IT & Cyber Governance and Policy Lead to enhance their security posture globally. This role involves developing and implementing governance frameworks and policies, ensuring compliance across diverse organizational entities. The ideal candidate will have a strong background in cybersecurity, policy development, and risk management, along with excellent communication and analytical skills. Join a dynamic team where your expertise will play a crucial role in shaping the organization's security strategy and fostering a culture of compliance and security awareness.

Qualifications

  • 5+ years in governance frameworks and policy development.
  • Deep understanding of cybersecurity frameworks and risk management.

Responsibilities

  • Implement and maintain IT and cyber governance frameworks.
  • Communicate policy requirements to stakeholders and suppliers.

Skills

Governance Frameworks
Policy Development
Cybersecurity Frameworks
Risk Management
Analytical Skills
Stakeholder Management
Communication Skills

Education

Bachelor's Degree in Cybersecurity
Certifications (CISSP, CISM, CRISC)

Tools

AWS
Azure
GCP

Job description

Job Description for IT & Cyber Policy and Governance Lead

Business Area

Information Security

Job Title

IT & Cyber Governance and Policy Lead

Scope and Coverage

Global

Outline Purpose of Role

This role will:

  • Implement, develop, and own IT and cyber governance processes and forums in alignment with the IT and Information security operations and risk framework.
  • Maintain and improve the IT and information security policy framework, including policies, standards, and processes.
  • Help drive a robust security posture for a large, complex organization, trading globally within a constantly evolving threat environment.

Impact of Role

  • Implement a governance framework to enforce and manage IT and cyber policies across all JD entities.
  • Promote good security hygiene and controls within the JD Sports business culture.

Reports to

Global Head of Governance, Risk and Compliance within the Information Security Function.

Direct Reports

Individual contributor, potentially managing a GRC Analyst and overseeing seconded resources, contingent workers, and systems integrators.

Key Elements of the Role

The job holder will develop, implement, and maintain IT and cyber governance frameworks, policies, and standards to ensure effective deployment and enforcement across the technology organization. Responsibilities include:

IT and Cyber Policy Framework:

  • Assess organizational entities to determine policy requirements.
  • Maintain and improve the policy framework for continuous enhancement.
  • Establish governance structures with clear roles, responsibilities, and processes.
  • Align governance with JD Sports policies and security strategy.
  • Define policies, standards, and guidelines following best practices.
  • Harmonize policies across entities for consistency.
  • Manage policy lifecycle, ensuring reviews and updates.
  • Analyze incidents for policy gaps and improvements.
  • Report on policy adherence, breaches, and risks.
  • Explore automation for policy enforcement.

Stakeholder Engagement and Advisory:

  • Communicate policy requirements to internal stakeholders and suppliers.
  • Collaborate with vendors to ensure policy adherence.
  • Develop compliance regimes aligned with the 3 lines of defense.
  • Work with HR, legal, and procurement to embed controls in processes.
  • Address non-compliance issues with risks and mitigation strategies.
  • Provide training on policies and best practices.
  • Build relationships to ensure policy effectiveness.
  • Serve as SME for governance and policies.

Key Attributes of The Jobholder

Experience and Qualifications

  • Bachelor’s degree in Cybersecurity, IT, Compliance, or a related field.
  • 5+ years in governance frameworks, policy development, or compliance.
  • Certifications like CISSP, CISM, CRISC preferred.
  • Deep understanding of cybersecurity frameworks (NIST, ISO 27001) and risk management.
  • Experience with controls development, threat modeling, and vulnerability management.
  • Knowledge of third-party risk management.
  • Understanding of regulatory frameworks (GDPR, PCI-DSS, etc.).
  • Awareness of operating systems and database technologies.
  • Experience with cloud environments (AWS, Azure, GCP).
  • Familiarity with Agile practices and advanced cybersecurity technologies.

Key Skills

The job holder should possess:

  • Ability to clarify ambiguity in complex organizations.
  • Strong analytical and decision-making skills.
  • Excellent communication skills for diverse audiences.
  • Proven collaboration and leadership abilities.
  • Effective stakeholder management and policy enforcement skills.