Cybersecurity GRC Lead

Dear All,

NextEra is looking for a dynamic resource for Cybersecurity GRC Lead role.

The resource is responsible for establishing and managing the organization’s security governance framework, cyber risk management program, and regulatory/compliance posture. This role partners with business leaders, technology teams, and auditors to ensure security controls are designed, implemented, measured, and continuously improved. The position leads risk assessments, compliance readiness, policy/standards governance, third-party risk oversight, and audit execution—driving measurable security outcomes aligned to business objectives.

• Define and maintain the Information Security Governance model, including policies, standards, procedures, and control baselines.
• Own security exception management process and ensure compensating controls and approvals are documented.
• Establish security KPIs/KRIs and dashboard reporting for leadership and stakeholders.
• Drive security program maturity using frameworks such as ISO 27001/27002, NIST CSF, NIST 800-53, and/or CIS Controls.

• Lead enterprise cyber risk assessments, including:
• IT and cloud risk assessments
• Application and infrastructure risk reviews
• Threat and control gap analysis
• Maintain a risk register, define risk treatment plans, and track remediation closure with accountable owners.
• Facilitate risk acceptance decisions with leadership using consistent criteria and risk scoring.
• Ensure alignment between cyber risks and business continuity / resilience priorities.

• Manage compliance and assurance activities for applicable standards and regulations such as:
• ISO 27001, SOC 2, PCI DSS (if relevant), GDPR (if applicable), and local regulatory requirements
• Plan and execute internal audits, coordinate external audits, and manage audit evidence collection and response.
• Ensure continuous compliance through control testing, remediation management, and governance forums.
• Lead creation of Statement of Applicability (SoA), control narratives, and audit-ready documentation.

• Implement and manage third-party security due diligence and assurance:
• Security questionnaires, risk scoring, contract security clauses
• Review of SOC reports, penetration tests, and security attestations
• Track vendor risks and remediation plans, ensuring alignment with procurement and legal teams.
• Establish minimum security requirements for suppliers and outsourced services.

• Own the security awareness program and role-based training.
• Conduct phishing simulations and targeted training to reduce human risk.
• Promote security-by-design practices in collaboration with engineering/IT teams.

• Act as the GRC subject matter expert advising senior management on compliance and risk posture.
• Build strong partnerships across IT, Legal, Privacy, Risk, Audit, Procurement, and Business units.
• Mentor junior GRC analysts and coordinate cross-functional control owners.

Experience

• 12+ years in cybersecurity with strong focus on GRC, risk management, compliance, audit, or assurance.
• Hands-on experience implementing or managing security frameworks (ISO/NIST) and running audits.

• Strong understanding of:
• Security controls (identity/access, logging, endpoint, vulnerability, encryption)
• Cloud governance (Azure/AWS/GCP), SaaS controls, shared responsibility model
• Secure SDLC governance and application risk basics
• Familiarity with tools like GRC platforms (e.g., ServiceNow GRC, Archer), risk registers, and audit evidence workflows.

• CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Lead Auditor, CCSP, PMP/PRINCE2 (any combination is fine)

• Strong communication, audit/evidence discipline, stakeholder management
• Ability to translate technical risk into business impact and executive-level reporting