DIRECTOR, INFORMATION SECURITY GOVERNANCE - HYBRID
GreenShield
Windsor, Ontario, CA | Toronto, Ontario, CA
Posted 1 month ago
Job Type
full time
Description
The Director, Information Security Governance, is responsible for the strategic leadership and operational oversight of the organization’s Information Security Governance, Risk, and Compliance (GRC) functions. This role ensures a robust, risk-based, and business-aligned information security posture across the enterprise. The Director will develop, execute, and continuously enhance governance programs, policies, and processes that align with the NIST Cybersecurity Framework, regulatory obligations, and organizational objectives. This position is both strategic and hands-on, requiring expertise in cybersecurity risk management, policy governance, third-party oversight, regulatory compliance, and leadership of a multidisciplinary security team. The Director supports the Vice President, Security (CISO) to liaise with executive stakeholders, including the Risk Committee, Executive Committee, and Board of Directors.

Responsibilities:

1. Information Cybersecurity Awareness and Testing: Design and oversee a comprehensive cybersecurity awareness and testing program covering onboarding, monthly micro-trainings, quarterly phishing simulations, and annual enterprise-wide training. Deliver targeted training for executives, business units, and the Board of Directors, incorporating role-based risk scenarios and regulatory expectations. Measure training effectiveness through metrics and Key Risk Indicators (KRIs) for continuous program improvement.

2. Third-Party Risk Management (TPRM) – Security Posture Assessments: Lead the Information Security evaluation and continuous monitoring of third-party vendors, ensuring robust due diligence and risk scoring against security posture standards and procedures. Develop and manage the vendor security assessment lifecycle, integrating findings into enterprise risk reporting and procurement processes.

3. Information Security Policy and Standards Management: Maintain and expand the Information Security Policy and Standards library to align with evolving business operations, regulatory changes, threats, and frameworks (NIST, SOC2, OSFI, ISO 27001, etc.). Oversee policy governance and internal communication to ensure organizational compliance and understanding.

4. Cybersecurity Incident Response Program: Lead the development, testing, and maintenance of the Cybersecurity Incident Response Plan (CIRP) and oversight of playbook updates in partnership with the Information Security Operations team. Facilitate regular tabletop exercises simulating real-world attack scenarios, driving executive participation and readiness.

5. Business Enablement: Support revenue growth by leading the security response to RFPs, participation in client meetings, and due diligence requests, enabling sales opportunities. Lead client assurance efforts, including security audit responses and TPRM assessments, reinforcing trust and compliance assurance with customers.

6. Information Cybersecurity Risk Management Program: Develop and operationalize a comprehensive Cybersecurity Risk Management framework aligned to NIST CSF. Oversee the execution of security risk assessments and quantification models to measure and report risk exposure across business units. Lead ongoing security control testing for systems, applications, and third parties to validate security control design and effectiveness, ensuring risk mitigation.

7. Information Security Governance Program: Architect and execute a governance model that aligns with corporate strategy and risk appetite, ensuring consistent oversight of security programs and compliance obligations. Maintain governance documentation, charters, and processes reflecting continuous improvement and audit readiness.

8. Information Security Control Framework: Develop and manage a centralized Control Library mapping to regulatory, policy, and framework requirements. Oversee periodic control testing, validation, and maintenance activities, ensuring transparency and traceability to audit results.

9. Business Continuity Program (BCP): Oversee development, implementation, and testing of Business Continuity and Disaster Recovery programs. Conduct Business Impact Assessments (BIAs), Process Impact Analyses (PIAs), and dependency mapping across systems, processes, and vendors. Lead BCP tabletop exercises and training to ensure operational resilience during crises.

10. Regulatory, Audit, and Compliance Stakeholder: Act as the primary Information Security stakeholder in SOC2, OSFI, CLHIA, and other regulatory audits. Manage relationships with external auditors and internal risk teams to ensure timely, accurate evidence submission and remediation tracking. Support annual cybersecurity insurance renewals through risk data aggregation and reporting.

11. Government of Canada – Protected B Program: Serve as the Alternate Company Security Officer (ACSO) responsible for safeguarding sensitive government information and ensuring compliance with federal contract security requirements.

12. Data Governance / Data Loss Prevention (DLP): Collaborate with the Data Governance Committee to design and enforce DLP strategies. Guide the implementation of security controls to detect, prevent, and respond to data exfiltration risks.

13. Access Reviews and Audit Readiness: Oversee periodic access attestation reviews for critical systems and applications. Ensure compliance with audit standards and integration of results into enterprise KRI dashboards and Risk Committee reporting.

14. Reporting and Executive Communication: Develop, author, and present quarterly Information Security performance and compliance reports to the Risk Committee, Executive Team, and Board of Directors. Track progress against key deliverables, KRIs, and program OKRs.

15. Strategic Planning and Roadmap Development: Lead the creation and ongoing management of the Information Security Governance Roadmap, ensuring alignment with enterprise IT, risk, and organizational strategy. Identify emerging risks, regulatory changes, and technological trends to inform forward-looking governance objectives.
This job is found at InterviewStack.io
Skills
monitoring, procurement, SOC2, dashboards, risk management, strategic planning, due diligence, regulatory compliance, risk assessment, data governance, disaster recovery, incident response, security operations
About GreenShield
GreenShield is Canada's not-for-profit health and dental benefits provider, founded in 1957. Operating as a payer-provider model, GreenShield offers insurance, benefits administration, and integrated health services including mental health, pharmacy, and medical care services across Canada.