Director, Information Security Governance, Risk & Compliance (GRC)

Director, Information Security Governance, Risk & Compliance (GRC)

Life Unlimited. At Smith+Neb, we design and manufacture technology that takes the limits off living.

Smith+Neb is seeking an experienced Director of Information Security Governance, Risk & Compliance (GRC) to lead and evolve our global GRC function. Reporting to the Chief Information Security Officer, this role will have full accountability for defining, implementing, and continuously improving the Information Security and IT GRC strategy across the enterprise.

This leader will strengthen compliance, reduce information and technology risk, and enable business success-supporting Smith+Neb's ambition to be a leader in the medical technology industry. The role requires a strategic mindset, strong execution capability, and the ability to balance assertive leadership with empathy and collaboration.

The Director of Information Security Governance, Risk & Compliance will define, own, and execute the global Information Security and IT GRC strategy, ensuring alignment with Smith+Neb's business objectives and risk appetite. This role will lead, build, and develop a high‑performing global GRC organization, including teams in low‑cost regions, and translate complex regulatory and risk requirements into scalable, measurable programs.

The Director will oversee the governance and compliance landscape by monitoring evolving cyber security laws, regulations, and industry standards, defining and maintaining global information security policies, and deploying appropriate audits and controls to ensure sustained compliance. This includes providing clear, concise reporting, metrics, and insights to executive leadership and key stakeholders.

The role is accountable for designing and operating enterprise‑wide IT and Information Security risk management programs. This includes identifying, assessing, documenting, and managing technology, security, and third‑party risks, maintaining a comprehensive enterprise risk register, and ensuring risks are effectively communicated and managed.

The Director will lead the global IT SOX compliance program, ensuring strong IT General Controls and successful delivery against leadership‑defined KPIs, while partnering closely with internal and external audit teams. In addition, the role will define and maintain IT computer system validation and IT quality assurance programs to meet global regulatory and compliance expectations.

Working in close partnership with Product Security, Commercial, and R&D teams, the Director will ensure compliance programs support customer assurance and commercial growth, including cyber and privacy certifications, audits, and customer tender responses. The role will also lead regulatory intelligence efforts to identify, monitor, and comply with applicable cyber security, privacy, and disclosure requirements worldwide.

This role works in close collaboration with Corporate Finance and Business Teams to align GRC strategy with business objectives and risk tolerance. The Director partners extensively with Internal Audit, Compliance, and Legal teams to ensure regulatory alignment, audit readiness, and effective governance. Strong relationships are also maintained with Corporate IT, Commercial, R&D, and Product Security teams to embed security and compliance into technology operations, product development, and customer‑facing activities.

What will you need to be successful?

• Bachelor's degree in Information Systems, Computer Science, IT Audit, or a related field, or equivalent professional experience.
• 10+ years of experience in GRC, IT Information Security, Information Risk Management, and/or IT Audit.
• Proven experience building, managing, and leading global teams.
• Extensive experience managing Sarbanes‑Oxley (SOX) compliance and IT controls.
• Strong knowledge of IT General Controls and audit practices.
• Hands‑on experience with GRC platforms and metric‑driven continuous improvement.
• Security and risk frameworks (e.g., NIST CSF, ISO 27002, CSA).
• Privacy and regulatory requirements (e.g., GDPR, HIPAA, PCI, and other global privacy regulations).
• Third‑party risk management (internal and outsourced models).
• Policy development, governance, and lifecycle management.
• Data security, disaster recovery, and information governance.
• Security and privacy contract review processes.
• Management of GRC KPIs and executive‑level reporting.

Certifications (Preferred)

• CISA, CISM, CRISC
• ISO 27001 Lead Auditor

Core Competencies

• Excellent written and verbal communication skills.
• Strong stakeholder management skills, with the ability to influence senior leaders.
• Ability to balance assertiveness with empathy and collaboration.
• Highly organized with strong attention to detail and problem‑solving skills.
• Ability to operate independently in a complex, global matrix environment.
• Strong understanding of information security, GRC, and medical device industry trends.
• Business‑oriented mindset with a focus on enabling growth and innovation.

Benefits & Compensation

Anticipated base compensation range for this position is £115,000–£125,000 annually, depending on candidate qualifications. Additional compensation may include bonus, medical, dental, and vision coverage, pension scheme, share options, car allowance, and various wellness offerings.

#J-18808-Ljbffr