CareerRiver

Senior Director, Governance and Risk

Collegeboard · Remote

📍 Remote - USA · via Workday
Senior Director Governance and Risk
College Board – Risk Management

Location: This is a remote role. Candidates who live near CB offices have the option of being fully remote or hybrid (Tuesday and Wednesday in office). All CB employees are required to occasionally travel to meet in person for business purposes.

Role Type: This is a full-time position

About the Team

The Information Security Governance Risk and Compliance (ISGRC) team at the College Board works closely with other teams across the organization to assess and certify the security of College Board’s information systems and processes. This dedicated team facilitates information security governance and compliance by assessing College Board’s vendors, reviewing and negotiating contractual commitments to information security, planning for disaster response and recovery, testing system strength using industry-recognized frameworks (ISO 27001, PCI-DSS and SOC2) and obtaining related compliance certifications, implementing information security policies, promoting security awareness and training, and testing the acumen of College Board employees through robust and innovative training and phishing campaigns.

About the Opportunity

As the Senior Director, Information Security Governance & Risk, you will operationalize the vision set in collaboration with other Senior Team members and approved by Executive Leadership. The Senior Director will oversee delivery across Security Policy, Security Awareness, Business Continuity, Vendor Risk Management, and the Information Security Risk Register. Your role is to ensure execution of Governance and Risk functions through a team of practitioners. You will work closely with stakeholders from Legal, Procurement, Information Security Office, Privacy, and Business Stakeholders.

In this role, you will:

Manage Governance and Risk (50%)

Security Policy & Governance Operations
- Ensure policies and standards are maintained, updated, and operationalized by the organization.
- Oversee policy communication, awareness, and exception processes.
- Drive consistency in governance practices across the organization.

Security Awareness Execution
- Ensure effective delivery of the organization’s security awareness program.
- Oversee targeted training and campaigns aligned to key risk areas.
- Monitor engagement and effectiveness metrics.

Business Continuity Coordination
- Ensure coordination of Business Continuity and Disaster Recovery governance activities.
- Oversee execution of BIAs, plan updates, and testing exercises.
- Track and drive remediation of identified gaps.

Technology Risk Register
- Ensure the team maintains an accurate and actionable Information Security Risk Register.
- Oversee consistent risk identification, assessment, and documentation practices.
- Drive accountability for timely risk remediation and escalation.
- Support development of risk reporting for senior leadership consumption.

Vendor Risk Management (VRM)
- Ensure consistent, high-quality execution of the third-party risk assessment program.
- Drive increased assessment throughput and reduced cycle times through team performance and process optimization.
- Oversee standardized approaches for SOC 2 reviews, control analysis, and risk evaluation.
- Ensure effective coordination with Procurement and business stakeholders.
- Experience with or exposure to continuous monitoring capabilities (e.g., external risk signals, ongoing vendor posture tracking) to enhance third-party risk visibility is a plus.

Process Optimization & Automation (20%)
- Identify and prioritize opportunities to scale Governance and Risk processes using automation and AI Agents.
- Ensure successful implementation of tooling and workflow improvements (e.g., OneTrust, KnowBe4).
- Drive reduction of manual effort across assessments, evidence review, and reporting.
- Promote a culture of continuous improvement within the team.
- Establish and monitor KPIs/KRIs to track team performance and program effectiveness.
- Identify gaps and ensure implementation of scalable, sustainable improvements.

Team Leadership (20%)
- Manage and lead a team of four that is responsible for Security Policy, Security Awareness, Business Continuity, Vendor Risk Management, and the Information Security Risk Register.
- Ensure you: Set vision and priorities for the team, track and manage progress to goals, and provide coaching and support to ensure team members meet and exceed goals, remain engaged, and contribute meaningfully to our mission and impact.

Negotiate Security Reviews (10%)
- Review Data Security language in critical procurement contracts.
- Review security requirements in RFPs.
- Develop risk language for state contracts.

About You

- 8-10+ years of progressive experience leading Governance and Risk functions.
- CRISC certification required. All other security certifications (e.g., CISM, CISSP) optional and preferred.
- Bachelor’s degree required. Preference will be given to advanced degrees.
- Proven ability to support and deep practical knowledge of Security Policy, Security Awareness, Business Continuity, Vendor Risk Management, and Information Security Issue Management.
- Comfortable with change, a strong people leader and operator who can build structure, drive accountability, and increase program capacity through disciplined execution, process improvement, and the use of automation and AI.
- Ability to work effectively across technical and non-technical teams, including Legal, Procurement, Information Security, Privacy, engineering, operations, and business stakeholders, building trust and alignment while driving agreement on risk decisions, ownership, and remediation.
- Exceptional written and ver
