Deputy CISO

WHO WE ARE

Relation Insurance is a leading, innovative company with a strong commitment to excellence and a passion for delivering cutting-edge solutions to our clients. As a key player in the insurance market, we pride ourselves on our dynamic culture, collaborative environment, and continuous drive for success. With a rich history and a bright future ahead, we are looking for exceptional individuals to join our team and contribute to our ongoing growth and success.
 

WHAT WE’RE LOOKING FOR

The Deputy CISO, Governance, Risk & Compliance (GRC) is a senior security leader responsible for executing the organization’s enterprise governance, risk, and compliance program end-to-end. The individual in this role operates with full responsibility and accountability for GRC outcomes, including successful audit completion, regulatory compliance, customer assurance, and third-party risk management.

The Deputy CISO, GRC serves as the primary security compliance authority for auditors, regulators, and customers and is expected to independently drive results, ensure completion of regulatory obligations, and maintain audit-ready security governance across the enterprise.

A GLIMPSE INTO YOUR DAY

• Leads and executes the enterprise governance, risk, and compliance program end-to-end.
• Operates across multiple regulatory frameworks simultaneously, ensuring successful delivery of compliance and risk outcomes.
• Serves as the primary point of contact for auditors, regulators, and customers on security and compliance matters.
• Represents the organization as the accountable security compliance leader in regulatory examinations, customer diligence reviews, and external assurance engagements.
• Leads enterprise audit and regulatory readiness through gap analysis, control design, policy development, evidence collection, and timely remediation closure, ensuring successful audit completion across SOC 1, SOC 2, NYDFS Part 500, HIPAA, and GDPR.
• Ensures timely closure of audit findings and remediation of control gaps through completion.
• Responsible for writing, maintaining, and enforcing all security and compliance policies, standards, and procedures.
• Retains ownership of control intent, rationale, and narrative consistency across audits, regulators, and customer engagements.
• Performs security and privacy risk assessments, control testing, and remediation tracking through completion.
• Responsible for maintaining enterprise data mapping, documenting data flows, systems, and third-party processors.
• Leads vendor privacy and security risk assessments involving regulated and personal data.
• Partners with legal and business stakeholders to ensure privacy governance requirements are met.
• Responsible for the enterprise third-party risk management program, including vendor assessments, monitoring, and remediation follow-through.
• Independently completes customer security questionnaires (SIG, CAIQ, and custom SAQs) and provides security narrative responses for RFPs and customer due diligence inquiries.
• Independently develops accurate, clear, and consistent security narratives grounded in sustained understanding of the organization’s technical and risk environment, without repeated reliance on technical or engineering resources.
• Partners with IT, Engineering, Legal, Privacy, Risk, and business leadership to obtain evidence and implement controls, while retaining accountability for control interpretation and compliance outcomes.
• Provides executive-ready reporting on audit status, compliance posture, remediation progress, and enterprise risk.
• Leverages AI-assisted tools and automation to improve efficiency, consistency, and scale across GRC execution, while exercising sound judgment in regulated and confidential environments.
• Continuously identifies opportunities to streamline GRC processes through tooling, automation, and workflow optimization.
• Performs other projects, duties, and tasks, as assigned.

WHAT SUCCESS LOOKS LIKE IN THIS ROLE

• Bachelor’s degree in Computer Science, Information Technology, Cybersecurity or other related field. Master’s degree in Cybersecurity or Information Systems preferred.
• Minimum 8 years of progressively responsible experience in information security, cybersecurity risk management, or related roles.
• Relevant certifications (CISSP, CISM, CISA, CRISC, HCISPP, CCSK, ISO 27001 LA/LI, or equivalent).
• Prior experience as a Deputy CISO, Head of GRC, Director of GRC, or Principal GRC Lead preferred.
• Experience supporting highly regulated industries such as financial services or healthcare preferred.
• Demonstrated ability to operate as the accountable GRC leader in enterprise, audit, and regulator-facing environments.
• Extensive hands-on experience leading SOC programs from readiness through audit completion.
• Demonstrated experience managing HIPAA Security Rule compliance.
• Practical working knowledge of GDPR, including data mapping and vendor privacy risk management.
• Deep knowledge of SOC 1, SOC 2, NYDFS Part 500, and third-party risk management.
• Proven ability to independently manage audits, write policies, collect evidence, and respond to auditors and customers.
• Strong understanding of enterprise IT environments, cloud platforms, SaaS architectures, identity, networking, logging, and security controls.
• Exceptional written and verbal communication skills; comfortable interfacing with executives, auditors, regulators, and customers.
• Highly organized with the ability to manage multiple concurrent audits and regulatory obligations.
• Ability to travel as required by business need.

WHY CHOOSE RELATION?

• Competitive pay.
• A safe and healthy work environment provided by our robust benefit program including family health and wellness programs, 401K, employee assistance programs, paid time off, paid holidays and more.  
• Career advancement and development opportunities.

.

Note: The above is not all encompassing of the full position description. 

Relation Insurance Inc. provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.

.