Information Security Manager (GRC)
Delivering one-of-a-kind cloud technology, accompanied by award winning customer service, Paylocity is a software development company in a category of its own.
The Information Security Manager (GRC) will play an instrumental role in implementing Paylocity’s information security policies, standards, and procedures and will work collaboratively with the entire organization to ensure that these documents are adhered to. Reporting to the Chief Information Security Officer, this position will also work closely with a variety of internal stakeholders (Chief Financial Officer, Senior Vice President of Operations, Senior Vice President of Product Development, and the Treasurer, to name a few) to execute Paylocity’s information security strategy in relation to governance, IT risk management, and compliance. The manager in this key role will also ensure that Paylocity’s security processes are properly designed and are functioning effectively and that the organization maintains its compliance with all applicable legal, regulatory, and contractual requirements. In addition, the role will be responsible for ensuring that Paylocity properly identifies, assesses, and manages its information risks.
Are you the leader we are looking for?
Who you are:
• Passionate about information security, privacy, IT governance, risk management and compliance
• An evangelist regarding the importance of information security
• Committed to an ongoing partnership with other high-profile groups within the organization to ensure information security objectives are being understood and embraced
• Established presence within the information security community
• Ability to anticipate problems and recommend decisive action
• Excellent communication skills (both written and oral)
• Ability to work collaboratively across the organization
• Values their role as an advisor and business enabler more than their role as a rule enforcer
• Self-driven, creative, and resourceful
• A leader who inspires their team to accomplish more than they believed they were capable of
How we work:
• Casual, collaborative environment which embraces and operates under our shared principles
• Complete transparency with open, honest discussions about our progress
• Close working relationships across all areas of the organization
• Focus on outcomes and learning
What we offer:
• A strong commitment to information security both financially and organizationally
• An existing talented and passionate information security team
• The chance to meaningfully contribute to a vast market opportunity
• A collaborative environment where our information security team is empowered to help steer the direction of the organization
• A place to contribute your security knowledge company-wide through communities of practice with our product development team
• Annual training allowance to learn new things and bring them back to the team
• Flexible remote work arrangements
• Employee Stock Purchase Program (ESPP) which enables employees to share in the long-term growth and future success of the company
• Experience leading corporate-wide initiatives for meeting security related standards (e.g., ISO 27001 certification, SSAE-18 SOC 2 audits, HIPAA audits, etc.) including process control design and testing.
• Prior experience managing a team of security professionals.
• Deep knowledge of risk management, IT governance, and regulatory compliance processes.
• Experience creating, implementing, maintaining, monitoring, and enforcing security awareness and third-party oversight / vendor risk management programs.
• Well-versed in federal and state legal and regulatory requirements related to information security and privacy, e.g., HIPAA, HITECH Act, state data protection and breach notification laws, etc.
• Familiarity with the information security issues affecting financial service organizations and cloud-based application service providers.
• Understands the tenets of IT risk management (threat management, vulnerability management, and risk treatment).
• Possesses at least one of the following professional designations (or one of similar stature):
o Certified Information Systems Security Professional (CISSP)
o Certified Information Security Manager (CISM)
o Certified Information System Auditor (CISA)
o Certified in the Governance of Enterprise Information Technology (CGEIT)
• Bachelor’s degree in information security, information assurance, computer science, management information systems, computer information systems, or a related discipline.
During the last three months, you would have:
• Served as a subject matter expert for information security (specifically in the domains of risk management, IT governance, and regulatory compliance).
• Collaborated with an array of internal partners from finance, product development, human resources, legal, etc. and the executive leadership team to ensure that security and compliance requirements are met.
• Managed (in some cases drafting) Paylocity’s information security and privacy related policies, standards, and procedures.
• Assessed corporate-wide compliance with Paylocity’s policies and standards and taken action to remediate non-compliance.
• Ensured that Paylocity is properly evaluating information security risks through a risk assessment framework that assesses the potential impact of threats to the business and Paylocity’s vulnerability to these threats and recommends controls to reduce risks to levels that align with the organization’s risk tolerances and appetite.
• Designed and implemented a program to collect and report information security related performance metrics and key risk indicators.
• Oversaw Paylocity’s business continuity planning, disaster recovery planning, and third-party oversight programs as well as periodic exercises and tests.
• Managed Paylocity’s vulnerability management program by collecting vulnerability data, tracking the status of vulnerabilities, and reporting on vulnerabilities.
• Ensured that Paylocity continues to comply with all applicable legal and regulatory requirements (especially the Sarbanes-Oxley Act), maintains unqualified opinions in its SSAE-18 SOC 1 and SOC 2 audit reports, maintains its ISO 27001 certification, and continues to identify, assess, and manage its information risks.
• Provided our executive leadership team with timely updates to ensure awareness of information security risks.
• Identified compliance objectives and mapped program deliverables to the requirements.
• Participated in designing and deploying a company-wide security awareness program that is tailored to the needs of specific roles within the organization and is measurable and auditable.
• Represented Paylocity in the information security arena through vendor relations and participation in professional organizations.
• Managed the agenda for Paylocity’s Information Security Steering Committee (ISSC) meetings and chaired Paylocity’s Information Risk Operating Committee (IROC) meetings.
• Provided guidance, feedback, and mentoring to the existing members of the Policy, Governance, Risk, and Compliance team and inspired them to continuously improve their performance.
• Managed the deployment of Policy, Governance, Risk, and Compliance team resources across numerous initiatives and day-to-day activities, ensuring high-quality deliverables and completion of projects on time and at (or under) budget.
• Worked closely with the Chief Information Security Officer and the other members of the information security leadership team to devise and then execute against Paylocity’s overall information security strategy.
• Glassdoor's Employees' Choice Award in 2014
• 7-time Winner on Chicago Area's 101 Best and Brightest Companies to Work For
• Inc Magazine listed Paylocity as an Inc 5000 Fastest Growing Privately Held Firm from 2007-2013
• Ranked #14 on Built in Chicago Top 100 Digital Companies for 2014
• Ranked #24 on Forbes 2013 List of Top 100 Digital Companies in Chicago
• Ranked #38 on Crain's Fast Fifty List of Chicago's Fastest Growing Companies in 2014
• Ranked #334 on Deloitte's 2014 Technology Fast 500 List of Fastest Growing Companies in North America