About the role
Our culture lifts you up—there is no ego in the way. Our common purpose? We all want to win for our customers. We aim to always be evolving, dynamic, and ambitious. We believe in the power of genuine connections. Each employee is a part of what makes us unique on the market: agile and dedicated.
Time Type: Regular
Job Description: Lead Specialist, Security GRC
Position Summary
As the Lead Specialist for Governance, Risk, and Compliance (GRC), you will operate as a senior individual contributor driving the maturity of our information security program. You will take ownership of critical GRC processes, including security and IT policy development, framework implementation, risk assessment, maintaining a risk register, regulatory monitoring, audit management and reporting. A key component of this role is providing mentorship to junior analysts and directly contributing to the continuous improvement of the organization's overall security governance, risk posture and compliance.
Key Responsibilities
Strategic GRC Leadership & Program Management
- Lead the development, review, and continuous improvement of information security policies, standards, baselines, and guidelines, ensuring they are comprehensive, enforceable, and strategically aligned.
- Drive the implementation and operationalization of security governance frameworks (e.g., NIST CSF, ISO 27001) across diverse organizational functions, acting as a primary subject matter expert.
- Contribute to the development of the Information Security strategy and roadmap based on observed security gaps and evolving GRC requirements.
- Provide expert guidance and interpretation of security policies and standards to IT teams, business units, and project teams.
- Contribute to GRC program maturity assessments and the development of strategic improvement plans.
Advanced Risk Management & Influence
- Lead and execute complex security risk assessments (e.g., enterprise-wide, application-specific, third-party) to identify, analyze, and evaluate security risks to information assets and business processes.
- Develop detailed risk reports and mitigation strategies, articulating complex architectural risks clearly and influencing enterprise-level risk decisions by highlighting their potential business impact to executive stakeholders.
- Produce and maintain comprehensive risk assessments for each business project.
- Develop detailed risk reports and mitigation strategies, articulating technical risks clearly to both technical and non-technical stakeholders, including executive leadership.
- Develop and manage the organization's Third-Party Risk Management (TPRM) program, including the establishment of processes for vendor risk assessment, due diligence, ongoing monitoring, and contract management from a risk perspective.
- Develop detailed risk treatment plans and provide actionable recommendations for risk mitigation, working closely with asset owners and technical teams to ensure effective implementation.
- Maintain and enhance the security risk register, ensuring accurate tracking of risks, controls, and mitigation progress.
Compliance & Audit Management
- Oversee the lifecycle of security exception and approval requests, ensuring thorough documentation, appropriate routing, tracking, timely resolution, and actively contributing to the development and enforcement of exception policies and standards, providing guidance to requestors and approvers.
- Manage and coordinate responses to internal and external security audits (e.g., SOC 2, ISO 27001, PCI DSS, regulatory exams), acting as a primary liaison with auditors and facilitating evidence collection.
- Oversee the tracking, remediation, and validation of audit findings and non-conformities, working with responsible teams to ensure timely and effective closure.
- Drive compliance initiatives for relevant laws and regulations such as PIPEDA, US and Canadian Privacy laws, and other industry-specific mandates.
- Develop and deliver comprehensive compliance reports to management and other stakeholders.
GRC Tooling & Automation
- Optimize the utilization of the GRC management solution to enhance automation, streamline workflows, and improve reporting capabilities for risk, compliance, and policy management.
- Track the effectiveness of GRC initiatives and identify areas for improvement, collaborating with technical teams to implement solutions.
- Develop and maintain complex dashboards and reports within the GRC tool to provide real-time insights into the organization's GRC posture.
Mentorship & Collaboration
- Provide mentorship and guidance to junior GRC analysts, assisting in their professional development and the execution of their tasks, fostering a collaborative team environment.
- Collaborate extensively with cross-functional teams including IT, Legal, Internal Audit, Privacy, and various business units to embed GRC principles into daily operations.
- Communicate complex GRC concepts and findings clearly and concisely to diverse audiences, from technical staff to senior management.
ACADEMIC TRAINING
- Bachelor's degree in Information Security, Business Administration, or a related field (or equivalent practical experience).
- Preferred certifications: CISA, CRISC, CISSP, or other GRC-related.
SPECIFIC COMPETENCIES
- Solid and demonstrable understanding of information security principles, risk management methodologies, and compliance frameworks, with the ability to apply them independently.
- Excellent written and verbal communication skills, with the ability to effectively communicate risk and compliance concepts to various audiences, including executive leadership.
- Proven experience in leading and executing security risk assessments, including identifying, analyzing, and recommending mitigation strategies for risks.
- Significant experience in independently leading and conducting compliance self-assessment activities related to frameworks such as PCI DSS, GDPR, HIPAA, SOC 2, or others relevant to the organization.
- Strong analytical and problem-solving skills with a keen attention to detail and the ability to think critically about complex issues.
- Strong organizational and project management skills, with the ability to manage multiple tasks and deadlines effectively.
- Demonstrated ability to work independently and take ownership of assigned responsibilities.
- Experience in mentoring or providing guidance to junior team members.
- Familiarity with GRC tools and technologies is an asset.
KEY PERFORMANCE INDICATORS (KPIs)
Success in this role will be measured by the leadership in GRC initiatives, efficiency of program execution, and tangible improvements in the organization's security posture and compliance.
- Audit & Compliance Program Excellence:
  - Audit Finding Closure Rate: Percentage of critical/high audit findings remediated within agreed-upon timelines.
  - Compliance Efficiency: Measurable reduction in time or resources spent per cycle due to process improvements and preparedness.
  - Regulatory Compliance Score: Consistent achievement or improvement of compliance scores against defined regulatory frameworks (e.g., zero material non-conformities in key external audits).
- Risk Management Program Effectiveness:
  - Risk Mitigation Success: Percentage of high/critical risks identified during assessments that are effectively mitigated or accepted according to plan.
  - Proactive Risk Identification: Measurable increase in the identification of emerging or previously unknown high/critical risks.
  - Third-Party Risk Reduction: Quantifiable reduction in the risk profile of critical third-party vendors through effective assessment and management.
- Governance & Process Maturity:
  - Policy & Standard Adoption Rate: Percentage of key security policies and standards effectively implemented and adhered to across relevant teams.
  - GRC Process Efficiency: Measurable reduction in manual effort or cycle time for key GRC processes (e.g., risk assessment completion, policy review) due to improvements and automation.
  - GRC Program Maturity Advancement: Contribution to the measurable increase in the organization's GRC program maturity level (e.g., assessed against NIST CSF or ISO 27001 maturity models).
- Leadership & Influence:
  - Positive feedback from internal stakeholders (e.g., IT, Business Unit Leads, Internal Audit) on the clarity, accuracy, and actionable nature of GRC guidance and support.
  - Documented instances of effective mentorship leading to skill development among junior GRC team members.
Location: Montréal, QC
Company: Cogeco Communications Inc.
At Cogeco, we know that different backgrounds, perspectives, and beliefs can bring critical value to our business. The strength of this diversity enhances our ability to imagine, innovate, and grow as a company. So, we are committed to doing everything in our power to create a more diverse and inclusive world of belonging.
By creating a culture where all our colleagues can bring their best selves to work, we’re doing our part to build a more equitable workplace and world. From professional development to personal safety, Cogeco constantly strives to create an environment that welcomes and nurtures all. We make the health and well-being of our colleagues one of our highest priorities, for we know engaged and appreciated employees equate to a better overall experience for our customers.
If you need any accommodations to apply or as part of the recruitment process, please contact us confidentially at inclusion@cogeco.com
About Cogeco Inc.
Rooted in the communities it serves, Cogeco Inc. is a growing competitive force in the North American telecommunications and media sectors with a legacy of more than 65 years. Through its business units Cogeco Connexion and Breezeline, Cogeco Communications provides Internet, video and phone services to 1.6 million residential and business customers in Québec and Ontario in Canada as well as in thirteen states in the United States. Through Cogeco Media, Cogeco owns and operates 21 radio stations primarily in the province of Québec as well as a news agency. Cogeco's subordinate voting shares are listed on the Toronto Stock Exchange (TSX: CGO). The subordinate voting shares of Cogeco Communications Inc. are also listed on the Toronto Stock Exchange (TSX: CCA).