Director of Information Security - Governance Risk and Compliance

Position Overview:

Fanatics is actively seeking an accomplished and motivated Director of Information Security Governance, Risk and Compliance (GRC) who shares our commitment to information security as a cornerstone in safeguarding our organization. It is an exciting opportunity to be part of a fast-paced environment that pushes you to learn while doing. This role needs to be both strategic and intensely focused on GRC with an emphasis on process, scalability, and automation to ensure our security posture aligns seamlessly with business objectives. We value experience in collaborating with key stakeholders, understanding regulatory requirements, and implementing effective security strategies.

Key Responsibilities Will Include:

Governance

• Develop and maintain an information security governance framework.
• Establish and enforce security policies, standards, and procedures.
• Provide guidance on security best practices and industry standards.
• Collaborate with executive leadership to ensure security strategies align with business objectives.

Security Risk Management

• Lead the security team’s risk management efforts.
• Conduct risk assessments to identify and evaluate security risks.
• Develop and implement risk mitigation strategies and action plans.
• Monitor and report on risk metrics and trends to senior management.

Compliance

• Ensure the organization's compliance with relevant laws, regulations, certifications, assessments and industry standards including PCI-DSS, ITGCs, SOC1, SOC2, CCPA, CPRA, GDPR, among others.
• Facilitate regular third-party compliance assessments and audits.
• Collaborate with legal and regulatory affairs to address compliance requirements.
• Stay abreast of changes in relevant laws and regulations affecting security.

Security Strategy

• Contribute to the development of the organization's overall security strategy.
• Provide strategic direction for security initiatives and projects.
• Collaborate with other departments to integrate security into business processes.
• Assess emerging technologies and trends for their impact on security.

Vendor and Third-Party Risk Management

• Assess and manage security risks associated with third-party vendors.
• Maintain and enhance the vendor risk management program.
• Ensure third-party compliance with security standards.
• Collaborate with legal to ensure third-party contracts reflect security and compliance requirements.

Reporting and Communication

• Provide regular updates and reports on security, risk, and compliance to senior management.
• Communicate security strategies and priorities to all stakeholders.
• Act as a liaison between technical security teams and executive leadership.

Leadership

• Lead and manage a team of security professionals.
• Foster a collaborative and high-performing security team.
• Provide mentorship and professional development opportunities.

Continuous Improvement

• Identify opportunities for process improvement within the security GRC function.
• Stay informed about industry trends and best practices.
• Implement continuous improvement initiatives to enhance security posture.

Values and Behaviors

• Demonstrate entrepreneurial spirit, strong communication skills, humility, and comfort working in and contributing to a dynamic and cross-functional team environment.

Who you are

• 10+ years of experience in information security (or 6 years of experience and a relevant bachelor’s degree), with a focus on GRC.
• Strong understanding of governance, quantitative risk management, and compliance frameworks.
• Experience in collaborating with and influencing key stakeholders.
• Strong technical background including full-stack software development, system architecture, and security fundamentals.
• Relevant certifications (e.g. CISSP, CISM, CRISC, CISA, CIPP/US) preferred.
• Exceptional communication skills and the ability to convey complex security concepts to non-technical stakeholders.