About NY Creates:
NY Creates serves as a bridge for advanced electronics, leads projects that advance R&D in emerging technologies, and generates the jobs of tomorrow. NY Creates also runs some of the most advanced facilities in the world, boasts more than 3,000 industry experts and faculty, and manages public and private investments of more than $25 billion - placing it at the global epicenter of high-tech innovation and commercialization.
Job Description:
Job Description for Governance, Risk, and Compliance Specialist
JOB SUMMARY
The Senior Governance, Risk, and Compliance Specialist (GRC) is the organization's authoritative governance, risk, and compliance strategist and execution lead, responsible for maturing and operationalizing a risk-aware, evidence-driven GRC program across NY Creates (NYC). This role owns the full lifecycle of enterprise risk assessments and risk register governance, third-party vendor risk management, cybersecurity policy and standards framework, internal audit program design and execution, and training and awareness strategy.
With advanced expertise in quantitative and qualitative risk modeling, control framework mapping, regulatory interpretation, and audit defense, the Senior GRC Specialist drives cross-functional alignment, automates compliance workflows, and delivers executive-ready risk intelligence that directly informs strategic decision-making. The incumbent operates with strategic foresight, diplomatic influence, and rigorous analytical discipline to maintain NYC's continuous compliance posture under NIST 800-171, CMMC 2.0, NSPM-33, and ITAR/EAR in a federally funded research environment.
Job Responsibilities include but are not limited to:
- Lead enterprise risk assessment program: design methodology, facilitate workshops, perform threat modeling, quantify likelihood and impact, and maintain dynamic risk register with residual risk tracking and KRIs.
- Own third-party risk management framework: develop tiering model, author due diligence questionnaires, lead evidence reviews, negotiate contractual security clauses, and enforce continuous monitoring via automated feeds.
- Architect and govern cybersecurity policy hierarchy: author, socialize, and enforce policies, standards, and procedures; ensure bi-directional traceability to NIST 800-53, CMMC 2.0, and CIS Controls.
- Design and execute internal cybersecurity audit program: scope annual plan, perform control testing, issue findings with root cause analysis, and validate remediation effectiveness.
- Strategize and scale training and awareness program: develop role-based curriculum, integrate gamified phishing simulations, measure cultural maturity, and report behavioral risk trends to leadership.
- Produce integrated GRC dashboards and board-level reports: risk heatmaps, compliance posture, control effectiveness, vendor risk exposure, and audit readiness.
- Lead preparation for external assessments: CMMC Joint Surveillance, DIBCAC audits, and insurance cyber risk evaluations; serve as primary point of contact.
- Implement and administer enterprise GRC platform: configure risk, policy, vendor, and audit modules; automate workflows, evidence collection, and reporting.
- Chair risk committee meetings: present new risks, challenge mitigation plans, and secure executive approval for risk acceptance or treatment strategies.
- Drive GRC process automation and integration with ITSM, SOAR, and CMDB for real-time compliance visibility and control validation.
- Mentor Junior GRC Specialist and cross-functional control owners; establish GRC Center of Excellence and internal audit training pathways.
- Apply critical thinking to scenario-based risk analysis, challenge assumptions, and align compliance activities with mission objectives.
- Translate technical control failures into business impact and regulatory exposure.
- Demonstrate a high degree of initiative and dependability, and influence without authority across all organizational levels.
- Communicate effectively, orally and in writing, including policy authorship, audit report writing, and C-level risk presentations.
- Other reasonable duties as assigned.
Requirements:
Minimum Requirements for Governance, Risk, and Compliance Specialist
- Minimum of six (6) years of progressive GRC, risk management, or cybersecurity compliance experience with at least four (4) years in a senior or lead GRC role within regulated research, federal contractor, or critical infrastructure environments.
- Bachelor's degree in Cybersecurity, Risk Management, Business Administration, Law, or a related field from an accredited institution; Master's degree or JD preferred.
Advanced GRC certifications required (at least two):
- CMMC Certified Assessor/Professional (CCA/CCP)
- ISACA Certified in Risk and Information Systems Control (CRISC)
- (ISC)² Certified Information Systems Security Professional (CISSP) - Governance domain
- ISACA Certified Information Security Manager (CISM)
- Shared Assessments Certified Third-Party Risk Professional (CTPRP)
Expert-level knowledge of compliance frameworks and control standards:
- NIST 800-171 Rev 2 / CMMC 2.0 (all practice families)
- NIST 800-53 Rev 5 (moderate/high baseline)
- NIST Cybersecurity Framework v2.0
- CIS Controls v8
- ISO/IEC 27001:2022 Annex A
- Proficiency with enterprise GRC platforms, including:
  - Risk register and treatment workflow automation
  - Policy lifecycle management with approval routing
  - Vendor risk tiering and continuous monitoring
  - Audit management and evidence repository
- Quantitative risk analysis: FAIR model, Monte Carlo simulation, annualized loss expectancy (ALE), and risk appetite calibration.
- Experience leading CMMC Level 2+ assessments, achieving Authority to Operate (ATO), or defending findings in federal audits (DIBCAC, DCAA).
- Proven track record reducing open high-risk findings by 75%+, achieving 100% training compliance, and automating 80%+ of evidence collection.
- Experience drafting contractual security addendums and negotiating with Fortune 500 vendors and federal agencies.
- Demonstrated ability to build and lead a GRC function with measurable maturity improvement (e.g., from NIST CSF Tier 2 to Tier 4).
- Knowledge of information security management frameworks such as the NIST Cybersecurity Framework, NIST Special Publication 800-171, or the 18 CIS Critical Security Controls.
This position is contingent on the satisfactory completion of a background check.
Preferred Requirements
Additional preferred certifications:
- GIAC Governance, Risk and Compliance (GSTRT)
- IAPP Certified Information Privacy Professional (CIPP/US)
- NIST Cybersecurity Framework Lead Implementer
Don't meet every requirement? At NY Creates we are dedicated to building a welcoming workplace. If you are excited about working for NY Creates but your experience doesn't align perfectly with the job description, we encourage you to apply anyway; you might still be a perfect fit for this role or for another role at NY Creates.
Benefits
- Medical, Vision, and Dental
- Competitive Pay and PTO
- Flexible Health Spending and Dependent Care Accounts
- Basic / Optional Life Insurance
- Post-Retirement Health Insurance
- Employer contribution of 7% of earnings to a Basic Retirement plan after meeting one year of service.
- Optional employee contributed retirement account
Location: 257 Fuller Road, Albany, NY 12203
Salary Range: $120,000 - $160,000
**Posted salary rates are determined based on experience and education.
Additional Information:
NOTE: Some positions require access to export-controlled commodities, technical data, technology, software, or restricted programs where U.S. Government authorization may be required. For positions requiring such access, offers of employment are contingent upon the employer being able to obtain the necessary authorization, including, if required, an export license from the U.S. Department of Commerce's Bureau of Industry and Security, the U.S. Department of State's Directorate of Defense Trade Controls, or other government agencies. The decision to pursue an export license application is at The Research Foundation for SUNY's sole discretion. Proof of status may be required prior to employment in connection with necessary authorizations. Employment is with the Research Foundation for SUNY. The Research Foundation is an Equal Opportunity Employer, including individuals with disabilities and protected veterans. In compliance with the Americans with Disabilities Act (ADA), if you have a disability and require a reasonable accommodation to apply please call Human Resources at 518-437-8686.