Cyber GRC Program Manager

at SAIC Corporation
Location Austin, TX
Date Posted March 25, 2021
Category Default
Job Type Full-time



About SAIC

SAIC is a premier technology integrator solving our nation's most complex modernization and readiness challenges across the defense, space, federal civilian, and intelligence markets. Our robust portfolio of offerings includes high-end solutions in systems engineering and integration; enterprise IT, including cloud services; cyber; software; advanced analytics and simulation; and training.

Position Summary

SAIC is seeking a GRC Program Manager to join our team supporting state agencies within Texas. This position will be dedicated to a single agency as staff augmentation and will be focused on assisting that agency with building out a GRC program. This role requires an experienced, motivated and collaborative approach to achieve the desired business outcomes. The role is expected to be remote.  Job responsibilities include:

  • Collaborates with matrixed or multi-discipline teams across the agency in security-related decision-making; consults and negotiates with stakeholders to provide information security services to meet customer needs with automated or business improvement solutions consistent with agency plans, standards, and guidelines; defines and implements new or revised methods that effectively meet agency needs.
  • Oversees the ongoing development and implementation of information and cybersecurity policies, standards, guidelines, and procedures to ensure information security capabilities cover current threat capabilities.
  • Lead the development and implementation of the risk management function of the information security program to ensure information security risks are identified and monitored.
  • Perform business impact analysis and develop the risk register.
  • Work with IT and business teams to perform security and compliance assessments on new and existing systems, processes, and technology.
  • Recommend programmatic and technical directions and operate with a high degree of independence in matters relating to the investigation, impact, and analysis of security incidents, decisions regarding risk, and measures for computer and network security.
  • Work with Internal/External Auditor Offices and outside consultants as appropriate on required security assessments and audits. Coordinate and track all information technology and security related audits including scope of audits, units involved, timelines, auditing agencies and outcomes. Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the agency in its best light. Provide guidance, evaluation and advocacy on audit responses.
  • Consults and coordinates with other risk management representatives to assess risk exposures and develop plans to mitigate risks.
  • Perform periodic gap assessments to validate compliance on an ongoing basis.
  • Assists in advising management and users regarding security configurations and procedures.
  • Develops and manages information security and risk management awareness and training programs. Trains users and promotes security awareness.
  • Performs cybersecurity incident detection, analysis, and prevention.
  • Support vendor due-diligence process and help to lead and define overall third-party risk management efforts.
  • Work with various business units to ensure security controls are adequate, appropriate, and effective.
  • Interacts in both oral and written communications with all levels of staff, including IT staff, developers, executive staff, general counsel, and auditors, as well as technology vendors and contractors, in matters related to information security and security awareness materials.
  • Stay up to date and informed on developing regulatory concerns and changing IT and information security trends, including IRS Publication 1075, CJIS, HIPAA, and various NIST publications (e.g. SP 800-53).
  • Responsible for preventing data loss and service interruptions by researching new technologies to effectively protect the agency network.
  • Creation and maintenance of incident response playbooks and runbooks aligning with industry best practices and cybersecurity toolsets.
  • Document, prioritize, recommend, and report on vulnerability mitigation and security enhancement actions and plans.
  • Identify and communicate current and emerging security threats.
  • Assist with the rollout of new security technologies and the training of security team members.
  • Provides training and knowledge transfer to Full Time Employee (FTE) staff on information security procedures.  Assists in the organization and delivery of training, as needed, for all employees regarding company security and information safeguarding.
  • Perform other duties as assigned.



  • Education: Bachelor's degree from an accredited four-year college or university with major coursework in information technology security, computer information systems, computer science, management information systems, cybersecurity or a related field is generally preferred; experience in the following (or closely related) fields may be substituted for the required education on a year-for-year basis: cybersecurity, information technology security, computer information systems, computer science, management information systems; an advanced degree in a related field may be substituted for two of the required years of experience; Master's degree highly desired.
  • Ability to share meaningful insights about the context of an organization’s threat environment that improve its risk management posture.
  • Ability to establish and maintain effective and professional working relationships with others in the course and scope of conducting business.
  • Ability to resolve complex security issues in diverse and decentralized environments; to learn, communicate, and teach new information and security technologies; and to communicate effectively.
  • Ability to gather, assemble, correlate, and analyze facts; to devise solutions to problems; to market the security program; to prepare reports; to develop, evaluate, and interpret policies and procedures; to communicate effectively; and to provide guidance to others.
  • Ability to operate with a high degree of independence regarding project management activities, including development of project plans and budget/resource estimates.
  • Assists in developing program policies, procedures, standards, and manuals in accordance with program objectives and goals.
  • Conducts risk assessments, testing, threat analyses and audits of computer systems, IT infrastructure and security processes; recommends system and procedural changes to avoid security breaches; supports ongoing compliance activities by researching and evaluating security policies and practices, industry standards and regulations. Conducts regular simulated attacks (penetration tests) to find vulnerabilities in computer systems and remediates them before an outside attacker can exploit them. Works with technology and business teams to develop and document risk mitigation action plans, along with recommendations to reduce information security risk within their areas.
  • Certified Information Systems Security Professional (CISSP) or equivalent (e.g. Certified Information Security Manager (CISM))
  • Experience in the creation and roll-out of enterprise-wide security awareness and training programs to educate the workforce on security awareness best practices; experience with phishing simulators is a plus.
  • Knowledge of software development life cycle methodologies, including SAST and DAST tools for secure application development as part of DevSecOps. Ensure effective coverage of application vulnerability testing methods, including static and dynamic code analysis, application testing, and penetration testing.
  • Develops and recommends plans to safeguard computer configurations and data files against accidental or unauthorized modification, destruction, or disclosure and to meet emergency data processing needs. Work with stakeholders to ensure disaster recovery plans are up to date and meet compliance standards.
  • Experience with information system security management, information security, troubleshooting, information systems, quality assurance and control, SQL, network security, cyber threat modeling
  • Experience building and working with Incident Response Playbooks aligned with industry best practices and cybersecurity toolsets as well as analyzing, reporting, and remediating advanced threats to the network.


  • Experience conducting and managing audits and assessments.
  • Significant knowledge and experience with any of the federal and state legal, privacy, and regulatory compliance standards, such as HITRUST, HIPAA, ISO 27001, SOC 2, FedRAMP, PCI DSS, GDPR, CCPA, IRS Safeguards Program, FERPA, CJIS, TAC 202, etc.
  • Demonstrated experience in identifying the root cause of an incident and recognizing the key elements to investigate in order to reach that root cause.
  • Skill in creating and conducting trainings and providing guidance to staff in the development and integration of new or revised methods and procedures.
  • Knowledge of configuration management, change control/problem management integration, risk assessment and acceptance, exception management and security baselines (e.g. CIS Baselines, NIST, vendor security technical implementation guides, etc.)
  • Experience with IT GRC/IRM platforms (ServiceNow, OneTrust, MetricStream, Galvanize, RSA Archer, etc.).
  • Experience working with security management tools (e.g., vulnerability scanners, file integrity monitoring, configuration monitoring, etc.) network monitoring, malware, data loss prevention technologies and perimeter technologies (e.g., router, firewalls, web proxies and intrusion prevention, endpoint detection response etc.).
  • Experience reviewing third-party contracts for cyber and information security compliance.
  • Managing and supporting user facing security technologies (MDM, Endpoint Security Technologies, E-mail Security Gateways, SIEM, DLP, CASB, and Authentication).
  • Develop, configure, document, maintain, and use enterprise security tools to identify, alert on, and respond to security alerts and events in order to maintain the security of our data systems.
  • Review alerts and data collected from data security systems on a daily basis and report findings. Must have extensive experience with Security Information and Event Management (SIEM) tools to include management of dashboards and security tool integrations.
  • Familiarity with cloud computing, including the risks and benefits of using a vendor's remote servers to store, manage and process an organization's data.
  • Analysis experience and operational understanding of network equipment, network services, and network/system monitoring tools
  • Analysis experience and operational understanding of one or more major operating systems (Microsoft Windows, Linux, or Mac)
  • Desired Certifications: Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); Certified Ethical Hacker (CEH); Offensive Security Certified Professional (OSCP); cybersecurity vendor-related trainings and certifications

Two or more of the following certifications or trainings:

  • Certified Information Systems Auditor (CISA)
  • Certified Authorization Professional (CAP)
  • Systems Security Certified Practitioner (SSCP)
  • Certified in the Governance of Enterprise Information Technology (CGEIT)
  • Certified Information Privacy Professional (CIPP, any concentration, e.g. Government, Canada, or IT)
  • GIAC Certified Incident Handler (GCIH)
  • SANS GIAC: "Intrusion Prevention", "Incident Handling", "Vulnerability Assessment", “Forensics”, "Risk Management", or "IT Auditor"

Target salary range: $150,001 - $175,000. The estimate displayed represents the typical salary range for this position based on experience and other factors.


SAIC is a premier technology integrator solving our nation's modernization and readiness challenges. Our offerings across defense, space, civilian, and intelligence markets include high-end solutions in engineering, IT, and mission outcomes. We integrate the best components from our portfolio with our partner's ecosystem to deliver innovative and effective solutions. We are 25,500 strong; driven by mission, united by purpose, and inspired by opportunities. Headquartered in Reston, VA, SAIC has annual revenues of nearly $7.1 billion. For information, visit Working at SAIC for benefits details. SAIC is an Equal Opportunity Employer empowering people no matter their race, color, religion, sex, gender identity, sexual orientation, national origin, disability, or veteran status. We strive to create a diverse, inclusive and respectful work culture that values all.