Title: Director of Cybersecurity, GRC
Louisville, KY, US, 40222
Department: Information Technology, Department InfoSec
Reports to: VP, CISO
FLSA Status: Exempt
Located In: Louisville, KY
Travel: 0%-10% as needed
Supervises: 4 direct reports
JOB SUMMARY
The Director of Cybersecurity, GRC leads governance, risk, and compliance activities within the cybersecurity team. This role oversees cybersecurity policy management, regulatory compliance, legal contract reviews, and employee cybersecurity training. The manager ensures security practices meet regulatory and industry standards while supporting the organization’s broader risk management goals.
The Director of Cybersecurity, GRC plays a critical leadership role in developing, implementing, and sustaining a comprehensive cybersecurity governance and compliance program. The role encompasses management of IT SOX and PCI DSS compliance, internal and external audits, privacy and cybersecurity contract reviews, and third-party security assessments. The manager also oversees the full lifecycle of cybersecurity policies, standards, and procedures, and drives security awareness through training programs. Working closely with Legal, Internal Audit, IT, and Privacy, this individual ensures cybersecurity initiatives align with corporate risk strategy and regulatory obligations while promoting a strong, risk-aware culture.
ESSENTIAL DUTIES AND RESPONSIBILITIES
- Manage compliance programs related to IT SOX, PCI DSS, and other relevant security standards.
- Lead and coordinate cybersecurity and data privacy reviews of legal contracts, working with Legal, Procurement, and Business stakeholders.
- Own the development, maintenance, and governance of cybersecurity policies, procedures, and standards.
- Conduct and track employee cybersecurity awareness and training programs, including compliance and phishing simulations.
- Coordinate and manage third-party vendor security reviews using standardized assessment tools (e.g., SIG, CAIQ).
- Lead risk assessments and maintain the cybersecurity risk register; develop mitigation plans in collaboration with stakeholders.
- Ensure compliance with cybersecurity and privacy regulations (e.g., NIST CSF, ISO 27001, CCPA, etc.).
- Support internal, external, and regulatory audits, including evidence collection and remediation tracking.
- Develop and report cybersecurity compliance and risk metrics to senior leadership.
- Other duties as required.
REGULATORY
Ability to obtain racing and/or gaming licenses as required in any jurisdiction where CDI operates. The Gaming industry is highly regulated and as such demands an extensive background check to obtain a license. Must be 21 years of age or older.
EDUCATION AND EXPERIENCE
- Bachelor’s degree in Cybersecurity, Information Systems, Risk Management, or related field is required.
- 5–8 years of experience in cybersecurity, with 3 years in a GRC or compliance-focused role is required.
- Direct experience managing IT SOX and PCI DSS compliance activities is required.
- Familiarity with legal contract language related to cybersecurity and data privacy is desired.
- Strong project management experience is preferred.
- Experience using GRC platforms (e.g., AuditBoard, OneTrust, etc.) is preferred.
- Professional certifications such as CISSP, CISM, or CRISC are preferred.
SKILLS AND ATTRIBUTES
- Deep understanding of cybersecurity governance, risk, and compliance best practices.
- Strong knowledge of regulatory and industry standards including SOX, PCI DSS, GDPR, HIPAA, CCPA, and frameworks like NIST CSF and ISO 27001.
- Proven ability to write, implement, and maintain cybersecurity policies and procedures.
- Experience reviewing cybersecurity/privacy clauses in contracts and recommending risk mitigations.
- Excellent communication and presentation skills; able to articulate complex risk issues to senior leadership.
- Ability to manage multiple concurrent projects and regulatory timelines.
- High attention to detail, critical thinking, and strong documentation skills.
- Demonstrated leadership, mentoring, and collaboration skills.
PHYSICAL REQUIREMENTS & WORKING CONDITIONS
- Extended periods of sitting at a desk and working on a computer.
- Regular use of a keyboard and mouse for typing and navigating software.
- Viewing a computer screen for prolonged periods.
- Ability to manipulate paperwork, including filing, sorting, and organizing.
- Moving within the office environment to attend meetings, use office equipment, or interact with colleagues.
- Occasional lifting of office supplies or paperwork (up to 20 pounds).
- Speaking and listening to colleagues and clients in person, over the phone, or via video conferencing.
- Working in a climate-controlled office environment with moderate noise levels.
- Performing repetitive tasks such as data entry or document preparation.
- Working under artificial lighting conditions typical of an office environment, which may include fluorescent or LED lighting.
- Role is onsite five days a week at the Louisville, KY CDI headquarters office.
CHURCHILL DOWNS INCORPORATED
Churchill Downs Incorporated is an industry-leading racing, online wagering and gaming entertainment company anchored by our iconic flagship event - The Kentucky Derby. We own and operate Derby City Gaming, a historical racing machine facility in Louisville, Kentucky. We also own and operate the largest online horse racing wagering platform in the U.S., Twinspires.com. We are also a leader in brick-and-mortar casino gaming with approximately 11,000 slot machines and video lottery terminals and 200 table games in eight states. Apply today!
Nearest Major Market: Louisville