GRC Manager

Voleon

Posted about 13 hours ago

Voleon is a technology company that applies state-of-the-art AI and machine learning techniques to real-world problems in finance. For nearly two decades, we have led our industry and worked at the frontier of applying AI/ML to investment management. We have become a multibillion-dollar asset manager, and we have ambitious goals for the future.

Your colleagues will include internationally recognized experts in artificial intelligence and machine learning research as well as highly experienced finance and technology professionals. The people who shape our company come from other backgrounds, including concert music performances, humanitarian aid, opera singing, sports writing, and BMX racing. You will be part of a team that loves to succeed together.

In addition to our enriching and collegial working environment, we offer highly competitive compensation and benefits packages, technology talks by our experts, a beautiful modern office, daily catered lunches, and more.

As a GRC Manager, you will own and operationalize governance, risk, and compliance within the Information Security organization, reporting directly to the CISO. This is a security GRC role — distinct from the firm's trade compliance function — focused on building an information security risk management program from the ground up. You will transform an existing risk assessment framework and methodology into a living program with a formal risk register, policy lifecycle, control inventory, and security compliance posture. This role sits at the intersection of security engineering, operational risk, legal, and investor relations — requiring both the technical depth to engage credibly with a strong InfoSec engineering team and the communication skills to translate complex security posture into business language for leadership, auditors, and investors.

This is not a checkbox compliance role. You will need genuine security expertise to write accurate policies grounded in how systems actually work, conduct meaningful risk assessments, and partner with security engineers on control design and gap remediation. You will serve as the primary interface between InfoSec (first line) and the firm's Operational Risk, Internal Audit, Legal, and Compliance functions (second/third line) — owning the three-lines-of-defense relationship on behalf of the CISO organization.

Responsibilities

  • Own and operationalize the information security risk management program — complete the risk register, drive quarterly (at minimum) risk assessment processes, maintain and evolve the existing risk assessment methodology

  • Own the security policy lifecycle: creation, review, updates, and enforcement across the organization

  • Serve as the primary interface between InfoSec (first line) and Operational Risk, Internal Audit, Legal, and Compliance (second/third line)

  • Own the monthly cybersecurity check-in with Operational Risk — review open items, emerging risks, KRI status, incident escalation reporting

  • Build and maintain a comprehensive control inventory mapped to risk scenarios; track control effectiveness and identify gaps

  • Organize and streamline the vendor risk / DDQ process; formalize vendor risk tiering and review cadence

  • Create and maintain security program materials for investor due diligence — translate technical security capabilities into business and risk language

  • Support audit processes — own the preparation and maintenance of audit materials

  • Navigate cyber insurance policy evaluation and procurement if required

  • Drive convergence toward compliance standards (SOC 2, ISO 27001, or equivalent) based on firm needs and investor expectations

  • Partner on data privacy requirements as they intersect with information security — including GDPR and cross-border data handling considerations as the firm's regulatory footprint evolves

  • Provide governance perspective on business continuity and disaster recovery as it relates to information security — assess gaps, push for maturity, and ensure BC/DR considerations are integrated into the risk program

  • Document security processes, procedures, and operational workflows — build the institutional knowledge base

  • Evaluate and potentially implement automated compliance tooling to reduce manual evidence collection burden

  • Connect risk reduction to investment decisions — help the CISO articulate security program ROI to leadership through BLP planning and PKR alignment

Requirements

  • 7+ years of experience in information security with meaningful GRC depth — not pure audit/compliance without security engineering exposure

  • Demonstrated ability to write security policies grounded in technical reality — you understand how systems, identity, networks, and applications work, not just what controls should exist on paper

  • Experience building or significantly maturing a risk management program: risk registers, risk assessments, control mapping, remediation tracking

  • Familiarity with risk assessment methodologies (bow-tie, FAIR, NIST RMF, or equivalent)

  • Experience interfacing with operational risk, internal audit, legal, and compliance functions — comfortable navigating multi-stakeholder governance relationships

  • Strong understanding of security controls across infrastructure, identity, endpoint, cloud, and application layers

  • Experience creating investor-facing or board-level security materials — ability to translate technical posture into business risk language

  • Excellent written and verbal communication — policies, risk narratives, and executive summaries are primary deliverables

  • Experience with vendor risk management and third-party due diligence questionnaires

  • Awareness of data privacy regulations (GDPR, CCPA) and how they intersect with information security controls and policy

  • Self-directed and autonomous — this is a solo function initially; you will define scope, prioritize, and execute without a team

Preferred Qualifications

  • Experience with compliance frameworks (SOC 2, ISO 27001, NIST CSF, CIS Controls) and the practical work of achieving or maintaining compliance

  • Experience with cyber insurance — policy evaluation, application processes, underwriter interactions

  • Background in financial services, hedge funds, or regulated environments with investor due diligence requirements

  • Familiarity with automated compliance platforms

  • Experience with business continuity and disaster recovery program governance

  • Experience with operational risk reporting and KRI/KPI frameworks

  • Certifications such as CISSP, CISM, CRISC, or GRCP

  • Experience working in a quasi-academic, engineering-heavy culture where credibility is earned through demonstrated expertise, not authority


“Friends of Voleon” Candidate Referral Program

If you have a great candidate in mind for this role and would like to have the potential to earn $7,500 if your referred candidate is successfully hired and employed by The Voleon Group, please use this form to submit your referral. For more details regarding eligibility, terms and conditions please make sure to review the


Job details

  • Workplace: Hybrid

  • Location: Berkeley, CA

  • Experience: SE

  • Salary: 235k - 315k USD per year
