Director, Cybersecurity Governance Risk and Compliance
QXO, Inc. (NYSE: QXO) is the largest publicly traded distributor of roofing, waterproofing, and related products, and the second largest publicly traded distributor of lumber and building materials in North America. QXO is the fastest growing company in the $800 billion building products distribution industry and plans to become the tech-enabled leader by delivering best-in-class customer satisfaction and outsized returns for its shareholders. The company is targeting $50 billion in annual revenues within the next decade through accretive acquisitions and organic growth.
As the Director of Cybersecurity Governance Risk and Compliance (GRC) at QXO, you’ll be a part of the Cybersecurity Leadership Team reporting to the CISO, providing leadership and direction for the company’s GRC requirements. The director is responsible for establishing and maintaining the company’s overall IT and security GRC program, as well as for developing and managing a global, enterprise-wide information GRC program. The role includes implementation and maintenance of policies, a comprehensive controls framework, regulatory compliance, global third-party risk management and customer trust centers.
What you'll do:
• In tandem with risk management and security, direct and conduct ongoing risk analysis organization-wide to uphold the GRC program.
• Lead a team dedicated to an ongoing security maturation program, where areas of strength are amplified and areas needing improvement are documented.
• Emphasize privacy, security, business resiliency and compliance frameworks.
• Direct the GRC team to document, communicate and enforce areas of security improvement that balance risk with business operations, as well as ensure controls are not weakening efficiencies or business innovation.
• Establish and maintain a strategy for managing security-related audits, compliance checks and external assessment processes for auditors, including but not limited to Sarbanes-Oxley (SOX), Service Organization Controls (SOC) 2, California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), and other applicable industry standards.
• Facilitate IT compliance of identified controls – for example, IT general controls (ITGCs), application, cloud and cybersecurity.
• Oversee and ensure adequate protection of key information is maintained through data classification, data loss prevention (DLP) and enforcement of records retention requirements.
• Play a key role in the vendor risk assessment process and ensure all divisions follow and uphold process rigor.
• Maintain a high degree of knowledge with current and proposed security changes impacting regulatory, privacy and security industry best practice guidance.
• Effectively communicate knowledge of GRC controls across business units with a focus on, but not limited to, company practices, procedures, third-party integrations, product development and financials.
• Focus on principles aligning with enterprise risk management fundamentals within security and technology teams to maintain up-to-date configuration documentation for systems and processes.
• Lead a team to provide rigorous oversight of security systems and security configuration administration that reduces risk to enterprise systems and accounts.
• Liaise with auditors, both internal and external, to maintain and implement controls for compliance and privacy laws.
• Drive and govern disaster recovery and business continuity as they relate to security frameworks, compliance and privacy laws.
• Openly support management team and executive leadership, even during tumultuous times.
• Perform other duties as assigned.
What you'll bring:
• At least 10+ years’ experience in cybersecurity in one or more roles, including security analyst, compliance and regulations, risk management or audit.
• 5 or more years’ experience managing distributed team personnel.
• Demonstrated leadership experience and thorough understanding of various regulatory requirements and laws such as, but not limited to PCI, SOX, HIPAA, HITRUST, and GDPR.
• Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls.
• Proven understanding of business focus and processes, and ability to inject cybersecurity into the business through teamwork and influence.
• Track record of delivering GRC projects under tight deadlines.
• Demonstrated experience conducting tabletop exercises for business continuity.
• Ability to motivate teammates to achieve excellence and willingly share knowledge.
Additional Qualifications
• Organized, efficient self-starter requiring minimal supervision.
• Understanding of service design, delivery concepts and control frameworks.
• Forward thinking with strong business acumen and flexibility.
• Highly focused on building and implementing a strong, cohesive team and security culture.
• Effective at stress management in a constantly changing environment.
• Outstanding written and verbal, business and cybersecurity communication skills.
Education Requirements
• Bachelor's degree in computer science, information assurance, MIS or related field, or equivalent.
• Advanced degree not required, but an MBA or master’s degree in information assurance/technology is preferred.
Certification Requirements
• CISSP, CISM, CISA, CRISC, GSLC preferable, but not required.
What you'll earn
- 401(k) with employer match
- Medical, dental, and vision insurance
- PTO, company holidays, and parental leave
- Paid training and certifications
- Legal assistance and identity protection
- Pet insurance
- Employee assistance program (EAP)
QXO is an Equal Opportunity Employer. We value diversity and do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, or any other protected status.
Salary Range:
USD $172,100.00 - USD $266,800.00 /Yr.