Director, Cyber Governance and Controls

Company Description

NBCUniversal is one of the world’s leading media and entertainment companies. We create world-class content, which we distribute across our portfolio of film, television, and streaming, and bring to life through our theme parks and consumer experiences. We own and operate leading entertainment and news brands, including NBC, NBC News, MSNBC, CNBC, NBC Sports, Telemundo, NBC Local Stations, Bravo, USA Network, and Peacock, our premium ad-supported streaming service. We produce and distribute premier filmed entertainment and programming through Universal Filmed Entertainment Group and Universal Studio Group, and have world-renowned theme parks and attractions through Universal Destinations & Experiences. NBCUniversal is a subsidiary of Comcast Corporation.

Our impact is rooted in improving the communities where our employees, customers, and audiences live and work. We have a rich tradition of giving back and ensuring our employees have the opportunity to serve their communities. We champion an inclusive culture and strive to attract and develop a talented workforce to create and deliver a wide range of content reflecting our world.

Comcast NBCUniversal has announced its intent to create a new publicly traded company (‘Versant’) comprised of most of NBCUniversal’s cable television networks, including USA Network, CNBC, MSNBC, Oxygen, E!, SYFY and Golf Channel along with complementary digital assets Fandango, Rotten Tomatoes, GolfNow, GolfPass, and SportsEngine. The well-capitalized company will have significant scale as a pure-play set of assets anchored by leading news, sports and entertainment content. The spin-off is expected to be completed during 2025.

Job Description

The Director of Security Governance and Controls is a key team member within the NBCUniversal Cyber Assurance organization. This leader shapes, manages, and evolves NBCUniversal’s security governance framework and technical approach. This role requires a unique blend of deep policy and governance framework understanding, and the creative adaptability to work across dynamic environments, building security processes where needed. The ideal candidate brings a strong foundation in information security governance, a passion for proactive risk management, a wide-range of technical experience and background, and the ability to translate security principles into actionable, business-supporting policies. The ideal candidate will lead vendor engagement by building partnerships with procurement, engaging legal on contracts, and actively reducing risk through business 3rd party engagements. The unique candidate for this role will understand governance from a policy perspective and stretch to implement that governance in tooling with technical controls.

Responsibilities:

• Lead Governance, Controls, and Vendor management teams in partnership with Risk Management and Compliance
• Engage cyber platforms and enterprise engineering teams to align security tooling and baseline configurations with controls and policy
• Engage cyber Information Security Officers and security managers, to help translate policy and enable business functions
• Serve as the primary contact and subject matter expert for NBCU policies, controls, and vendor management
• Build partnerships with Enterprise Technology, Legal, and Procurement to strengthen our comprehensive approach to 3rd parties.
• Direct teams to document, communicate and enforce security improvements that balance risk with business operations and ensure controls do not weaken efficiencies or business innovation.
• Escalate identified vendor issues and gaps that may place the business at risk.
• Manage strategy and operation for the vendor risk management lifecycle from inception through termination.
• Define key performance indicators and key risk indicators and include them when reporting to cybersecurity and risk management leadership.
• Use advanced technologies—e.g., robotic process automation and AI/machine learning—to improve operation.
• Support risk assessments of vendor technologies
• Document, communicate, and enforce cybersecurity standards that balance risk with business operations
• Deliver monthly reporting to leadership, aligning with organizational objectives and team directives
• Support audit and compliance activities to help secure the enterprise by documenting the approach, necessary controls, gathering supporting evidence, provide requirements to health/hygiene dashboards
• Give and receive constructive feedback in a team environment, fostering a culture of continual improvement and excellence
• Demonstrate Strong written/verbal communication and presentation skills with the ability to tailor to both technical, and non-technical audiences

Qualifications

Requirements:

• Bachelor’s Degree in an IT-related field and/or equivalent work experience.
• 8+ years of experience in GRC, including roles in security analysis, compliance and risk management.
• Exposure to cloud providers (AWS, Google, Microsoft) and security configuration and management preferred.
• Wide-ranging knowledge in technical infrastructure and applications, from legacy through next generation.
• Knowledge of GRC for cloud computing, including validation of security configurations, resiliency and data protection.
• Versed in vulnerability management; emerging threats; insider risk; resiliency; and attacker tactics, techniques and procedures.
• Working knowledge of network protocols, web application architecture, and common vulnerabilities.
• Experience working with external vendors and internal technical teams.
• Excellent organizational, communication, and documentation skills.
• Ability to manage multiple concurrent projects and deadlines.
• Engange in learning constantly; actively experimenting and working with new technologies with quick instincts for picking up and developing expertise in new problem domains
• Knowledge of best practices in the Cyber Security industry, including OWASP Top 10 and CWE/SANS Top 25
• Excellent time management skills to appropriately prioritize multiple concurrent projects

Desired Characteristics:

• Large and decentralized business experience
• Hands-on experience configuring technical controls in tools like M365 (Conditional Access Policy, Purview, Cloud Defender), Slack (DLP), email secure configuration validation, etc.
• Complex environment threat modeling experience
• GRC leadership experience
• Preferred Certifications, but not required: CISSP, CISM, CISA, CRISC or CGRC

Additional Requirements:

• Fully Remote: This position has been designated as fully remote, meaning that the position is expected to contribute from a non-NBCUniversal worksite, most commonly an employee’s residence.

This position is eligible for company sponsored benefits, including medical, dental and vision insurance, 401(k), paid leave, tuition reimbursement, and a variety of other discounts and perks. Learn more about the benefits offered by NBCUniversal by visiting the Benefits page of the Careers website. Salary range: $155,000 – $200,000 (bonus and long-term incentive eligible)

Additional Information

As part of our selection process, external candidates may be required to attend an in-person interview with an NBCUniversal employee at one of our locations prior to a hiring decision. NBCUniversal’s policy is to provide equal employment opportunities to all applicants and employees without regard to race, color, religion, creed, gender, gender identity or expression, age, national origin or ancestry, citizenship, disability, sexual orientation, marital status, pregnancy, veteran status, membership in the uniformed services, genetic information, or any other basis protected by applicable law. 

If you are a qualified individual with a disability or a disabled veteran, you have the right to request a reasonable accommodation if you are unable or limited in your ability to use or access nbcunicareers.com as a result of your disability. You can request reasonable accommodations by emailing AccessibilitySupport@nbcuni.com.

For LA County and City Residents Only: NBCUniversal will consider for employment qualified applicants with criminal histories, or arrest or conviction records, in a manner consistent with relevant legal requirements, including the City of Los Angeles’ Fair Chance Initiative For Hiring Ordinance, the Los Angeles County Fair Chance Ordinance for Employers, and the California Fair Chance Act, where applicable.