
Assistant Director, Cyber GRC
Principal Financial Group, Des Moines, IA, United States
What You’ll Do
We’re looking for an experienced Assistant Director of Cyber GRC to join our Information Security and Risk GRC team. In this role, you’ll lead cybersecurity regulatory compliance activities by engaging with regulators, interpreting new and emerging regulatory requirements on a global scale, translating those requirements into practical security controls, and partnering with technology, risk, and business teams to reduce the threat landscape and demonstrate sustainable compliance.
Key Responsibilities
Governance & Assurance
Design a global cybersecurity assurance program, including control gap assessments, testing, evidence management, and continuous monitoring
Evaluate control effectiveness and recommend process or tooling improvements to improve efficiency and coverage
Regulatory Compliance & Monitoring
Monitor and interpret changes in global cybersecurity laws, regulations, and standards (e.g., NIST, SOX, SOC, GDPR, HIPAA)
Translate regulatory requirements into actionable security controls, metrics, and framework mappings
Support control design enhancements to address regulatory expectations and emerging risks
Audit & Examination Readiness
Support readiness for regulatory exams, audits, and third‑party assessments
Participate in audits, coordinate responses to inquiries, and track remediation activities
Leadership & Collaboration
Partner with IT, Legal, Risk, Compliance, and Audit teams to align cybersecurity controls with regulatory obligations
Provide subject‑matter guidance on GRC best practices and control design
Provide training and awareness on regulatory compliance topics, as needed
Metrics, Reporting, and Stakeholder Communications
Develop and maintain reporting on control posture, findings, and remediation progress
Communicate regulatory changes, risks, and control insights to leadership
Qualifications
Bachelor’s degree in information security, cybersecurity, law, or a related field or equivalent experience
8+ years of experience in cybersecurity, information risk, or IT compliance
Direct, hands‑on experience engaging with regulators (e.g., scoping exams, responding to information requests, and/or presenting to examiners)
Proven experience with regulatory frameworks and standards such as NIST CSF and 800-53, SOX, SOC, GDPR, and HIPAA
Exceptional written and verbal communication skills with an ability to brief executives and regulators with clarity and confidence
Strong stakeholder management experience with the ability to influence cross‑functional teams and drive accountability without direct authority
Skills That Will Help You Stand Out
Experience designing a cybersecurity assurance program in a regulated industry (e.g., finance, insurance, government)
Professional certifications such as CISA, CISM, CGRC, CRISC, or CISSP
Familiarity with risk management methodologies and tools
Diplomacy and professionalism in high‑stakes discussions
Ability to consult on technical controls
Salary Range $141,000 - $180,000 / year
Time Off Program Flexible Time Off (FTO) is provided to salaried (exempt) employees and provides the opportunity to take time away from the office with pay for vacation, personal or short‑term illness. Employees don’t accrue a bank of time off under FTO and there is no set number of days provided.
Pension Eligible Yes
Work Environments This role offers in‑office, hybrid (blending at least three office days in a typical workweek), and remote work arrangements (only if residing more than 30 miles from Des Moines, IA, Charlotte, NC, or Raleigh, NC). You’ll work with your leader to figure out which option may align best based on several factors.
Hours Core business hours are based on Central Standard Time (CST). Occasional adjustments to your schedule will be necessary to accommodate collaboration with global partners.
Work Authorization/Sponsorship At this time, we’re not considering applicants that need any type of immigration sponsorship now or in the future to work in the United States. This includes, but is not limited to: F1-OPT, F1-CPT, H-1B, TN, L-1, J-1, etc.
Investment Code of Ethics For Principal Asset Management positions, you’ll need to follow an Investment Code of Ethics related to personal and business conduct as well as personal trading activities for you and members of your household. These same requirements may also apply to other positions across the organization.
Experience Principal At Principal, we value connecting on both a personal and professional level. Together, we’re imagining a more purpose‑led future for financial services - and that starts with you.
Equal Opportunity Employer Principal is an Equal Opportunity Employer.
Posting Window We will accept applications for 3 full days following the Original Posting Date, after which the posting may remain open or be removed based upon applications received. If we choose to post the job again, we will accept additional applications for at least 1 full day following the Most Recently Posted Date.
EEO Statement All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.