Lead the development and implementation of the Old Republic Insurance Group's (ORI) Governance, Risk, and Compliance (GRC) program. Coordinate with Subsidiary Operating Centers (SOCs) to ensure consistent execution of security and compliance initiatives. Provide strategic and tactical direction to drive results across a dynamic technology and business environment.
Job Description
Title: Lead Security Engineer - GRC
Reports To: Enterprise Security & Compliance Manager
Department: Information Technology
Location: Remote
Employment Type: Full-Time/Exempt
Who We Are:
Old Republic is a leading specialty insurer that operates diverse property & casualty and title insurance companies. Founded in 1923 and a member of the Fortune 500, we are a leader in underwriting and risk management services for business partners across the United States and Canada. Our specialized operating companies are experts in their fields, enabling us to provide tailored solutions that set us apart.
Position Overview:
This role is critical to the success of the ORI security program. The role will serve as a key liaison between the ORI Security Governance, Risk, and Compliance (GRC) team and the Subsidiary Operating Centers (SOCs), supporting the execution of security and compliance initiatives, risk assessments, cross-department collaboration, and other GRC services and initiatives. The role will help ensure alignment across SOCs with enterprise policies, regulatory requirements, and risk management best practices. This role requires a security and business expert who can operate independently, provide strategic and tactical direction, and drive results across a dynamic technology and business environment.
Essential Job Functions:
- Support the development, implementation, and continuous improvement of the ORI GRC program.
- Coordinate with SOCs to facilitate consistent execution of security and compliance initiatives.
- Assist with or lead audits, control assessments, mitigation planning, and risk assessments covering ORI, the SOCs, and vendors.
- Monitor compliance with internal policies and external regulations, escalating issues as needed.
- Prepare reports and metrics for leadership to track security effectiveness.
- Provide input into policy development and into training and awareness campaigns.
- Collaborate with cross-functional teams to promote a culture of security and compliance.
Qualifications
Required:
- Bachelor’s degree in Information Security, Risk Management, Business Administration, or a related field. In lieu of a degree, candidates with equivalent practical experience and demonstrated expertise in cybersecurity, GRC, or related disciplines will be considered.
- Experience in GRC, cybersecurity, or risk management within a complex organizational structure.
- Strong understanding of regulatory frameworks (e.g., SOX, HIPAA, GDPR).
- Familiarity with GRC tools and platforms.
- Strong analytical and problem-solving skills with the ability to assess complex risk scenarios.
- Strong critical thinking skills to assess complex governance, risk, and compliance issues, identifying root causes and recommending effective solutions.
- Ability to work independently and collaboratively across business units and technical teams.
- Excellent written and verbal communication skills, with experience presenting to stakeholders or leadership.
Preferred Qualifications:
- 8+ years of experience in GRC, cybersecurity, or IT risk roles within a large or complex organization.
- Experience working with GRC platforms (e.g., Archer, ServiceNow GRC).
- Proven experience leading centralized or hybrid GRC service models, including governance across distributed teams or business units.
- Demonstrated success in managing vendor risk programs, including third-party assessments, contract reviews, and risk communication strategies.
- Advanced knowledge of security policy lifecycle management, including drafting, reviewing, and enforcing policy frameworks.
- Strong background in risk metrics development, dashboarding, and executive-level reporting.
- Familiarity with regulatory and compliance frameworks such as:
  - 23 NYCRR 500
  - NIST Cybersecurity Framework
  - ISO/IEC 27001
  - SOX, HIPAA, GDPR, or other industry-specific regulations
- Professional certifications such as:
  - Certified Information Systems Auditor (CISA)
  - Certified in Risk and Information Systems Control (CRISC)
  - Certified Information Security Manager (CISM)
  - Certified Information Systems Security Professional (CISSP)
  - Governance, Risk and Compliance Professional (GRCP)
ORI is an Equal Opportunity Employer. ORI provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.