Job Posting:
Since 1953, Ferguson has been a source of quality supplies for a variety of industries. Together We Build Better infrastructure, better homes and better businesses. We exist to make our customers’ complex projects simple, successful, and sustainable. We proactively solve problems, adapt and grow to continuously serve our customers, communities and each other. Ferguson, a Fortune 500 company, is proud to provide best-in-class products, service and capabilities across the following industries: Commercial/Mechanical, Facilities Supply, Fire and Fabrication, HVAC, Industrial, Residential Trade, Residential Building and Remodel, Waterworks and Residential Digital Commerce. Ferguson has approximately 36,000 associates across 1,700 locations. Ferguson is a community of proud associates who operate with the shared purpose of building something meaningful. You will build a career that you are proud of, at a company you can believe in.
Senior Manager, Information Security Governance & Risk
The Senior Manager, Security Governance and Risk owns responsibility for defining, measuring, and aligning all Ferguson entities with the NIST CSF framework through creation / publication of the Information Security Policy & Guiding Standards, coordination of security training / awareness, and overseeing Policy enforcement. This position is also responsible for enhancing and driving the risk function through risk assessments, vendor risk monitoring, phishing program, and security education training and awareness.
The position requires strong leadership, broad business sense, and communication capabilities and will be a critical point of contact with IT and business leadership. Forming strong relationships with IT and business partners while fostering a collaborative environment are critical to success in this role.
Location: This role is approved to be either Remote within the United States or Hybrid for associates in Newport News, VA, in accordance with company policy.
Duties and Responsibilities:
Governance and Risk
- Uses the NIST CSF for information assurance as the anchor for aligning and measuring IS program maturity.
- Leads the team in performing annual NIST CSF risk assessments as part of Ferguson’s risk management program to identify and track the status of critical information assurance related risks across all business entities.
- Identifies and prioritizes maturity gaps in the Program and partners with Architecture, Security Delivery, and Security Operations to define and maintain a rolling 3-year security roadmap showing security investments needed across the portfolio and the impact of such investments on Program maturity. Ensures integration of the security roadmap in the context of overall IT and enterprise strategic plans.
- Owns and maintains the Enterprise Information Security Policy and related processes for annual review, stakeholder vetting, Executive Committee approval, and Associate acknowledgement. Includes maintaining processes to review, approve, and monitor all exceptions to the Enterprise Information Security Policy.
- Owns and manages all aspects of the global Security Awareness Program.
- Responsible for 3rd party security risk management and oversight.
- Responsible for contract reviews with potential technology providers to ensure negotiated agreements include critical Information Assurance terms and conditions.
- Works with Ferguson teams responsible for Mergers and Acquisitions to coordinate all security related pre-acquisition due diligence and provides oversight to post-acquisition integration activities vital for implementation and adoption of Ferguson’s Global Security Services.
- Provides ongoing metrics and reporting for security resource consumption at all levels in the organization.
- Develop a business-oriented culture and mentality driven by continual service improvement techniques.
- Works with the IT senior leadership team on the service portfolio and governance required to prioritize resources.
- Serves on IT planning and policymaking committees; drives the development of enterprise security technology standards, governance processes, and performance metrics to ensure the services consistently deliver value to the enterprise.
- Coordinates annual independent assessments of external and internal information security capabilities.
Leadership
- Coach and lead employees and on- and off-site contractors / consultants with respect to delivery on Ferguson’s GRC objectives.
- Provides expert advice, coaching, and counseling within a particular discipline/function area.
- Build a diverse and high-performing team through active team development of resources, recruiting, hiring, and training new team members.
- Continuously assess and align core and extended team member skills with strategic Security and Technology direction.
- Develop and maintain critical 3rd party partnerships to flex capacity and skill to meet resource demand.
- Gathers reports and analysis on service consumption and value delivered to customers to ensure SLAs are met.
- Maintain enterprise level relationships with Technology Leadership in all Ferguson business units and subsidiaries and partner with local security leads to ensure consistent quality execution of global Security Delivery responsibilities.
- Partner with IT and the business to monitor and enforce compliance with the organization's security policies and standards among employees, contractors and third parties responsible for Security Delivery.
- Actively monitor new and emerging technologies, trends, issues, and solutions and assess their applicability to Ferguson’s Security Delivery capabilities.
- Participate in the GRC Leadership Team, to ensure reliable service delivery and efficient use of all resources.
Additional Job Duties and Responsibilities
- Responsible for driving the Ferguson culture through values and customer service standards.
- Accountable for outstanding customer service to all external and internal customers.
- Develop and maintain effective relationships through effective and timely communication.
- Takes initiative and action to respond, resolve and follow up regarding customer service issues with all customers in a timely manner.
- Adhering to all policies, rules, regulations, and procedures.
- Performing other duties or functions as requested by management.
Qualifications and Requirements:
- 7-10+ years in an Information Security management role or in internal or external auditing, with emphasis on IT auditing, preferably with larger companies having complex IT environments or large accounting firms with experience over a diverse geographical base.
- Bachelor's or master's degree in computer science, information systems, business administration or related field, or equivalent work experience.
- Preference for candidates with critical technical and management-focused IT security certifications, such as CISSP, CISM, or equivalent.
- A detailed understanding of the general computer control areas and the NIST CSF, ISO 27001, IT governance framework (COBIT), Sarbanes Oxley, and the COSO framework.
- Demonstrable experience with evaluating security and controls on various on-premises and cloud-based technologies, including experience with performing.
- Solid ability to understand, assess and prioritize risks across the components of the IT environment (application, operating system, and database).
- Tenacious in pursuit of improvement and ability to manage courageous conversations with internal & external customers.
- Demonstrable experience in planning, organizing, and developing IT security teams and strategy, whether staff or third parties.
- Substantial exposure to data processing, hardware platforms, enterprise software applications, and outsourced systems, with preference in Microsoft Technologies.
- Expertise in leveraging cloud-based solutions necessary to enable the distributed enterprise.
- Good understanding of computer systems characteristics, features, and integration capabilities.
- Proven leadership ability; ability to instill confidence in the business and demonstrate the business value of IT.
- Outstanding leadership skills with the capacity to craft and communicate an enterprise security vision that encourages and motivates staff and aligns to the IT and business strategy.
- Effective influencing and negotiation skills in an environment where resources may not be in direct control of this role.
- Excellent analytical, conceptual thinking, planning, and follow-through skills.
- Strong business sense, including industry, domain-specific knowledge of the enterprise and its business units.
- Expertise in budget planning and fiscal management.
- Success in employing both traditional best practices, such as IT service management practices based on ITIL, as well as emerging methods like DevSecOps that are optimized for agility.
- Demonstrated ability to develop and implement a strategic people plan. This plan ensures the right people are in the right roles at the right time. It also ensures employees are highly engaged and satisfied.
- Strong vendor management and partner relationship skills.
- Excellent verbal and written communication skills, including the ability to explain technical concepts and technologies to business leaders, and business concepts to the security workforce.
- Ability to empower as a servant leader in a team-oriented, collaborative environment.
At Ferguson, we care for each other. We value our well-being just as much as our hard work. We are committed to a holistic approach towards benefits plans and programs that support the mental, physical and financial well-being of our associates. Our competitive offering not only includes benefits like health, dental, vision, paid time off, life insurance and a 401(k) with a company match, but our associates also enjoy additional meaningful and inclusive enhancements that are adaptable to their diverse situations and needs, including mental health coverage, gender affirming and family building benefits, paid parental leave, associate discounts, community involvement opportunities and more!
#LI-REMOTE
Pay Range:
Actual pay rate may vary depending upon location. The estimated pay range for this position is below. The specific rate will depend on a candidate’s qualifications and prior experience.
$9,458.97 - $16,551.03
Estimated Ranges displayed are Monthly for Salaried roles OR Hourly for all other roles.
This role is Bonus or Incentive Plan eligible.
Ferguson complies with all wage regulations. The starting wage may be higher in certain locations based on local or state wage requirements.
The Company is an equal opportunity employer as well as a government contractor that shall abide by the requirements of 41 CFR 60-300.5(a), which prohibits discrimination against qualified protected Veterans, and the requirements of 41 CFR 60-741.5(a), which prohibits discrimination against qualified individuals on the basis of disability.
Ferguson Enterprises, LLC. is an equal employment opportunity employer F/M/Disability/Vet/Sexual Orientation/Gender Identity.