Position Summary
The Governance, Risk, and Compliance (GRC) Manager leads a team of information security professionals responsible for designing, implementing, and continuously maturing the university’s cybersecurity GRC program. This role serves as the institution’s subject matter expert on cybersecurity risk, advising leadership on risk posture, compliance obligations, and strategic investment decisions. The GRC Manager oversees governance processes, risk assessment activities, policy development, and third‑party/supply‑chain risk management. The position ensures that cybersecurity requirements are embedded across the technology and data lifecycle, coordinates internal and external audits, and drives follow‑up and improvement activities. The Manager also leads university‑wide cybersecurity awareness and role‑based training initiatives while building strong partnerships with IT units, faculty, researchers, and administrative stakeholders to advance a culture of shared responsibility for cybersecurity.
Michigan State University (MSU) is ranked #30 among public universities and #63 overall in U.S. News & World Report’s America’s Best Colleges 2025. Located in East Lansing, three miles east of the state’s capitol, the MSU community includes more than 12,000 faculty, academic and support staff, as well as over 51,000 students. MSU offers an extensive benefits package to its employees including health care, prescription, and dental coverage, and a base retirement program with a University matching contribution, as well as basic life insurance. In addition, MSU offers educational benefits including a course fee courtesy program and educational assistance.
MSU Information Technology provides the primary leadership for strategic, financial, and policy initiatives affecting information technology (IT) across MSU. MSU IT offers technology resources that support MSU’s mission of providing education, conducting research, and advancing engagement.
Minimum Requirements
Knowledge equivalent to that normally acquired by completing a four-year college degree in Computer Science, Information Systems, Business, or a related field. Eight or more years of progressively responsible professional experience in information security, technology risk management, IT audit, or related areas; or an equivalent combination of education and experience.
Desired Qualifications
• Professional certifications such as CISSP, CISM, CRISC, CGEIT, CISA, or similar.
• Demonstrated experience leading complex and/or high-impact information technology or cybersecurity projects.
• Experience implementing or managing GRC processes such as risk assessments, risk registers, policy governance, compliance programs, or third-party risk management.
• Supervisory or formal team-lead experience in an enterprise IT or information security setting.
• Or an equivalent combination of education and experience.
• Advanced degree in a related field (e.g., Information Security, Information Systems, Business, Public Policy) or comparable professional experience.
• Experience working with cybersecurity and privacy frameworks (e.g., NIST CSF, NIST SP 800-53/800-171, ISO 27001, SOC 2).
• Experience in higher education, research, health care, or other complex, distributed environments.
• Demonstrated ability to communicate complex technical and risk concepts clearly to non-technical audiences, including senior leadership.
• Strong skills in stakeholder engagement, facilitation, analytical problem solving, and change management.
Equal Employment Opportunity Statement
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, citizenship, age, disability or protected veteran status.
Required Application Materials
Resume and cover letter.
Special Instructions
Please provide three professional references who are knowledgeable of your work.
Work Hours
STANDARD 8-5
Website
https://tech.msu.edu
Remote Work Statement
MSU strives to provide a flexible work environment, and this position has been designated as remote-friendly. Remote-friendly means some or all of the duties can be performed remotely as mutually agreed upon.
Bidding eligibility ends April 14, 2026 at 11:55 P.M.