Cybersecurity Governance, Risk & Compliance (GRC) Lead

Clorox is the place that’s committed to growth – for our people and our brands. Guided by our purpose and values, and with people at the center of everything we do, we believe every one of us can make a positive impact on consumers, communities, and teammates. Join our team. #CloroxIsThePlace

Your role at Clorox:

We are seeking a highly skilled and motivated Cybersecurity Governance, Risk & Compliance (GRC) Lead . This position reports to the Cybersecurity GRC Product Owner. The mission of this role is to support and continuously improve the company’s cybersecurity program, with a focus on driving risk informed decision making across sensitive data, systems, cloud environments, and third party relationships.
In this role, the individual will work cross functionally as a trusted security advisor to identify, assess, and manage cybersecurity risks; ensure compliance with internal security policies, industry frameworks, and regulatory requirements; and guide business and technology leaders in making informed risk management decisions. The role requires a strong understanding of cybersecurity risks, technologies, and controls, as well as the ability to clearly communicate complex risk concepts to both technical and non technical stakeholders.
The ideal candidate is deadline driven, detail oriented, and an excellent communicator, with deep expertise in cybersecurity governance and risk management best practices, with a focus on including third party security risk.

In this role, you will:

Third‑Party Risk Management (TPRM) 

• Lead and execute third‑party cybersecurity risk assessments throughout the vendor lifecycle, including onboarding, periodic reassessment, contract renewal, and offboarding.
• Evaluate vendor security posture using multiple inputs, including questionnaires, SOC reports, penetration test summaries, certifications, and evidence artifacts.
• Assess critical and high‑risk vendors, including SaaS, cloud service providers, data processors, and managed service providers, for alignment with company security and privacy requirements.
• Partner with Procurement, Legal, Privacy, IT, and the business to ensure cybersecurity risks associated with third parties are identified, documented, and addressed prior to contract execution.
• Define and enforce risk‑based onboarding and reassessment requirements aligned to vendor criticality, data sensitivity, and system access.
• Track third‑party risk findings, remediation commitments, and compensating controls to closure; escalate overdue or unacceptable risks as appropriate.
• Support contract security requirements, including review of security clauses, right‑to‑audit provisions, data protection obligations, and incident notification requirements.
• Maintain visibility into third‑party risk trends and exposures and report material risks to leadership.
• Ensure third‑party risk processes meet public‑company audit and regulatory expectations and support internal audit and external reviews.

Cyber Risk & Compliance

• Assess cybersecurity risks related to internal systems, cloud services, applications, and third‑party vendors across technology and operational initiatives.
• Ensure alignment with applicable cybersecurity, privacy, and compliance frameworks (e.g., NIST, ISO, SOC, SOX, GDPR, CCPA).
• Support day‑to‑day operations by identifying cybersecurity compliance risks, ensuring appropriate escalation, and coordinating timely corrective actions.
• Collaborate with technical and non‑technical teams to evaluate the effectiveness of security controls, identify and categorize risks, recommend improvements, and communicate outcomes.
• Facilitate the development, maintenance, and enforcement of cybersecurity policies and standards in collaboration with internal subject matter experts.
• Challenge the first line of defense by validating required assessments and attestations (e.g., PCI, SOX, GDPR, CCPA) and providing compliance guidance where necessary.
• Provide oversight of vulnerability management, risk remediation activities, and the policy exception request process.
• Communicate emerging risks, audit findings, and control issues to key stakeholders, and support remediation planning and execution.
• Develop metrics and reporting to provide leadership visibility into cybersecurity risk posture, compliance status, and risk trends.

AI, Cloud, and Emerging Technology Risk

• Evaluate AI‑enabled services offered by third parties for model security, training data governance, privacy implications, and exposure to model manipulation attacks.
• Ensure cloud and AI services align with referenced security and privacy frameworks (e.g., NIST CSF/RMF, NIST AI RMF, ISO, SOC 2, GDPR, CCPA).
• Advise on secure adoption of emerging technologies while maintaining risk, compliance, and governance standards.

Stakeholder Engagement & Leadership

• Work closely with business, technology, and compliance counterparts to understand business objectives and ensure alignment with security policies and best practices.
• Build strong relationships with business units to embed security‑by‑design into projects, architecture, infrastructure, and applications.
• Build trusted relationships with senior leaders to accelerate adoption of cybersecurity governance and compliance initiatives.
• Educate teams across the organization on cybersecurity risk, governance methodologies, and third‑party risk responsibilities.

What we look for:

• 6+ years of experience performing cybersecurity risk assessments and applying risk management methodologies
• 6+ years of tracking, monitoring, and reporting cyber risk to management
• 6+ years of cybersecurity governance, risk, and compliance experience
• Demonstrated experience in third‑party cyber risk management, including vendor risk assessments, remediation tracking, and stakeholder coordination
• Experience managing a team of offshore managed service providers.
• Experience managing vendor risk across SaaS, cloud, data processors, and managed service providers
• Strong knowledge of cybersecurity controls management, controls testing, and automation
• Hands‑on experience with cybersecurity and privacy frameworks (e.g., NIST CSF/RMF, ISO 27001/27002, SOC 1/2/3, SOX, GDPR, CCPA)
• Experience with AI/ML risk management frameworks (e.g., NIST AI RMF, ISO/IEC 42001) and understanding of AI‑specific threat vectors
• Experience drafting and maintaining cybersecurity policies and standards
• Experience using ServiceNow Integrated Risk Management or a comparable GRC platform
• Ability to influence without authority and communicate complex risk topics clearly to diverse audiences
• Cyber risk or audit certifications (CISA, CISM, CRISC, CISSP) are a plus

#LI-HYBRID

Workplace type:

Hybrid- 3 days in office;2 days WFH

Our values-based culture connects to our purpose and empowers people to be their best, professionally and personally. We serve a diverse consumer base which is why we believe teams that reflect our consumers bring fresh perspectives, drive innovation, and help us stay attuned to the world around us. That’s why we foster an inclusive culture where every person can feel respected, valued, and fully able to participate, and ultimately able to thrive. Learn more.

[U.S.]Additional Information:

At Clorox, we champion people to be well and thrive, starting with our own people. To help make this possible, we offer comprehensive, competitive benefits that prioritize all aspects of wellbeing and provide flexibility for our teammates’ unique needs. This includes robust health plans, a market-leading 401(k) program with a company match, flexible time off benefits (including half-day summer Fridays depending on location), inclusive fertility/adoption benefits, and more.

We are committed to fair and equitable pay and are transparent with current and future teammates about our full salary ranges. We use broad salary ranges that reflect the competitive market for similar jobs, provide sufficient opportunity for growth as you gain experience and expand responsibilities, while also allowing for differentiation based on performance. Based on the breadth of our ranges, most new hires will start at Clorox in the first half of the applicable range. Your starting pay will depend on job-related factors, including relevant skills, knowledge, experience and location. The applicable salary range for every role in the U.S. is based on your work location and is aligned to one of three zones according to the cost of labor in your area.

–Zone A: $106,700 - $204,900

–Zone B: $97,800 - $187,900

–Zone C: $88,900 - $170,800

All ranges are subject to change in the future. Your recruiter can share more about the specific salary range for your location during the hiring process.

This job is also eligible for participation in Clorox’s incentive plans, subject to the terms of the applicable plan documents and policies.

Please apply directly to our job postings and do not submit your resume to any person via text message. Clorox does not conduct text-based interviews and encourages you to be cautious of anyone posing as a Clorox recruiter via unsolicited texts during these uncertain times.

To all recruitment agencies: Clorox (and its brand families) does not accept agency resumes. Please do not forward resumes to Clorox employees, including any members of our leadership team. Clorox is not responsible for any fees related to unsolicited resumes.