Compliance Manager

West Monroe is seeking a Compliance Manager to join the internal Risk, Compliance & Cybersecurity (RCC) team. This role is responsible for leading and modernizing the firm’s cybersecurity compliance and governance programs while leveraging automation, AI capabilities, and integrated GRC tooling to reduce manual effort and improve operational efficiency.

The Compliance Manager will work closely with IT, security engineering, legal, and business stakeholders to ensure adherence to industry frameworks and client security expectations. A key focus of this role will be identifying creative ways to automate compliance processes, integrate systems into the firm’s GRC platform, and establish reliable sources of truth for audit evidence, risk tracking, and governance reporting.

This role will also oversee key security governance activities including incident response readiness, annual tabletop exercises, and security policy lifecycle management.

Qualifications

Candidates must demonstrate a strong understanding of cybersecurity governance, compliance frameworks, and enterprise risk management practices. The individual should be able to lead compliance initiatives while partnering with technical teams to ensure security controls are effectively implemented, monitored, and automated where possible.

The ideal candidate will have experience across a range of governance and compliance services, including but not limited to:

• Security Compliance Frameworks (SOC 2, ISO 27001, NIST, CIS Controls)
• Third-Party Risk Management and Vendor Security Assessments
• Client Security Questionnaires and Assurance Programs
• Security Policy Development and Governance Programs
• Audit Coordination and Evidence Management
• AI Governance and Emerging Compliance Frameworks (e.g., ISO 42001)
• Security Risk Assessments and Control Evaluations
• Compliance automation using GRC platforms and system integrations

Specific Skills Include, But Are Not Limited To:

Enterprise Compliance Program Leadership

• Own and lead enterprise‑level cybersecurity compliance programs aligned to SOC 2, NIST CSF, ISO 27001, CIS Controls, and related frameworks.
• Define compliance strategy, scope, and roadmap while ensuring consistent execution across the organization.

Audit Management & Evidence Strategy

• Lead complex internal and external audits (e.g., SOC 2), serving as the primary point of contact for auditors.
• Define audit scope, manage timelines, and implement scalable evidence management practices that improve audit readiness and reduce disruption.

Third‑Party Risk Management

• Lead vendor and third‑party security risk management programs, including due diligence assessments, ongoing monitoring, remediation tracking, and risk reporting.
• Ensure third‑party risk processes align with enterprise security and compliance requirements.

Client Security Assurance & Due Diligence

• Oversee responses to client security questionnaires, assessments, and assurance requests.
• Partner with legal, sales, and delivery teams to ensure responses are accurate, consistent, and aligned with the firm’s security posture.

Risk Management & Control Oversight

• Identify, assess, and track cybersecurity risks using risk registers and structured remediation plans.
• Partner with technical teams to ensure risks ar addressed through effective and measurable control implementations.

Policy & Governance Lifecycle Management

• Develop, maintain, and continuously improve security policies, standards, and procedures.
• Ensure governance documentation aligns with regulatory expectations, audit requirements, and operational practices.

Incident Response Governance

• Maintain and mature incident response governance, including annual tabletop exercises, readiness assessments, and post‑incident lessons learned.
• Ensure response procedures are documented, tested, and continuously improved.

Leadership, Influence & Communication

• Mentor and coach team members, supporting skill development, performance management, and knowledge growth.
• Communicate complex security and risk concepts effectively to senior leadership, technical teams, and business stakeholders.

Program Metrics & Executive Reporting

• Develop dashboards and reports that provide leadership visibility into compliance posture, automation maturity, audit readiness, and risk exposure.
• Use metrics to inform decision‑making and drive continuous improvement.

Compliance Automation & GRC Enablement

• Drive compliance automation initiatives using enterprise GRC platforms (e.g., Drata, ServiceNow GRC), with a focus on reducing manual effort and improving audit readiness.
• Design and implement integrations across security and business systems (e.g., IAM, endpoint, cloud, ticketing) to automate evidence collection, control validation, risk tracking, and reporting, establishing the GRC platform as a single source of truth.
• Identify and eliminate manual compliance tasks by leveraging automation, scripting, and AI-driven workflows, including:
  • Client questionnaire pre-population and consistency
  • Policy generation and updates
  • Evidence mapping and control alignment across frameworks
  • Risk identification and summarization
• Build continuous control monitoring by integrating telemetry from security tools to enable real-time evidence collection and reduce point-in-time audit efforts.
• Standardize and automate workflows (e.g., API-based evidence collection, task routing via ServiceNow/Jira) to minimize manual follow-ups and improve efficiency.
• Partner with engineering teams to integrate new tools into the compliance ecosystem and continuously improve processes, with a goal of reducing audit effort, increasing accuracy, and scaling the program efficiently.

Requirements

• 8+ years of experience in cybersecurity governance, risk management, or compliance roles, with demonstrated ownership of enterprise‑level programs
• Proven experience leading and scaling compliance programs aligned to frameworks such as SOC 2, NIST, ISO 27001, and CIS Controls
• Extensive experience managing complex internal and external audits, including direct engagement with auditors and scope management
• Experience overseeing client security questionnaires, due diligence responses, and assurance activities, including coordination with legal, sales, and delivery teams
• Strong background in third‑party risk management, including vendor security assessments, ongoing monitoring, and remediation tracking
• Hands‑on experience with enterprise GRC platforms (e.g., Drata, ServiceNow GRC, or similar), including configuration, optimization, and integrations
• Demonstrated success driving compliance automation and system integrations to reduce manual effort and improve audit readiness
• Experience managing or mentoring team members, including coaching, knowledge development, and performance feedback
• Strong communication skills with the ability to influence senior stakeholders and translate security and risk concepts to technical and business audiences
• Excellent organizational, prioritization, and program management skills in complex, cross‑functional environments

Preferences

• Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or a related technical field
• 8+ years of experience in cybersecurity governance, risk management, or compliance roles with ownership of enterprise‑scale programs
• Prior experience in consulting or professional services environments, supporting multiple stakeholders and competing priorities
• Hands‑on experience implementing and optimizing compliance programs using enterprise GRC platforms and automation capabilities
• Demonstrated success driving compliance automation, system integrations, and process maturity improvements
• Familiarity with AI governance concepts and emerging frameworks (e.g., ISO 42001)
• Industry certifications such as CISSP, CISA, CRISC, or CISM