IT Security Lead - Risk Management

The IT Security Lead - Risk Management is a critical member of the Owens Corning Global Information Services (GIS) Security team. This role supports the Governance, Risk, and Compliance (GRC) function by executing cybersecurity governance activities, performing risk assessments, maintaining security policies and standards, supporting audits, and enabling compliance across the enterprise.

This role has global responsibility for identifying, analyzing, documenting, and communicating cybersecurity risks and control gaps in support of the cybersecurity risk framework. Strong analytical skills are required to assess complex environments, identify emerging risks and inconsistencies, and translate findings into clear, actionable guidance for risk owners and leadership.

The IT Security Lead - Risk Management also supports cybersecurity compliance activities across projects, programs, facilities, and business functions. This role manages information security communications, including policies, standards, and related requirements, ensuring updates are documented, approved, and communicated in alignment with governance expectations.

Success in this role requires comfort operating in a fast‑paced environment, managing multiple priorities, and adjusting to changing business needs. Curiosity, integrity, honesty, and strong attention to detail are essential, particularly when working with regulatory requirements, audit evidence, risk documentation, and enterprise reporting.

Reports to:                          IT Security Leader – Governance, Risk and Compliance

Span of Control:            Individual Contributor

Knowing Our Businesses and their Strategies

• Maintain strong awareness of evolving security standards, regulatory requirements, and industry best practices, and assess their impact on organizational risk posture and compliance obligations.
• Enable effective governance and audit readiness for Business Continuity and Disaster Recovery (BCP/DR) controls, aligned with information security, incident response, and compliance requirements.
• Identify opportunities to align security and compliance initiatives with strategic business programs (e.g., digital transformation, AI adoption, operational resilience), ensuring security is embedded as a business enabler rather than a constraint.
• Provide governance support for AI and machine‑learning capabilities by maintaining and evolving security, governance, and responsible‑AI policies aligned to enterprise objectives; executing AI security and risk assessments to identify control gaps and emerging risks; coordinating with Legal, Privacy, and business stakeholders to ensure alignment with regulatory, ethical, and compliance expectations; and continuously monitoring regulatory developments, industry trends, and emerging risks to inform and strengthen governance practices.

Executing Strategy

• Support enterprise cybersecurity governance and compliance efforts, including development and maintenance of information security policies, standards, procedures, and ISO 27001 ISMS documentation.
• Perform compliance and assurance activities, including internal control reviews and external audit coordination.
• Perform information security risk assessments in accordance with the cybersecurity risk framework.
• Identify control gaps, weaknesses, and emerging risks, document findings clearly and consistently.
• Support risk owners with analysis, impact statements, and documentation.
• Track and report risk remediation activities and status.
• Execute third‑party security assessments aligned with vendor risk management processes.
• Document vendor risks, control gaps, and remediation actions.
• Maintain vendor risk documentation and audit evidence.
• Draft, review, and maintain information security policies, standards, procedures, and guidelines.
• Ensure policies align with ISO 27001, regulatory requirements, and internal governance standards.
• Perform ongoing control testing and monitoring activities.
• Track audit findings, remediation activities, and evidence closure.

Influencing in the Function

• Collaborate with cross‑functional partners to support security and compliance requirements.
• Partner with Internal Controls, Internal Audit, and external auditors to provide evidence, documentation, and subject matter expertise.
• Engage with application and system owners to assess control effectiveness and document risk posture.
• Communicate findings clearly, distinguishing between required controls and best‑practice recommendations.
• Prepare accurate, well‑articulated reports on ISMS status, assessment results, and compliance metrics.
• Support documentation, publication, and communication of approved policy and control changes.
• Promote a culture of accountability, transparency, and continuous improvement within information security.

Developing Talent

• Support security awareness activities related to policy understanding and adherence.
• Mentor and coach team members to build information security knowledge, risk awareness, and governance capabilities.
• Share knowledge with a broader audience through training sessions, forums, and cross‑functional engagements on information security topics.
• Proactively communicate security expectations, emerging risks, and best practices to drive awareness and adoption across the organization.
• Identify opportunities to improve documentation quality, assessment consistency, and governance processes while enabling team learning and growth.

MINIMUM QUALIFICATIONS

• Bachelor’s degree in computer science, Information Systems, Information Technology; equivalent experience may be considered in lieu of a degree
• 5+ years of information security experience
• 3+ years supporting governance, risk, and compliance functions

KNOWLEDGE, SKILLS AND ABILITIES

• Strong understanding of project and operational execution in complex environments, with a hands-on, delivery-focused approach
• Strong knowledge of security controls, data classification, regulatory requirements, and privacy standards, including working knowledge of ISO 27001
• Excellent analytical, documentation, and problem-solving skills, with the ability to translate risks into clear, actionable controls and audit evidence
• Proven ability to build trust and work effectively across a highly matrixed, global organization, engaging stakeholders with varying levels of technical expertise
• Proven ability to manage multiple priorities with strong attention to detail
• Excellent communication, organizational, and interpersonal skills Self-starter with curiosity and a continuous improvement mindset
• Service-oriented professional with high personal standards and accountability
• Working knowledge of AI governance, responsible AI principles, and emerging regulatory considerations, with the ability to translate evolving risks into practical security and compliance frameworks
• Experience supporting business continuity, disaster recovery, or operational resilience initiatives from a security or compliance perspective
• Demonstrated ability to distinguish between mandatory security requirements and best practices, and clearly articulate that distinction
• Ability to travel up to 10%, domestically

About Owens Corning  

Owens Corning is a branded building products leader with three complementary market-leading businesses providing roofing, insulation, and doors primarily for residential markets in North America and Europe. The company operates with an integrated go-to-market strategy and a unique set of OC Advantages™ – including its iconic brand, unparalleled commercial strength, leading technology, and winning cost position – to help customers win and grow in the market. Owens Corning is committed to helping build better and achieve more through winning partnerships, leading performance, and engaging people. Founded in 1938 and headquartered in Toledo, Ohio, Owens Corning is listed on the New York Stock Exchange (NYSE: OC). For more information, visit www.owenscorning.com.

Owens Corning is an equal opportunity employer. Except in limited circumstances such as formal apprenticeship programs, Owens Corning does not employ anyone under the age of 18.