Governance, Risk, and Compliance
2 weeks ago
Governance, Risk, and Compliance (GRC) Specialist

Location: Fredericton, N.B., Canada (Hybrid)

At Thales, we envision innovative solutions that build a safer, greener, and inclusive future. As a cutting‑edge provider of aerospace, transportation, defence, security, and space solutions, we are committed to digital trust and resilience for our customers in Canada.

Position Summary

Thales Canada is looking for an intermediate level Governance, Risk, and Compliance (GRC) Specialist to deliver advisory services and hands‑on execution across CPCSC, CMMC, ISO 270x, and other compliance frameworks. You will lead readiness assessments, design and improve controls, guide clients through audits and certifications, and translate complex requirements into pragmatic, business‑aligned roadmaps. The role is ideal for a consultant comfortable working directly with stakeholders, facilitating workshops, and building sustainable GRC solutions.

Key Areas of Responsibility

Lead discovery sessions, stakeholder interviews, and workshops to understand business context, scope, and compliance objectives.
Translate regulatory and framework requirements into actionable program plans, control designs, and implementation roadmaps.
Present findings and recommendations to technical and executive audiences and prepare high‑quality client deliverables.

Framework Readiness and Implementation

Conduct CPCSC gap assessments, control mapping, and remediation planning; provide guidance on scoping, data flows, and evidence requirements.
Perform CMMC (v2) readiness assessments, develop SSPs and POA&Ms, and support clients through assessment journeys.
Build or mature ISMS programs, conduct risk assessments, develop the Statement of Applicability, support internal audits and management reviews, and prepare for external certification.

Control Design, Testing, and Continuous Improvement

Design and document policies, standards, procedures, and control narratives aligned to applicable frameworks.
Build crosswalks and control catalogs across CPCSC, CMMC, ISO 27001/27002, and related frameworks.
Perform control testing, sampling, and evidence reviews; track remediation and validate closure.
Define and operationalise KRIs/KPIs and compliance metrics dashboards.

Risk Management and Security Governance

Facilitate formal risk assessments and treatment plans using ISO 27005, NIST SP 800-30, and optional FAIR.
Advise on secure configurations, IAM, vulnerability and patch management, logging/monitoring, and incident response alignment with compliance needs.
Support third-party/vendor risk assessments and continuous monitoring activities.

Audit and Certification Support

Prepare clients for external audits/assessments; coordinate evidence, walkthroughs, and sampling with assessors and certification bodies.
Guide remediation and readiness sprints; develop playbooks for recurring audit cycles.

Training and Enablement

Deliver targeted training and awareness for control owners, process owners, and stakeholders.
Create reusable templates, accelerators, and best practices to scale program delivery.

Minimum Qualifications

Bachelor’s degree in Information Security, Information Systems, Computer Science, Risk/Compliance, or related field; or equivalent experience.
3–6 years of experience in GRC, cybersecurity compliance, or IT audit, with hands-on work in at least two of: CMMC/NIST 800-171, ISO 27001/27002, CPCSC.
Demonstrated consulting/advisory experience: client-facing communication, facilitation, slideware, and report writing.
Practical knowledge of CMMC (v2) practices, NIST SP 800-171 requirements, SSP/POA&M, scoping/enclave concepts, evidence management; ISO 27001:2022 and ISO 27002:2022 controls; control design and testing; governance documentation.
Strong understanding of core security domains: asset, configuration management, access control, vulnerability management, logging, business continuity, incident response, and change management.
Excellent communication skills and ability to translate technical concepts into business outcomes.

Key Competencies

Advisory mindset: structured problem-solving, stakeholder management, and executive communication.
Project delivery: scoping, planning, tracking, and on-time delivery of milestones and artifacts.
Analytical rigor: evidence-based assessment, root-cause analysis, and pragmatic recommendations.
Collaboration: ability to work with cross-functional teams (Security, IT, Legal, Engineering, Procurement).
Adaptability: comfortable with evolving standards and working across multiple client environments.

Preferred Qualifications

Exposure to additional frameworks/requirements: NIST 800-53, SOC 2, PCI DSS, privacy regimes, secure SDLC/DevSecOps integration.
Experience within the defence industrial base or regulated sectors (aerospace/defence, critical infrastructure, fintech, healthcare).
Familiarity with compliance and GRC platforms and ticketing/ITSM tools (Jira, ServiceNow).
Experience building control crosswalks and maintaining control libraries.
Comfort with data classification, encryption key management guidance, and cloud security controls (ISO 27017/27018).

Education and Certifications

Relevant certifications preferred: CISM, CISA, CISSP, ISO 27001 Lead Implementer/Lead Auditor, CRISC, PMP, or comparable.
For CMMC advisory, current/eligible CMMC related credentials (e.g., RP/RPO affiliation, CCP/CCA when applicable) are a plus.

Special Position Requirements

Schedule: Core business hours Monday-Friday; eight-hour workday.
Physical Environment: Access to R&D facilities, cyber-ranges, and Cyber Security Operations Centres.
Travel: 25% of time regionally and nationally; customer site visits required.

What We Offer

Company-paid extended health, dental, HSA, life, AD&D, short-term disability, cancer care program, travel insurance, employee assistance plan, and well-being program.
Retirement savings plans (RRSP, DCPP, TFSA) with a company contribution and a match to a DCPP, with no vesting period.
Company-paid holidays, vacation days, and paid sick leave.
Voluntary life, AD&D, critical illness, long-term disability.
Employee discounts on home, auto, and gym membership.

Compensation

Total Target Compensation (TTC) market range: Total Target Cash (TTC) 89,968.16 - 182,564.53 CAD.

Equal Opportunity Employer

Thales is an equal‑opportunity employer that values diversity and inclusivity. We provide accommodations throughout the interview process and treat all accommodation information confidentially.

Security Clearance

This position requires direct or indirect access to hardware, software, or technical information controlled under the Canadian Export Control List, the Canadian Controlled Goods Program, the Canadian Industrial Security Programme, the US ITAR and/or EAR. Applicants must be eligible to obtain Canadian NATO Secret clearance.