YM Inc. was founded on the strength of a single retail store in the heart of downtown Toronto in 1975, under the name Stitches. Today we are one of North America’s leading apparel retailers operating over 700 stores across Canada and the United States under the following banners: Stitches, Urban Planet, Urban Behavior, Sirens, Forever 21, Urban Kids, Suzy Shier, Bluenotes, West 49, Amnesia, Charlotte Russe, Rue 21 and Mandee.
Our goal is to sustain performance that exceeds expectations. We are committed to creating a culture where people feel valued and inspired to achieve results. We give our people the appropriate tools, freedom and authority to make decisions. They are accountable for their actions and we recognize their efforts and reward their results. We attract and nurture the best people by providing leadership opportunities, career development and continuous learning. We are committed to leading by example and with integrity. We treat people with respect and dignity, promote the benefits of diversity and address challenges in a direct and compassionate manner. We engage people in our goals and objectives; we listen and act on new ideas where possible. That is our Philosophy.
Role Overview
The IT Security Governance & Compliance Specialist is responsible for governing, coordinating, and overseeing YM’s information security program, ensuring that security risks are identified, documented, mitigated, and communicated effectively across the organization.
This role is not a hands‑on technical implementation role. Instead, it serves as the central authority for IT security governance, working with internal technical teams and external vendors to ensure security controls are defined, approved, enforced, documented, and continuously improved.
The role acts as the primary interface for security vendors, audits, compliance efforts, risk management activities, and security incident coordination, while ensuring policies, procedures, and awareness programs are consistently maintained and applied.
Key Responsibilities
1. Security Governance & Policy Management
- Develop, maintain, and periodically update all IT security policies, standards, and guidelines.
- Ensure policies align with organizational risk tolerance, business requirements, and regulatory obligations.
- Translate technical security requirements into clear, business‑understandable policies.
- Present and explain security policies and risk posture to management as required.
2. Risk Management & Exception Tracking
- Conduct and document IT security risk assessments across infrastructure, applications, and business processes.
- Maintain a centralized Risk Register, including:
  - Accepted risks (e.g., EOL servers/applications required for business reasons)
  - Risk owners
  - Expiry/review dates
- Document and track compensating controls for each accepted risk.
- Manage risk exception requests, approvals, and renewals, ensuring formal sign‑off by leadership.
3. PCI & Compliance Oversight (Control Gap)
- Own PCI compliance end‑to‑end from a governance and coordination perspective.
- Coordinate with Control Gap to:
  - Schedule and facilitate tabletop exercises and assessments
  - Collect and organize audit evidence
  - Review, validate, and challenge findings where appropriate
- Track remediation items and ensure issues are driven to closure with responsible teams.
- Act as the primary point of contact for PCI‑related audits and compliance activities.
4. SOC & Threat Monitoring Oversight (LCM / FortiSIEM)
- Serve as the primary liaison with the SOC vendor (LCM).
- Review security alerts, incident reports, and threat notifications.
- Actively respond to SOC tickets/emails by:
  - Reviewing severity and impact
  - Validating false positives
  - Approving or coordinating response actions
- Ensure SOC recommendations are reviewed, approved, and implemented by the appropriate IT teams.
- Own escalation of security incidents to server, network, DBA, POS, and other technical teams.
5. Security Incident Coordination
- Act as the first point of coordination for security incidents (non‑technical).
- Coordinate incident response activities across internal teams and vendors.
- Ensure incidents are properly documented, including:
  - Incident timelines
  - Impact assessment
  - Root‑cause summaries (from technical teams)
  - Lessons learned and corrective actions
- Prepare and deliver incident reports and post‑mortems.
- Interface directly with executive leadership during significant security incidents.
- Participate in on‑call rotation to respond to critical SOC notifications outside business hours.
6. Third‑Party Security & Risk Assessments
- Manage and complete third‑party security questionnaires.
- Assess vendor security posture and identify potential risks.
- Track third‑party risks, remediation actions, and mitigation strategies.
- Act as the security review authority for new vendors and services.
7. Security Awareness & Training
- Develop and deliver security awareness campaigns organization‑wide.
- Coordinate user awareness training on topics such as phishing, social engineering, and data protection.
- Analyze flagged threat/phishing emails reported by users.
- Track awareness effectiveness and recurring risk patterns.
8. Cross‑Functional Enforcement & Collaboration
- Work closely with:
  - Server Team
  - Frontier/Network Team
  - Helpdesk
  - POS/Retail Systems
  - DBA Team
- Recommend security controls and improvements.
- Once approved by management, ensure enforcement by responsible technical teams.
- Track completion and compliance without directly implementing technical changes.
Explicitly Out of Scope (Clarified to Avoid Overreach)
The IT Security & GRC Specialist does not:
- Administer endpoint security tools
- Implement firewall rule changes
- Manage MFA or Conditional Access policies
- Perform system patching or vulnerability scans
- Directly manage firewall platforms or operating systems
Ownership is governance, oversight, enforcement follow‑up, and documentation.
Success Measures
- Audit readiness and successful audit outcomes
- Reduced number and severity of security findings
- Timely incident response coordination
- Policy compliance across IT teams
- Accurate and current risk and exception tracking
- Vendor SLA adherence and effective SOC engagement
What we offer:
- Competitive Compensation Package
- Health and Dental Benefits Plan
- Paid Sick Days
- Employee Discount
- Tuition Reimbursement
- Ongoing Training and Development
- Career Advancement Opportunities
- Being part of an amazing, supportive and collaborative team
YM Inc. is an equal opportunity employer. If chosen to participate in the selection process, accommodations are available upon request. We will consult with the applicant to provide or arrange suitable accommodation in a manner that takes into account the applicant’s accessibility needs.
This posting is for an open vacancy.
We use AI in our hiring process.
Pay: $65,000.00-$75,000.00 per year
Benefits:
- Extended health care
- Life insurance
- On-site parking
- Paid time off
- Store discount
- Vision care
Ability to commute/relocate:
- North York, ON M6A 2W1: reliably commute or plan to relocate before starting work (required)
Experience:
- IT security governance: 4 years (required)
- PCI & Compliance Oversight: 3 years (required)
- IT security risk assessments: 3 years (required)
Work Location: In person