Cyber Policy and Compliance Expert

About The Position

Requirements

• Deep GRC Expertise: Extensive experience creating, maintaining, and auditing cybersecurity policies, standards, and procedures for enterprise environments.
• Regulatory Knowledge: Mastery of key cybersecurity frameworks and regulations, specifically NIST (CSF & RMF), ISO/IEC 27001, GDPR, and CCPA.
• Technical Understanding: Ability to understand how written policies map to technical controls (STIG, firewalls, IAM, SIEM, Endpoint Security) to ensure generated policies are practically enforceable.
• Risk Management: Strong background in conducting risk assessments and translating risk appetite into policy language.
• Communication: Exceptional written communication skills with the ability to articulate complex compliance requirements clearly and concisely.
• Education: Bachelor’s or Master’s degree in Cybersecurity, Information Systems, Law, or relevant field.
• Experience: 5+ years of experience in GRC, Information Security Management, or Security Auditing.
• Certifications: CISSP, CISM, CISA, CRISC, or CIPP.

Nice To Haves

• Background in auditing or preparing organizations for third-party audits (e.g., DoD Impact Levels, FedRAMP, CMMC).
• Previous experience in highly regulated industries such as Defense, Finance, or Healthcare.
• Experience with Policy-as-Code tools (e.g., Open Policy Agent) or cloud governance (AWS Config, Azure Policy).

Responsibilities

• Dynamic Policy Scenario Creation: Develop sophisticated test cases that require the test subject to generate or modify security policies based on specific triggers, such as a new zero-day vulnerability, a shift to remote work, or an update to international privacy laws.
• Compliance & Framework Mapping: Evaluate responses for strict adherence to major security frameworks and standards, including NIST SP 800-53, ISO 27001, SOC2, HIPAA, and GDPR.
• Enforceability Assessment: Critique generated policies not just for compliance, but for technical feasibility and enforceability (e.g., ensuring a "Data Protection Policy" translates into realistic DLP or encryption configurations).
• Strategic Risk Analysis: Assess the subject’s ability to align security controls with business goals, ensuring policies are not overly restrictive (hindering operations) or dangerously permissive.
• Iterative Refinement: Provide expert-level feedback and rewritten responses to establish a high standard of reasoning in complex regulatory and ethical decision-making processes.