Cybersecurity GRC Analyst II

New American Funding, Santa Ana, CA
Hybrid

About The Position

The Cybersecurity GRC Analyst II will be a key member of our fast-paced, growing Cybersecurity Services team. This role is intensely focused on Governance, Risk, and Compliance (GRC) and serves as a primary point of contact for responding to external audits. The Analyst will be responsible for day-to-day IT compliance, data governance, and IT risk management functions. This role is critical in defining, creating, and managing IT policies and standards to meet legal and regulatory requirements.

Requirements

  • Deep understanding of IT governance, compliance, and risk management principles.
  • Proven experience managing and responding to external IT audits.
  • Strong knowledge of frameworks and standards such as SOC 2, NIST CSF/800-53, CIS Controls, NY DFS, and CCPA/CPRA.
  • Experience with IT GRC/IRM platforms (e.g., Archer, ServiceNow, OneTrust, or similar).
  • Familiarity with cloud environments (Azure, AWS, GCP) and modern IT infrastructures.
  • Proven ability to adapt to rapidly changing technology landscapes and compliance requirements.
  • Excellent analytical, problem-solving, and critical thinking skills.
  • Strong interpersonal, written, and verbal communication abilities, with experience presenting to senior leadership and cross-functional teams.
  • Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field.
  • Minimum 5-7 years of progressive experience in IT audit, IT risk management, cybersecurity, or compliance in a complex enterprise environment.
  • Must be able to verify identity and employment eligibility to work in the U.S. This position does not offer visa sponsorship.

Nice To Haves

  • Professional certifications are highly preferred: CISA, CISSP, CRISC, CISM, CGRC (formerly CAP), CDPSE, CGEIT, CIA.

Responsibilities

  • Lead the coordination and response to all external IT audits and regulatory examinations. Act as the primary liaison for external auditors, managing evidence collection, interviews, and formal responses to findings.
  • Design, lead, and perform comprehensive IT control reviews and compliance testing aligned with regulatory and industry frameworks (e.g., SOC 2, NIST, NY DFS, CCPA/CPRA). Identify control weaknesses and recommend remediation strategies.
  • Collaborate with senior IT leadership and Governance teams to develop audit plans and testing strategies based on enterprise risk assessments. Lead high-impact audits across infrastructure, cloud, applications, and cybersecurity domains.
  • Independently evaluate the design and operating effectiveness of IT controls, including access management, change management, data protection, network security, business continuity, and disaster recovery.
  • Assess automated evidence gathered by NAF’s Next Gen GRC/IRM platform. Partner with control owners to validate effectiveness and drive continuous improvement in evidence quality and timeliness for both internal and external audits.
  • Prepare executive-level audit reports that clearly articulate testing performed, risk exposure, control gaps, and actionable recommendations. Present findings to leadership, governance bodies, and external auditors.
  • Guide and monitor the implementation of remediation plans for audit findings, ensuring timely and effective resolution of identified issues. Conduct follow-up reviews to validate remediation efforts.
  • Support ongoing IT risk assessment efforts to identify areas of heightened risk. Recommend enhancements to control coverage and risk mitigation practices based on audit results and industry trends.
  • Serve as a trusted advisor between IT, business units, and external auditors. Ensure strong collaboration and alignment of controls testing and audit evidence across the organization.
  • Stay informed on emerging regulatory requirements, auditing standards, and technology trends. Interpret and apply requirements to improve NAF’s IT risk and compliance posture.

Benefits

  • health
  • dental & vision
  • retirement with company contribution
  • parental leave
  • mental health & wellness benefits
  • generous PTO
  • sales incentive pay for most sales roles
  • an annual bonus plan for eligible non-sales roles