Cybersecurity GRC Analyst

About The Position

Requirements

• University degree in Information Technology, Computer Science, Computer Engineering, or an equivalent
• Six to nine years of relevant experience in information security and IT, including experience in a GRC-focused role supporting enterprise environments (endpoint and identity security).
• Maintains one or more active, industry-recognized certifications (e.g., CISSP, CRISC, CISA, Certified Ethical Hacker, or equivalent)
• Experience working with Microsoft Security and Compliance solutions
• Strong experience in identity governance and conditional access (e.g., Entra ID)
• Hands-on experience with XDR tools and familiarity with SIEM/SOAR platforms, including automated workflows/playbooks
• Solid understanding of Zero Trust security principles and modern security architectures
• Knowledge of MITRE ATT&CK and experience with threat modeling methodologies
• Strong knowledge of cyber risk management, cybersecurity frameworks, and business continuity practices, including BCP and Disaster Recovery (DR)
• Demonstrated business acumen with strong analytical, problem-solving, and decision-making skills
• Excellent communication and presentation skills, with the ability to effectively influence and collaborate with both technical and non-technical stakeholders

Nice To Haves

• Additional certifications considered an asset include CISM, ISACA Advanced in AI Security Management (AAISM), ITIL, PMP, or an MBA (or equivalent)
• Exposure to or experience with AI-driven security tools and controls is an asset
• Experience with API-based integrations and automation (e.g., REST, Microsoft Graph API).

Responsibilities

• Maintaining and continuously improving cybersecurity policies, standards, and controls, ensuring alignment with recognized frameworks such as CIS, NIST, and ISO 27001.
• Serving as the primary point of contact for cybersecurity-related audits, coordinating activities including evidence collection and remediation tracking.
• Overseeing security exception and risk acceptance processes.
• Integrating governance for artificial intelligence (AI) and emerging technologies into existing frameworks, including assessing associated organizational risks and providing guidance on regulatory and ethical considerations.
• Maintaining the enterprise cybersecurity risk register, including risk ratings, remediation expectations, and escalation thresholds.
• Assessing and documenting risks arising from vulnerabilities, incidents, third-party findings, and control gaps.
• Developing and maintaining cybersecurity dashboards, key risk indicators (KRIs), and key performance indicators (KPIs).
• Providing regular reporting to senior leadership on emerging cybersecurity risks and overall security posture.
• Maintaining visibility of vulnerabilities across infrastructure, cloud, and applications, assessing business impact, particularly related to sensitive data exposure.
• Tracking remediation progress, escalate overdue critical items, and document residual risk and risk acceptance where remediation is deferred.
• Overseeing controls protecting sensitive data, including personal and health information (PII/PHI).
• Collaborating on data governance initiatives, including data classification and data loss prevention (DLP), and report on application and data-related risks.
• Work closely with the Senior Security Architect to conduct threat modeling for new and existing applications and validate secure coding practices, SAST/DAST scanning, and remediation effectiveness.
• Reviewing and reporting on application risks related to identity and access management, API security, data protection, and third-party dependencies.
• Overseeing quarterly privileged access and identity certification reviews.
• Reviewing major incident reports, validating root cause analysis and corrective actions.
• Monitoring recurring control failures and systemic weaknesses across infrastructure, applications, and AI systems.
• Conducting third-party cybersecurity risk assessments, including vendors providing AI-enabled services.
• Monitoring remediation commitments and risk acceptance documentation.
• Facilitating periodic technical and management tabletop exercises.
• Supporting phishing simulations and broader cybersecurity awareness initiatives.

Benefits

• A work environment whose values are to be respectful, bold, responsive, and transparent in our work and our behaviours
• A fantastic opportunity to grow with the team and help shape the strategic direction of the OMA, its members and the health-care system
• An organization that is committed to the equity, diversity and inclusion principles of humility, accountability, collaboration, courage and integrity
• A commitment to growth and development through paid professional development and continuous in-house learning
• A friendly and flexible hybrid work environment
• Competitive total rewards package including a hiring salary range of $92,835 - $98,640 plus pension plan and a bonus program
• Exceptional group benefits package, including a spending account and a robust wellness program
• An organization that has been recognized as a Greater Toronto’s Top Employers for six consecutive years.