GRC Analyst

Momentum, Dallas, TX
Onsite

About The Position

Momentum is a respected collection of independent companies, including PMG, Koddi, and Further, serving as a premier global business transformation partner for over 125 of the Fortune 500 brands. With 1,400 global employees and $5B in media spend under management, Momentum fosters a fast-growing, values-driven, people-first environment. The portfolio companies partner with iconic and ambitious brands, combining scalability with a solutions-oriented approach to deliver fast-paced, innovative results and create meaningful growth opportunities. Momentum values a culture of belonging, inclusion, and diversity.

The Security GRC & Risk Analyst will own the governance, risk, and compliance execution layer across a holding company and its portfolio of businesses. This build-oriented role will be the internal anchor for the SOC 2 Type II audit, NIST CSF remediation roadmap, security policy library, vendor risk program, and client-facing security questionnaires. The analyst will work directly with the Cybersecurity Manager and a vCISO partner, collaborate with the Data Privacy legal team on overlapping policy areas, and engage regularly with portfolio company stakeholders. This role specifically owns the technical controls layer, including evidence, frameworks, audit coordination, and the vendor risk program. This is a full-time role based in the Dallas office.

Requirements

  • 5-7 years in GRC, security compliance, risk management, or a closely related security function.
  • Hands-on experience owning or supporting a SOC 2 Type II audit: evidence collection, control mapping, and auditor coordination.
  • Solid working knowledge of NIST CSF: gap assessments, control mapping, and remediation tracking.
  • Demonstrated experience building or formalizing a security policy library, not just updating existing documents.
  • Experience managing third-party and vendor risk assessments using a tiered risk model.
  • Experience responding to client security questionnaires: SIG, CAIQ, or similar formats.
  • Clear understanding of the boundary between GRC and legal/privacy functions. Proven ability to work alongside a legal team without blurring lanes.
  • Strong written communication: you can translate technical controls into clear, accurate language for clients, auditors, and executives.
  • Disciplined project management: you own timelines, follow up without being asked, and don't let things fall through.
  • Active daily use of AI and automation. We operate at 100% internal AI adoption. Non-negotiable.

Nice To Haves

  • GRC platforms: OneTrust, Drata, Vanta, Whistic, or similar.
  • Security awareness platforms: KnowBe4 or equivalent.
  • ITGC working knowledge across identity (Okta), SaaS (Google Workspace), cloud (AWS, GCP, Azure), and endpoint (CrowdStrike).
  • BCP/DR frameworks: BIA methodology, RTO/RPO definition, and tabletop exercise facilitation.
  • AI governance frameworks: NIST AI RMF or EU AI Act.
  • Familiarity with CASB, DLP, or cloud security posture tooling from a compliance and documentation standpoint.
  • Private equity, holding company, or multi-entity compliance environment experience strongly preferred.

Responsibilities

  • Own the internal SOC 2 Type II evidence collection process, keeping controls audit-ready year-round. Manage the audit timeline, day-to-day liaison with the external auditor, and remediation finding closure between cycles.
  • Own the NIST CSF remediation roadmap: maintain the gap register, report progress to the VP and vCISO on a defined cadence, and coordinate with portfolio company IT teams to assess and close control gaps.
  • Build and maintain a unified controls library mapping SOC 2 Trust Services Criteria, NIST CSF subcategories, and applicable regulatory requirements.
  • Prepare the organization for bi-annual NIST CSF assessments, ensuring controls are documented and defensible.
  • Operationalize the enterprise-wide information security policy library across the corporate entity and portfolio companies. Inventory gaps against SOC 2, NIST CSF, and applicable regulations; draft, publish, and version-control policies in coordination with the vCISO.
  • Build and maintain annual policy attestation workflows across all employees. Bridge with the Data Privacy legal team on overlapping areas: data classification, retention, and incident notification.
  • Develop and maintain the AI governance framework: tool intake review, data handling risk assessment, and acceptable use policy. Evaluate AI tools proposed across the corporate entity and portfolio companies against security and compliance standards.
  • Own AI-related policy documentation and track emerging regulatory requirements including the EU AI Act and NIST AI RMF.
  • Build and maintain a risk register with risk-to-control mapping. Define and document formal risk tolerance and appetite in coordination with the vCISO and leadership.
  • Own the third-party risk management program. Define and implement a tiered due diligence model (critical, high, medium, low) and conduct recurring reviews of critical service providers.
  • Manage vendor risk assessments for tools under evaluation — SASE, CASB, DLP, AI governance tooling, and security platform consolidation. Coordinate with the Data Privacy legal team on vendors with material data processing obligations.
  • Lead operationalization of the GRC platform (OneTrust) for centralized vendor inventory, risk scoring, and lifecycle management.
  • Manage and respond to inbound security questionnaires from portfolio company clients (SIG, CAIQ, and custom formats). Build and maintain a response library to improve turnaround time and accuracy.
  • Coordinate with the Cybersecurity Operations Engineer to validate technical control responses and keep answers current as the security stack evolves.
  • Own ITGC audit controls across identity, endpoint, cloud, and SaaS platforms. Support internal audit responses and evidence requests beyond the annual SOC 2 cycle.
  • Own BCP/DR formalization: develop a business continuity charter, coordinate Business Impact Analysis across the corporate entity and portfolio companies, define RTO/RPO for critical operations, and ensure crisis management is embedded in the IR framework.
  • Manage the KnowBe4 security awareness training program: campaign management, phishing simulations, completion tracking, and leadership reporting.
  • Manage the security testing program as the organization transitions from annual to continuous autonomous pentesting. Own vendor relationships, track findings to remediation, and produce executive-ready reporting.

Benefits

  • Comprehensive total rewards package designed to provide protection, peace of mind, and a focus on overall well-being while helping our people plan for the future.
  • Discretionary annual bonus, determined based on both the company's business performance and individual contributions.
  • Comprehensive benefits package for our full-time employees, encompassing healthcare benefits.
  • A 401(k) plan with an employer match.
  • Short-term and long-term disability coverage.
  • Life insurance.
  • Paid time off.
  • Parental leave.
  • Various paid holidays.
  • Opportunities for involvement in a wide range of challenging and impactful projects, across diverse industries and business models, fostering career advancement and development within our growing organization.
  • Highly collaborative and supportive culture.
© 2024 Teal Labs, Inc