GRC Cybersecurity Lead

About The Position

Requirements

• Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related field.
• 8+ years of progressive experience in cybersecurity GRC, IT audit, information security, or compliance (at least 3 years focused on policy, risk, and/or compliance).
• Hands-on experience operating a cybersecurity risk register and end-to-end risk management lifecycle.
• Experience supporting audits or certifications under at least two of: NIST CSF, HITRUST, HIPAA, PCI DSS, SOC 2.
• Deep working knowledge of NIST CSF, HITRUST CSF, HIPAA Security and Privacy Rules, and PCI DSS 4.0.
• Familiarity with adjacent frameworks: SOC 2, ISO/IEC 27001, NIST SP 800-53, NIST SP 800-171.
• Experience reviewing and red-lining cybersecurity provisions in commercial contracts, BAAs, and DPAs.
• Experience with at least one GRC platform (Archer, ServiceNow GRC, OneTrust, LogicGate, AuditBoard, Hyperproof, Drata, Vanta, or similar).
• Strong written and verbal communication; able to translate technical risk into business language for executive, board, and client audiences.
• Proven ability to manage multiple workstreams and deadlines in a matrixed, cross-functional environment.

Nice To Haves

• One or more of: CISSP, CISA, CISM, CRISC, CIPP, HCISPP, HITRUST CCSFP, or PCI ISA.
• Experience in healthcare, financial services, fintech, payments, or other heavily regulated industries.
• Hands-on experience supporting HITRUST r2 certification and/or PCI DSS 4.0 attestation.
• Working knowledge of HIPAA, GDPR, CCPA/CPRA, and U.S. state privacy laws.
• Familiarity with cloud platforms (AWS, Azure, GCP) and SaaS environments, including shared responsibility models.
• Experience in an organization undergoing rapid growth, M&A activity, or platform modernization.

Responsibilities

• Own enterprise-wide cyber risk analysis and reporting, from methodology to board-level dashboards.
• Develop and continuously refine risk assessment methodologies, scoring models, and risk appetite statements.
• Identify, evaluate, and quantify cybersecurity risks; recommend mitigation strategies and track remediation to closure.
• Lead annual and ad hoc enterprise risk assessments, including third-party/vendor risk reviews.
• Coordinate tabletop exercises and Incident Response Plan testing.
• Keep all cybersecurity policies, standards, and procedures current and aligned to NIST CSF, HITRUST CSF, HIPAA, and PCI DSS 4.0.
• Lead the annual policy review and approval cycle, including version control, exception management, and stakeholder sign-off.
• Develop and map controls across frameworks to minimize duplication and audit fatigue.
• Communicate policy changes and provide interpretive guidance to internal stakeholders and control owners.
• Partner with Compliance, IT, Engineering, Product, Legal, HR, Finance, and Operations to ensure risks are captured in OSG’s enterprise risk register.
• Maintain accuracy and completeness of the risk register; track treatment plans and accept/transfer/mitigate/avoid decisions.
• Facilitate risk review forums, steering committees, and quarterly risk governance meetings.
• Escalate critical or unresolved risks to the CISO and executive leadership.
• Work with Compliance to ensure cybersecurity policies meet regulatory requirements (HIPAA, PCI DSS, state privacy laws) and client contractual obligations.
• Support internal and external audits; HITRUST, SOC 2, PCI DSS, HIPAA, and client audits including coordinating evidence, responses, and remediation.
• Track regulatory and framework changes and translate them into actionable policy and control updates.
• Manage client-facing security questionnaires and assessments (CAIQ, SIG, HITRUST inheritance, custom questionnaires).
• Review MSAs, vendor contracts, BAAs, DPAs, and other agreements to confirm cybersecurity and data protection sections meet OSG and regulatory requirements.
• Validate clauses covering data protection, breach notification, audit rights, subcontractor controls, encryption, retention, and data return/destruction.
• Partner with Legal, Procurement, and Sales to negotiate security-related contract language.
• Maintain a library of standard security clauses, fallback positions, and contract templates.
• Serve as the senior subject-matter expert for GRC, mentoring analysts and influencing stakeholders across the organization without formal reporting authority.
• Build strong relationships with IT, Engineering, Product, Legal, Compliance, Privacy, Internal Audit, and HR.

Benefits

• Health Insurance (EPO & HRA options)
• Dental Insurance
• Vision Insurance
• Short & Long Term Disability
• Flexible Spending Accounts
• Life Insurance
• Accident & Critical Illness Insurance
• Company 401(k) Matching Contribution
• Paid Time Off (PTO)
• Employee Assistance Program (EAP)