Lead GRC Analyst

TherapyNotes.com
Posted 20h ago · $125,000 - $165,000 · Remote

About The Position

TherapyNotes is seeking an experienced cybersecurity professional to join our team of technology enthusiasts. The right candidate should have a focus on cybersecurity compliance, security control implementation, risk and vulnerability management, continuous monitoring, and security awareness training. The role will serve as the liaison for external audits, oversee an internal cybersecurity audit program, and lead a team of GRC Analysts. This role requires a strong understanding of regulatory requirements, risk management frameworks, and industry best practices.

Requirements

  • BS degree in Information Security, Risk Management, Business Administration, or related field
  • 5+ years of experience in GRC, risk management, or related fields, with demonstrated leadership experience
  • Strong knowledge of regulatory requirements (e.g., GDPR, HIPAA, PCI-DSS, CPRA) and industry standards (e.g., ISO 27001, NIST)
  • Expert in designing, implementing, and maintaining security solutions
  • Experience developing and implementing GRC frameworks, policies, and procedures
  • Excellent analytical skills with the ability to assess complex risks and develop effective mitigation strategies
  • Exceptional communication and interpersonal skills, with the ability to effectively collaborate with stakeholders at all levels of the organization
  • Proven ability to lead and manage projects, including coordinating cross-functional teams and delivering results on time
  • Ability to adapt to a fast-paced and dynamic environment, with a focus on continuous improvement and innovation
  • Proficiency with security standards and secure configuration baselines such as CIS or OWASP
  • Proficiency with cloud-based solutions and web-related technologies

Nice To Haves

  • Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified in Risk and Information Systems Control (CRISC) strongly preferred
  • Understanding of modern approaches to GRC such as Policy-as-Code and Compliance-as-Code

Responsibilities

  • Architect, implement, and continuously mature the organization’s Governance, Risk, and Compliance (GRC) program, aligning it with HIPAA-HITECH, HITRUST CSF, state privacy regulations, GDPR, and other applicable regulatory frameworks.
  • Lead organization-wide risk identification, analysis, and treatment processes using structured methodologies to conduct risk assessment, identify gaps, and develop mitigation plans.
  • Lead end-to-end third-party risk management activities, including structured vendor security assessments, evaluation of assurance artifacts (SOC 2, ISO 27001, penetration tests), risk impact analysis and residual risk determination.
  • Conduct formal risk assessments across infrastructure, application, vendor, and business process domains.
  • Collaborate with cross-functional teams to integrate GRC principles into business processes and systems.
  • Monitor evolving regulatory requirements, enforcement trends, and industry best practices to proactively adjust the organization’s compliance program.
  • Provide guidance and training to employees on GRC policies, procedures, and best practices.
  • Oversee the execution of audits, assessments, and compliance activities to validate adherence to compliance standards.
  • Ensure documentation artifacts support evidentiary requirements for regulatory examinations and certification audits.
  • Act as a liaison with external auditors, regulators, and stakeholders on GRC-related matters.
  • Develop and maintain key performance indicators (KPIs) and metrics to measure the effectiveness of GRC initiatives.
  • Mentor and coach GRC analysts, fostering their professional development and growth within the organization.
  • Drive continual improvement of the organization’s information security program, ensuring alignment with HITRUST CSF, HIPAA, GDPR, ISO 27701, and other frameworks as required.
  • Identify and document cyber risks and manage mitigation, follow up on open security risks, and report issues to leadership.
  • Assist with ad-hoc compliance reporting and follow up with customers and/or support partners to ensure all identified vulnerabilities are being addressed.
  • Provide support to Information Security Incident Response team during cyber/privacy incidents.
  • Review architectural designs and new technology initiatives to validate alignment with regulatory and internal security requirements.
  • Ensure the running application and the codebase under development protect the confidentiality, integrity, and availability of our customers' data.
  • Evaluate the technical security posture of newly proposed third-party solutions.

Benefits

  • Competitive salary - $125,000-$165,000
  • Employer sponsored health, dental, vision, life, and disability insurance
  • Retirement plan with company contribution
  • Annual company profit sharing
  • Personal development/training budget
  • Open, collaborative work environment
  • Extensive 2-week onboarding plan
  • Comprehensive mentorship program
© 2024 Teal Labs, Inc