Lead Security Risk Analyst (GRC)

About The Position

Requirements

• At least 7+ years' experience directly in cybersecurity fields, with a demonstrated track record of leading complex GRC projects in at least two of the following areas: cyber risk management, vendor security management, policy & compliance, security awareness and communication
• A deep understanding of risk assessment methodology, NIST 800-53, CIS, and associated security and privacy rules
• Strong knowledge and experience with operational risk management, covering the full lifecycle of activities, including risk identification, assessment, mitigation, monitoring, and reporting
• Functional knowledge of security domains and information security industry standard and best practices
• Strong knowledge of third-party assessments, IT risk management, regulatory requirements and compliance and its overall business processes, controls and risk exposure
• Ability to identify and recommend tools, processes, and software to automate and continuously improve security and compliance practices.
• Technical understanding of cloud-based security in an AWS environment
• Proven track record as a strong communicator both in written and oral presentations; capable of rapidly creating detailed, yet concise documentation
• Proven analytical abilities and using data/facts for decision-making
• Exceptional organizational skills with the ability to prioritize and manage multiple projects at the same time.
• A self-motivated person who can influence and drive cross-functional teams, promoting timely and effective communication
• Good organizational skills, proactive and self-sufficient with a proven ability to work independently and prioritize deliverables

Nice To Haves

• Previous experience with GRC solutions - Archer, Workiva, LogicGate etc
• Security Certifications of CISSP, CISM, CRISC, CISA a plus

Responsibilities

• Work with the GRC leader to provide guidance and solutions that protect Justworks, our products, customers and employees.
• Support GRC leader to build GRC strategy and multi-year roadmaps to mature Justwork’s GRC function.
• Provide technical leadership to build GRC’s capabilities such as cyber risk management, vendor security assessment, security training and communications, and our compliance program.
• Assist GRC leader to define Justworks risk management framework, leveraging NIST 800-53, CIS and others.
• Work with GRC leader to develop the compliance program for both regulatory compliance such as SOC2, GDPR, and compliance to our Justworks policies and standards.
• Monitor and analyze changes in relevant regulations and industry standards such as CCPA, GDPR, adapting company policies and procedures as needed.
• Partner with Engineering, IT, People, and Finance on control requirements and evidence production proactively in anticipation of SOC2/SOx, and customer audits.
• Lead and drive security assessments to enable the global Justworks to identify, assess, treat and monitor (via risk register) cybersecurity risks.
• Oversee findings brought forward through the risk reporting and risk exception process and report to security leadership where gaps exist.
• Collaborate with all stakeholders across the company to provide risk visibilities, and more importantly to lead and drive the mitigation of cyber risks.
• Drive on-going security assessments to enable the global Justworks to identify, assess, treat and monitor cybersecurity risks.
• Build a risk aware culture by maturing existing risk management processes to monitor, track, measure and report cyber risks.
• Partner with stakeholders when onboarding vendor solutions to ensure adequate controls are available and enabled in production.
• Build a robust vendor risk management program, including evaluating software supply chain security, vendor security assessments, and assurance vendor incident reporting.
• Oversee vendor relationship for applicable third party vendors providing service delivery of GRC related functions including but not limited to vendor management, security awareness training, GRC management and others.
• Engage with organizational stakeholders to develop and implement engaging and effective security and compliance training programs.
• Drive timely & effective communication via collaboration with various stakeholders including IT, Cyber Defense Operations, Security Architecture & Engineering, People Operations, Customer Service and Marketing.
• Provide mentorship and day-to-day support to GRC analysts to enable the team to deliver best work and develop their professional skills.
• Work with the Security Architecture and Engineering team to identify and implement missing capabilities for GRC to mature and advance GRC’s capabilities.
• Perform other related duties as assigned.