About The Position

Toast creates technology to help restaurants and local businesses succeed in a digital world, helping business owners operate, increase sales, engage customers, and keep employees happy. We are seeking a Principal Technical Risk Analyst to lead and mature Toast’s Technical Risk Program. This role will report to the Sr. Director of Technical Governance, Risk, & Compliance and is part of the Information Security Organization. This is a high-impact, senior individual contributor role responsible for owning the end-to-end cyber risk management program, including risk identification, assessment, reporting, and integration into enterprise risk and leadership decision-making. This role is not about maintaining a process — it is about building, operationalizing, and leading a program that drives real business decisions and outcomes. You will partner closely with Enterprise Risk Management (ERM); Security Engineering, Infrastructure, and Product teams; Technical Compliance and Governance teams; and senior leadership and executive forums. You will play a key role in advancing and scaling our Technical Risk program, further strengthening our data-driven approach to risk management and enabling informed, timely decision-making across the business.

Requirements

  • 8–12+ years of experience in Technical Risk, Security GRC, ERM, or related fields
  • Proven experience owning and leading a technical/cyber risk program
  • Strong understanding of:
    • Cybersecurity domains (cloud, infrastructure, IAM, application security)
    • Risk frameworks (NIST CSF, ISO 27001, etc.)
  • Experience operating in high-growth, complex, cloud-based environments
  • Demonstrated ability to:
    • Build and operationalize programs from 0 → 1 and 1 → scale
    • Drive predictable execution cadence and rigor
    • Translate ambiguity into structured, executable plans
  • Strong program management discipline (planning, tracking, follow-through)
  • Ability to:
    • Translate technical issues into clear risk narratives and business impact
    • Prioritize risks based on impact and likelihood
    • Drive data-informed decision-making
  • Exceptional communication skills:
    • Executive-ready written and verbal communication
    • Ability to structure updates: What / So What / Now What / Decision Needed
  • Proven ability to influence:
    • Senior stakeholders
    • Cross-functional teams without direct authority
  • Experience with GRC tools such as Optro (fka AuditBoard; preferred), ServiceNow GRC, Workiva, etc.
  • Ability to:
    • Drive tool adoption and configuration
    • Translate business processes into scalable system workflows

Nice To Haves

  • Experience integrating technical risk into ERM programs
  • Experience building risk dashboards, metrics, and reporting frameworks
  • Familiarity with automation, AI, or data-driven GRC approaches
  • Relevant certifications (CISSP, CISM, CISA, CRISC)

Responsibilities

  • Own and Lead the Technical Risk Program
    • Own the end-to-end cyber risk lifecycle: risk identification, assessment, prioritization, mitigation tracking, and reporting
    • Establish and operationalize a scalable risk operating model (risk discovery → intake → assessment → reporting → monitoring)
    • Ensure the program operates with a predictable cadence, clear ownership, and strong execution rigor
    • Drive adoption of the program across Security, Product, Engineering, and Infrastructure teams
  • Lead Technical Risk Management Across the Lifecycle
    • Lead the end-to-end technical risk management lifecycle through close partnership with cross-functional stakeholders
    • Establish and scale risk discovery mechanisms, including:
      • Stakeholder engagement across Engineering, Product, Infrastructure, and Security
      • Inputs from audits, incidents, assessments, and external signals
    • Ensure continuous identification and prioritization of emerging and high-impact risks
    • Translate technical issues into clear, business-relevant risk narratives
    • Act as a trusted partner and challenger, influencing stakeholders to drive timely risk mitigation and resolution
  • Drive Risk Program Maturity and Transformation
    • Lead the evolution of the technical risk program to support scale, consistency, and improved visibility
    • In partnership with ERM, operate within, suggest enhancements to, and manage the following:
      • Risk taxonomy and classification models
      • Risk assessment and prioritization frameworks
      • Risk-to-control mapping (linking risks to the controls and a Common Controls Framework)
    • Own and evolve the use of Optro (fka AuditBoard) RiskOversight as the system of record
    • Improve data quality, reporting capabilities, and workflow scalability
    • Operationalize the program within AuditBoard RiskOversight (Optro) as the system of record
    • Build scalable processes that enable automation, reporting, and AI use cases
  • Enable Risk Governance and Decision Making Through Risk Insights
    • Develop and deliver clear, executive-ready risk reporting and dashboards
    • Manage and lead the Technical Risk Subcommittee and related governance forums:
      • Prepare committee materials to ensure meetings are structured, actionable, and decision-oriented
      • Clearly articulate risks, impacts, and recommended actions
    • Provide leadership with:
      • Visibility into top risks, mitigation plan progress, and trends
      • Clear trade-offs and prioritization inputs
    • Partner with Enterprise Risk Management (ERM) to align on risk taxonomy, reporting, and governance
    • Communicate, report, and escalate upward to the Enterprise Risk and Compliance Committee (ERCC)

Benefits

  • Competitive compensation and benefits programs
  • Cash compensation (overtime, bonus/commissions if eligible)
  • Equity
  • Benefits