Senior Governance, Risk, Compliance (GRC) Analyst
About The Position
Headway handles sensitive health data for millions of patients, necessitating a security and compliance program that scales with the business. The company is building out its dedicated GRC team to improve and mature its program. The role is part of the Security team and focuses on four key areas: security certifications (HITRUST, SOC 2, PCI-DSS, HIPAA), third-party risk management, security awareness training, and technical risk management. This is an opportunity to build a modern, AI-enabled compliance program at a company transforming mental healthcare delivery in the United States. The role reports to the Director of Security and collaborates closely with Privacy and Engineering teams.
Requirements
- 5+ years of experience in a GRC, compliance, or security risk role.
- Working knowledge of at least two of the following: HITRUST, SOC 2, PCI-DSS, or HIPAA.
- Experience using a GRC platform such as Vanta, Drata, OneTrust, or similar for automating evidence collection or managing controls.
- Ability to communicate compliance requirements clearly to both technical and non-technical audiences.
- A preference for building repeatable processes over one-off solutions.
- Enthusiasm for leveraging AI and modern tooling to scale compliance operations.
Nice To Haves
- Experience in healthcare or healthtech, with a practical understanding of HIPAA.
Responsibilities
- Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness by collecting evidence, coordinating with assessors, and tracking control gaps and remediation timelines.
- Build and manage the vendor security assessment lifecycle, including questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement during procurement and renewals.
- Establish and operate Headway's security awareness training program, covering onboarding modules, phishing simulations, annual compliance training, and completion tracking.
- Operate the centralized risk register by identifying, assessing, and tracking technical security risks through mitigation, and presenting risk-informed priorities to engineering and security leadership.
- Partner cross-functionally with Privacy, Legal, IT, and Engineering to integrate compliance into Headway's operations rather than treating it as an afterthought.
Benefits
- Equity compensation
- Medical, Dental, and Vision coverage
- HSA / FSA
- 401K
- Work-from-Home Stipend
- Therapy Reimbursement
- 16-week parental leave for eligible employees
- Carrot Fertility annual reimbursement and membership
- 13 paid holidays each year
- Holiday Break during the week between December 25th and December 31st
- Flexible PTO
- Employee Assistance Program (EAP)
- Training and professional development
Stand Out From the Crowd
Upload your resume and get instant feedback on how well it matches this job.
What This Job Offers
Job Type
Full-time
Career Level
Senior
Education Level
No Education Listed
