Senior GRC Analyst

Morgan & Morgan, P.A.
Orlando, FL
Remote

About The Position

Morgan & Morgan is seeking a Senior GRC Analyst to join their Risk & Resilience Program. This is a full-time, ground-floor opportunity to build a Governance, Risk, and Compliance (GRC) program from scratch. The role involves end-to-end ownership of workstreams such as Third-Party Risk Management (TPRM), policy lifecycle management, risk register calibration, and security awareness program design. The Senior GRC Analyst will report directly to the Director of Business Continuity and will play a key role in shaping how risk is managed across the national law firm. This position is ideal for someone who wants to build a mature program rather than maintain an existing one.

Requirements

  • 4–6+ years in GRC, IT audit, compliance, or information security
  • Deep hands-on experience in a GRC platform; Vanta strongly preferred
  • Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1; experience mapping controls across multiple frameworks
  • ISC2 CC/CCSP or ISACA CRISC/CISA required, or other ISC2 or ISACA related certifications (CISSP, CISM)
  • Direct experience leading external audits or client security due diligence as primary point of contact, including findings negotiation
  • Experience designing a security awareness program
  • Comfortable operating independently
  • Bachelor’s degree in Information Security, Risk Management, Computer Science, or related field; equivalent experience considered

Responsibilities

  • Build and own the end-to-end TPRM process: risk tiering, assessment criteria, and escalation thresholds.
  • Lead risk assessments for the firm’s highest-exposure vendor relationships.
  • Bring risk acceptance and remediation recommendations to the Director; own the analysis behind the decision.
  • Run the full policy lifecycle: drafting, review cadence, approval workflows, and firm-wide attestation tracking.
  • Write policy content directly, translating framework requirements into language that works for a law firm.
  • Identify and close policy gaps against ISO 27001, NIST CSF, and CIS v8.1.
  • Own the enterprise risk register: methodology, scoring calibration, and quarterly review cadence.
  • Lead control testing and gap assessment in Vanta; design remediation plans.
  • Spot emerging risk trends and bring recommendations.
  • Assist with the design of the security awareness program strategy: content calendar, phishing simulation progression, targeted training for high-risk roles, and Program Champions.
  • Analyze effectiveness data and adjust the program based on results.
  • Serve as a point of contact for cyber insurance audits, major client security due diligence, and regulatory inquiries.
  • Own the audit calendar and evidence readiness posture.
  • Build and maintain the GRC reporting suite for CIO-level consumption.
  • Identify maturity gaps against framework requirements and bring prioritized roadmap recommendations to the Director.
  • Interface with the BC/DR and Crisis Management program on control alignment, vendor dependencies surfaced in BIAs, and recovery capability assumptions.
  • Coordinate with the Privacy function on data inventory, state privacy law obligations, and third-party data handling risks.
  • Serve as a working mentor to the GRC Analyst once hired.

Benefits

  • Medical and dental insurance
  • 401(k) plan
  • Paid time off
  • Paid holidays
© 2026 Teal Labs, Inc