Sr. Governance, Risk & Compliance Analyst

LendingPoint™ · Kennesaw, GA
Onsite

About The Position

Responsible for leading the organization’s governance, risk, and compliance program with a primary focus on PCI DSS, SOC 2 (Type I & II), and banking partner security oversight. This role serves as the primary point of contact for external auditors, QSAs, and bank partners, ensuring the organization maintains a strong, audit-ready security posture aligned with regulatory expectations and contractual obligations.

Requirements

  • Bachelor’s degree in Information Security, Cybersecurity, Information Technology, Risk Management, or a related field, preferred.
  • 5+ years of experience in Information Security, Compliance, or Risk Management.
  • Deep hands-on experience managing PCI DSS programs in regulated or bank-integrated environments.
  • Proven experience leading SOC 2 Type I & II audits end-to-end.
  • Strong understanding of banking partner security expectations, third-party risk management, and regulatory oversight.
  • Experience working cross-functionally with Security Engineering, Infrastructure, Legal, and Compliance teams.
  • Relevant certifications: CISSP, CISA, CISM, PCI ISA, or QSA (or working toward).

Nice To Haves

  • Experience in FinTech, banking, or highly regulated SaaS environments, preferred.
  • Familiarity with NIST CSF, ISO 27001, and vendor risk frameworks, preferred.
  • Hands-on experience with GRC tooling (risk registers, evidence repositories, workflow automation), preferred.

Responsibilities

PCI DSS Program Ownership

  • Own and manage the end-to-end PCI DSS compliance program, including scope definition, control validation, evidence collection, and remediation tracking
  • Serve as the primary liaison with external Qualified Security Assessors (QSAs) for annual assessments, ROC/AOC delivery, and ongoing advisory support
  • Coordinate quarterly ASV scans, penetration testing, and continuous compliance activities
  • Maintain PCI-related policies, procedures, and responsibility matrices aligned with PCI DSS 4.0 expectations and bank partner requirements

SOC 2 Governance & Audit Management

  • Lead annual SOC 2 Type II readiness and examinations across all Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)
  • Manage audit timelines, evidence requests, auditor communications, and management responses
  • Partner with internal teams to ensure control design and operating effectiveness are maintained throughout the year
  • Drive continuous improvement initiatives based on audit observations and risk assessment outcomes

Banking Partner & Third-Party Security Oversight

  • Act as the primary security point of contact for banking partners, responding to due diligence requests, security questionnaires, and onsite/virtual assessments
  • Support new bank integrations by providing security documentation, control mappings, and risk summaries
  • Coordinate remediation activities tied to bank partner findings or contractual security requirements
  • Build trusted relationships with partner risk, compliance, and information security teams

Risk Management & GRC Operations

  • Own the enterprise risk assessment process, including risk identification, analysis, treatment planning, and executive reporting
  • Maintain audit-ready documentation within the GRC platform, ensuring traceability across risks, controls, and remediation plans
  • Partner with Vendor Management and Legal to support third-party risk assessments and contract security requirements
  • Develop and maintain security policies, standards, and procedures aligned with SOC 2, PCI DSS, NIST CSF, and banking expectations

Leadership & Cross-Functional Collaboration

  • Provide guidance and oversight to GRC analysts or compliance contributors (direct or matrixed)
  • Translate complex regulatory requirements into clear, actionable guidance for technical and business teams
  • Deliver executive-level updates on compliance posture, audit status, and risk trends
  • Support board-level and executive reporting as needed for audits, bank reviews, and regulatory inquiries