Senior IT GRC Advisor

Community Care of North Carolina Inc, Cary, NC

About The Position

The Senior IT GRC Advisor is responsible for leading and maturing CCNC's enterprise IT Governance, Risk, and Compliance program. This role serves as a senior advisor to leadership and works in alignment with IT Security and IT Leadership on IT risk, cybersecurity governance, internal controls, regulatory obligations, and audit readiness, while maintaining practical, business-aligned processes that strengthen the control environment across infrastructure, applications, cloud platforms, vendors, data protection, and strategic technology initiatives. The Senior IT GRC Advisor is accountable for the development, implementation, and continuous improvement of IT GRC methodologies, policies, standards, risk assessments, issue management, reporting, and advisory services that support secure and compliant operations.

Requirements

  • Bachelor’s degree in information technology, cybersecurity, information systems, accounting, audit, risk management, or a related field.
  • Minimum of 7 years of progressive experience in IT audit, IT risk management, cybersecurity compliance, or GRC program leadership.
  • Demonstrated experience planning and leading complex IT audit, risk assessment, or advisory engagements.
  • Experience developing or maturing GRC programs, frameworks, policies, risk registers, metrics, or issue management processes.
  • Experience assessing third-party and vendor risk and reviewing assurance artifacts such as SOC reports, penetration tests, and security certifications.
  • Experience conducting cloud risk or compliance assessments in AWS, Azure, or similar environments.
  • One or more of the following certifications is required: CISA, CISSP, CISM, CRISC, CGEIT, CDPSE, or equivalent.

Nice To Haves

  • Working knowledge of the HIPAA Security Rule and recognized security practices relevant to safeguarding ePHI.
  • Experience with AI governance, AI risk assessments, or AI assurance reviews.
  • Experience in continuous controls monitoring, executive reporting, and program maturity improvement.
  • Experience in healthcare, regulated environments, or privacy and security compliance programs preferred.

Responsibilities

  • Lead the enterprise IT GRC program, including governance structures, risk management processes, policy oversight, control framework alignment, and reporting on program effectiveness to leadership.
  • Demonstrate strong critical thinking and professional skepticism to assess control design and operating effectiveness, analyze requirements, data, and processes in context, and provide defensible, risk-based recommendations to management.
  • Plan, lead, and execute IT risk assessments, audits, and advisory engagements across infrastructure, applications, cloud services, cybersecurity processes, data protection controls, and enterprise technology initiatives.
  • Develop, maintain, and mature the IT risk register and issue management process, including documenting risks, assigning ownership, tracking remediation plans, validating closure, and reporting residual risk and trends to leadership.
  • Establish and maintain GRC metrics, dashboards, KPIs, and KRIs to provide leadership with meaningful visibility into control effectiveness, audit readiness, remediation status, and emerging risk trends.
  • Collaborate with IT, Security, Privacy, Legal, Compliance, Internal Audit, and business stakeholders to strengthen internal controls and implement sustainable corrective and preventive actions.
  • Advise on large-scale enterprise projects, system implementations, and technology changes by embedding risk, compliance, control, and governance requirements throughout the project and system lifecycle.
  • Lead third-party and vendor risk management activities, including due diligence, control reviews, evidence evaluation, contract and security requirement alignment, ongoing monitoring, and escalation of material risks. Assess third-party controls, including SOC reports, HITRUST certifications, penetration testing results, policy documentation, and other independent assurance artifacts to evaluate control design and operating effectiveness.
  • Conduct cloud and SaaS compliance assessments across platforms such as AWS and Azure, with emphasis on shared responsibility, configuration governance, access management, identity governance, and evidence-based validation of security controls.
  • Evaluate identity and access management controls, including privileged access management, role-based access control, user provisioning and deprovisioning, and workforce access appropriateness.
  • Support the organization’s preparedness for internal and external audits, regulatory reviews, and control assessments by coordinating evidence, validating remediation, and improving documentation quality and audit readiness.
  • Assess IT and security policies, standards, procedures, and governance artifacts for alignment to recognized frameworks and regulatory expectations. Provide risk-based and business-centric recommendations to address gaps.
  • Develop and facilitate workforce education and awareness programs related to security, privacy, compliance, and internal controls, with a focus on practical risk ownership and control accountability.
  • Coordinate with operational and technical teams to evaluate incident response, disaster recovery, and business continuity control design and testing from a GRC perspective.
  • Support responsible AI governance and AI assurance efforts by assessing governance structures, usage controls, risk mitigation approaches, and emerging compliance expectations related to AI-enabled tools and processes.
  • Develop and maintain GRC methodologies, templates, repositories, internal sites, and reporting artifacts that improve consistency, efficiency, and program maturity.
  • Fulfill other GRC responsibilities as assigned by management.

Benefits

  • Competitive Benefits Package effective first day of employment
  • Opportunities for growth, training, and bonus incentives