
Information Security GRC Analyst

Remote: Full Remote
Salary: 4 - 110K yearly
Experience: Mid-level (2-5 years)

Offer summary

Qualifications:

  • 3+ years of experience in information security.
  • Relevant security certifications preferred.
  • Training in compliance frameworks such as SOC 2, HIPAA.
  • Bachelor's in computer science or related field.

Key responsibilities:

  • Conduct risk assessments and manage risk registry.
  • Develop and implement security policies and awareness programs.
Consensus Cloud Solutions SME https://www.consensus.com/
501 - 1000 Employees

Job description

Consensus Cloud Solutions is a publicly traded, leading digital cloud fax and interoperability solutions organization in the United States and globally, focusing on connecting and empowering healthcare providers, payers, care teams, and technology innovators to unify multiple systems that wouldn’t otherwise talk to each other. Consensus is a trailblazer in our industry and believes that data transformation will reshape the world of healthcare.

Founded over 25 years ago, Consensus leverages its technology heritage to move from simple digital documents to advanced healthcare standards (HL7/FHIR) for secure data transport, as well as Natural Language Processing (NLP) and Artificial Intelligence (AI) to convert unstructured to structured, analytics-ready data, helping users unveil information that is meaningful and actionable for better patient care.  

With more than 11 million users worldwide, Consensus leads the industry in data exchange solutions and we’re only getting started! With exciting new initiatives on the horizon, we are continuing our strategic expansion and we are looking to add to our diverse team of innovators. 

Now is the ideal time to join us in our mission to solve healthcare’s biggest challenges, and work collaboratively with a diverse team of like-minded self-starters and partners to accomplish it. 

Consensus Cloud Solutions is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive and equitable environment for all employees. We offer many remote and hybrid career opportunities.

 

How you will impact the organization…

The Information Security GRC Analyst supports the organization’s mission to protect data, maintain compliance, and build trust with stakeholders by managing critical governance, risk, and compliance activities. Reporting to the Director of Information Security, Governance, Risk, and Compliance (GRC) and collaborating with Security Operations, Engineering, Product Development, IT, Network Operations, Project Management, Sales, Marketing, Legal, Internal Audit, and HR teams, this role ensures security practices are integrated across the organization. Key responsibilities include managing the security review intake process for software and vendors, conducting risk assessments, maintaining the risk registry, and implementing security awareness programs such as phishing exercises and training. Additionally, the role supports GRC task management, provides project management for compliance and security initiatives, addresses customer security inquiries, and helps manage the Trust Center. By driving cross-functional collaboration and aligning security initiatives with organizational objectives, this position is vital in mitigating risks, ensuring compliance, and fostering a culture of security, directly contributing to the organization’s strategic success.

 

The value you will deliver…

  • Conduct risk assessments, maintain the risk registry, and support the development and implementation of security policies and procedures.
  • Manage the intake and review process for software and vendor security assessments, ensuring compliance with organizational standards.
  • Develop and deliver security awareness programs, including phishing simulations, to promote a culture of security across the organization.
  • Address customer security inquiries and maintain accurate and transparent information on the organization’s Trust Center.
  • Track and manage GRC-related tasks, providing comprehensive project management support for compliance and risk mitigation initiatives while maintaining “keep the lights on” functions.
  • Implement changes in project requirements, incorporating adjustments into task management processes to enhance efficiency and avoid delays.
  • Assist in audits by coordinating evidence collection, responding to regulatory requirements such as SOC 2, PCI, and ISO 27001, and supporting audit readiness efforts.
  • Collaborate with cross-functional teams, including Security Operations, Engineering, IT, Legal, and Internal Audit, to integrate security best practices and meet regulatory obligations.
  • Monitor and report on GRC program performance, including task progress, risk mitigation, and training outcomes, and provide regular updates to leadership on metrics and milestones.
  • Identify opportunities for process improvements within GRC activities to streamline operations, increase productivity, and align with organizational goals.
  • Assist in drafting and updating documentation related to compliance frameworks, policies, and procedures as needed.
  • Support incident response activities by providing risk assessments or compliance insights during investigations.
  • Conduct periodic reviews of third-party vendors to assess compliance with security and contractual requirements.
  • Provide ad hoc training sessions or workshops on security and compliance topics for specific teams or departments.
  • Participate in the evaluation and implementation of tools and technologies that support GRC processes and improve security posture.
  • Assist with special projects or initiatives related to mergers, acquisitions, or organizational changes that impact GRC activities.
  • Collaborate on internal communications regarding updates to security policies or compliance requirements.
  • Serve as a backup resource for other security team functions during peak workloads or resource constraints.
  • Represent the GRC team in external customer or partner meetings to address specific security inquiries or concerns.
  • Stay informed on emerging compliance regulations and industry trends to provide recommendations for continuous improvement.
  • Perform other duties and responsibilities as required, assigned, or requested. Consensus reserves the right to add or change duties at any time.

 

What you will bring to the table…

  • Relevant security certifications such as Certified Information Systems Auditor (CISA), Security+, Certified in Risk and Information Systems Control (CRISC), and Certified Third-Party Risk Professional (CTPRP) that are active and in good standing, or the ability to obtain them within 12 months of hire.
  • Training in compliance frameworks such as SOC 2, HIPAA, ISO 27001, and FedRAMP.
  • Familiarity with basic security concepts and GRC tools through self-study, formal training, or on-the-job experience.
  • Experience in regulatory compliance or risk management may be considered in place of formal educational credentials.
  • 3+ years of experience in information security, risk management, or governance, risk, and compliance (GRC).
  • 3+ years of experience with security frameworks such as SOC 2, ISO 27001, or HIPAA.
  • 2+ years basic hands-on experience with compliance management tools, risk assessments, or audit support processes.
  • 2+ years of familiarity with cloud computing, SaaS applications, and associated security practices.
  • 2+ years of experience conducting risk assessments, managing risk registers, or supporting security audits.
  • 1+ years of exposure to working with cross-functional teams, including IT, legal, product development, and operations.
  • 1+ years of experience with basic project management tools or platforms for task tracking and milestone management.
  • 1+ years of experience working independently and as part of a team to manage GRC tasks and contribute to compliance and security initiatives.
  • Basic understanding of cloud computing, SaaS applications, and security practices.
  • Familiarity with regulatory frameworks such as HITRUST, HIPAA, ISO 27001, SOC 2, SOX, and FedRAMP.
  • Knowledge of risk management practices, including conducting risk assessments and managing risk registers.
  • Experience with security tools and platforms for vulnerability management, compliance tracking, and incident response.
  • Understanding of information security concepts like access control, encryption, identity management, and data protection.
  • Basic proficiency in project management tools such as Jira, Trello, or Microsoft Project for task tracking and milestone management.
  • Experience with tools for monitoring and reporting security metrics and KPIs.
  • Familiarity with compliance management platforms or software, such as GRC tools or spreadsheets, to support audit and assessment processes.
  • Ability to review and analyze security documentation, including policies, procedures, and controls.
  • Basic understanding of the software development lifecycle (SDLC) and how security integrates into DevOps and DevSecOps practices.
  • Proficiency in word processing applications such as Google Docs, Google Sheets, and Google Slides for documentation, reporting, and presentation creation.
  • Strong analytical thinking to assess risks and make informed decisions related to cloud computing, SaaS apps, and compliance frameworks.
  • Attention to detail to ensure accuracy in tasks, documentation, and reporting, especially related to HITRUST, HIPAA, ISO 27001, SOC 2, SOX, and FedRAMP standards.
  • Agility to adapt to changing priorities and emerging threats, particularly in cloud environments and SaaS applications.
  • Effective collaboration and communication with cross-functional teams to achieve shared objectives, ensuring alignment with cloud security requirements and compliance standards.
  • Ability to manage communications across teams, ensuring that security and compliance efforts are clearly understood and executed consistently.
  • Problem-solving skills to proactively address security and compliance issues, especially in relation to data privacy and regulatory frameworks like HIPAA, SOX, and SOC 2.
  • Project management skills to organize tasks, track milestones, and meet deadlines for cloud and SaaS app security initiatives, ensuring alignment with HITRUST and ISO 27001 standards.
  • Clear communication to convey both technical and non-technical information, ensuring clarity around cloud security, data protection regulations, and compliance efforts.
  • Solid understanding of security frameworks such as HITRUST, HIPAA, ISO 27001, SOC 2, SOX, and FedRAMP to ensure compliance and risk management best practices.
  • Ability to identify process improvements and implement best practices, particularly in securing cloud environments and SaaS applications.
  • Customer-focused approach to address security concerns professionally, particularly regarding data protection and regulatory compliance in cloud and SaaS solutions.
  • Critical thinking and time management to prioritize tasks and resources, ensuring efficient handling of compliance requirements for cloud environments, SaaS apps, and various regulatory standards.
  • Ethical judgment to ensure integrity in all GRC activities, particularly related to cloud computing, data privacy, and compliance frameworks such as HIPAA and FedRAMP.
  • Ability to learn quickly and adapt to new processes, tools, and technologies in the fast-evolving fields of cloud security and compliance.
  • Commitment to continuous learning to stay updated on regulations, trends, and technologies related to cloud computing, SaaS apps, and compliance with frameworks like ISO 27001, SOC 2, and FedRAMP.

 

You will stand out if you also have…

  • Bachelor's degree in computer science, information technology, cybersecurity, or equivalent experience. A master's degree may be preferred.
  • Proven experience in security compliance, risk management, and integrating security compliance into software development processes.
  • Proficiency in various cybersecurity technologies and tools, including security training and awareness tools, vendor risk management tools, and security compliance and risk register tools.
  • Hands-on experience with security assessment and security benchmarking testing tools.
  • Familiarity with security information and event management (SIEM) systems.
  • Experience in deployment of cloud controls for infrastructure, platform, and applications (IaaS/SaaS/PaaS), specifically within AWS.

 

Additional details…

  • Location requirements: Fully remote within the U.S.
  • Travel requirements: Up to 10% travel
  • Physical requirements: Must be able to sit for long periods and handle long periods of screen time
  • Technology requirements: Reliable, high-speed internet
  • Eligible for sponsorship: No
  • Security clearance: Required - Yes

 

The salary range for this role is $90,000 - $110,000 USD annually. The total compensation package for this position is negotiable and may also include an annual performance bonus, ESPP, enhanced time off packages and benefits.

We are not accepting agency submissions for this role.

To learn more about us visit consensus.com

Required profile

Experience

Level of experience: Mid-level (2-5 years)
Spoken language(s): English

Other Skills

  • Governance
  • Security Policies
  • Problem Solving
  • Collaboration
  • Communication
  • Adaptability
  • Time Management
  • Analytical Thinking
  • Detail Oriented
