Cyber GRC Specialist

Job Summary

We are seeking a Cyber GRC Specialist to support and advance the company’s cybersecurity governance, risk management, and compliance (GRC) initiatives. The successful candidate will collaborate with Security, IT, Legal, Privacy, Compliance, and business teams to identify and manage cyber risk, implement controls, maintain compliance with applicable frameworks and regulations, and support continuous improvement of the security posture. This role requires a pragmatic, consultative approach and the ability to translate technical security concepts into business risk terms.

Key Responsibilities

Governance & Policy
  • Develop, maintain, and operationalize cybersecurity policies, standards, and procedures aligned with industry frameworks and regulatory requirements (e.g., NIST CSF, ISO 27001, SOC 2, PCI, relevant regional regulations).

  • Support security governance forums and reporting to senior leadership and stakeholders on cyber risk, control effectiveness, and remediation progress.

  • Collaborate with cross-functional teams to ensure security requirements are integrated into business processes, projects, and third-party relationships.

Risk Management & Assessments
  • Conduct and coordinate risk assessments, control gap analyses, and threat/risk modeling for systems, applications, and third-party services.

  • Maintain the risk register, prioritize remediation activities, and track closure of identified vulnerabilities and control deficiencies.

  • Perform vendor security and risk assessments; review third-party contracts and recommend appropriate security controls and contractual language.

Compliance & Audit Support
  • Support internal and external compliance initiatives, audits, and certifications (e.g., SOC 2, ISO 27001), including evidence collection, control testing, and remediation coordination.

  • Monitor regulatory and industry compliance requirements and translate obligations into practical control and process requirements across the organization.

  • Prepare and maintain documentation, control narratives, and artifacts required for assessments and regulatory inquiries.

Incident Response & Continuous Improvement
  • Participate in incident response planning and post-incident reviews; advise on control improvements and regulatory/contractual notification considerations.

  • Collaborate with Security Operations and IT teams to ensure controls are effectively implemented, monitored, and improved based on lessons learned and evolving threats.

  • Identify opportunities to automate control monitoring, reporting, and GRC workflows using GRC platforms and security tooling.

Training, Awareness & Advisory
  • Develop and deliver role-based security awareness, GRC guidance, and targeted training for employees, contractors, and business partners.

  • Provide practical, risk-based advisory to Product, Engineering, IT, and business teams on secure design, control selection, and compliance requirements.

  • Act as a trusted advisor for security and compliance questions related to new projects, cloud deployments, and third-party integrations.

Required Qualifications - Skills & Experience

  • Bachelor’s degree in Information Security, Computer Science, Cybersecurity, Risk Management, or a related field, or equivalent practical experience.

  • 3+ years of demonstrated experience in cybersecurity GRC, risk management, compliance, or related roles within a commercial or regulated environment.

  • Familiarity with common cybersecurity frameworks and standards (e.g., NIST CSF, ISO 27001, SOC 2) and practical experience applying them.

  • Experience performing risk assessments, vendor/security assessments, control gap analysis, and supporting audits or certifications.

  • Working knowledge of cloud security concepts (AWS, Azure, GCP), identity and access management, and common security controls.

  • Strong written and verbal communication skills with the ability to document controls, prepare executive reports, and communicate with technical and non-technical stakeholders.

  • Experience with GRC platforms, ticketing systems, and security assessment tools; comfortable working in cross-functional, fast-paced environments.

Preferred Qualifications

  • Relevant certifications such as CISSP, CISM, CRISC, CGEIT, or certification in GRC platforms.

  • Experience supporting SOC 2, ISO 27001, or other compliance programs and working with external auditors.

  • Prior exposure to privacy and data protection requirements and how they interact with cybersecurity controls is a plus.

  • Experience in cloud-native environments, DevSecOps practices, and automation of control monitoring is advantageous.

Work Environment & Compensation

  • Full-time role with a hybrid onsite/remote work model; occasional travel may be required for stakeholder meetings, audits, or vendor engagements.

  • Competitive salary commensurate with experience and a comprehensive benefits package, including health insurance, retirement plan options, and paid time off.

  • Opportunities for professional development, certification support, and career progression within Security, Compliance, and Risk functions.

  • Inclusive and respectful workplace culture that values diversity, equity, and work-life balance.
