Senior GRC Analyst
Abnormal Security
Job highlights
Summary
Join Abnormal Security's Security & Privacy team as a Senior GRC Analyst. You will support the execution of the GRC program, focusing on evaluating technology controls, audit readiness, leading external audits, and acting as a compliance domain advisor. This role also leads Issues Management to remediate company-wide issues. You will support governance and risk management activities, including policy management and risk operations. The ideal candidate possesses strong auditing, project management, and communication skills, along with a deep understanding of cybersecurity and compliance. This position requires significant experience in cybersecurity, GRC, and ISO 27001 implementation and maintenance. Abnormal Security offers competitive compensation and benefits.
Requirements
- 5+ years of experience in cyber security, technology risk, GRC, and/or technical compliance roles, with at least 3 years focused on ISO 27001 implementation and maintenance
- Demonstrated experience leading at least two successful ISO 27001 certification cycles (including the 2022 revision of ISO 27001) from start to finish
- Proven project management experience, including:
  - Managing multiple concurrent compliance projects with competing deadlines
  - Leading cross-functional teams across technical and business units
- Experience with project management methodologies (Agile, Waterfall) and tools (ServiceNow, etc.)
- Track record of delivering complex compliance projects on time and within scope
- Strong understanding of security concepts and practical usage, including:
  - Information Security Management System (ISMS) implementation and maintenance
  - Control mapping across multiple frameworks
  - Continuous control monitoring and automation
- Experience implementing and managing compliance programs aligned with ISO 27001 and ISO 27701, including:
  - Development and maintenance of the Statement of Applicability
  - Risk treatment plans and risk acceptance criteria
  - Internal audit programs
  - Management review processes
- Proven track record in working with external auditors, including internal stakeholder management
- Experience with audit automation and continuous control monitoring tools
- Proven ability to manage multiple stakeholders and vendors while maintaining project momentum
Responsibilities
- Keep abreast of regulatory and industry developments and advise leadership on the potential impact on the program strategy and plans
- Ensure program activities align with strategy and manage the timely and high-quality execution of GRC landmarks
- Drive internal control effectiveness through crafting the control matrix, rigorous internal control monitoring, implementing control enhancements, and providing thought leadership on control design, operations, and supporting processes and policies
- Perform compliance readiness assessments and provide updates, recommendations, and roadmap to senior management both within Security and to our business partners
- Develop the audit plan in partnership with leadership and lead internal and external audit engagements according to plan, while supervising the work of external auditors and internal audit contractors and working with relevant control owners to minimize disruption while successfully completing the efforts in a timely manner
- Advise, educate, and train process and control owners with the preparation and ongoing maintenance of controls and control documentation (e.g., policies, procedures, narratives, and matrices) to better understand the security controls framework and their responsibilities
- Recommend, develop, and manage the company's risk register, including the definition and reporting on key risk indicators (KRIs) and key performance indicators (KPIs)
- Conduct regular risk assessments and work with relevant departments to identify, evaluate, and mitigate risks across the organization
- Define, develop, and implement capabilities to manage third-party cybersecurity risks
- Manage review, testing, and improvements to business continuity plans
- Advise, educate, and train risk owners with the identification, assessment, mitigation, and monitoring of risks to better understand the risk management process and their responsibilities
- Maintain the policy repository and support effective policy communication
- Proactively identify gaps or conflicts in existing policies and processes and work to develop solutions with internal business partners
- Advise policy owners with the preparation, communication, and ongoing maintenance of policies to better understand policy management and their responsibilities
- Define, develop, and implement capabilities to govern data handling
- Advise data owners with the data classification, labeling, retention, and deletion requirements to better understand data governance and their responsibilities
- Drive remediation and risk mitigation activities, also known as issues management, including root cause analysis and owning the design, tracking, and progress of action plans across compliance, policy, or process gap remediation activities and risk mitigation activities in partnership with internal business partners
- Design and manage program operations to support the program goals and implement and maintain technology to support the program and its operations
- Engage in ad-hoc projects as required
- Maintain regular, clear communication with project teams, key partners, and management regarding the status of controls testing, audit progress, risk assessment progress, and progress of issues management
- Effectively communicate program and project execution status, program health and effectiveness, key accomplishments, and risks to senior management both within Security and to our business partners
Preferred Qualifications
- Bachelor's degree or equivalent military experience
- ISO27001 Lead Auditor Certification
- CRISC, CISSP, CPA, CISA, PMP, CISM certification(s)
- Experience with NIST CSF, NIST SP 800-53 / 171 or other control frameworks
- Experience preferably at a technology or SaaS / Cloud and/or with a regulated public company
- 2+ years of Big 4 experience
Benefits
- Bonus
- Restricted stock units (RSUs)
- Benefits