GRC Analyst

Department:Information Security Reports to: Senior Director, Information Security Role Summary You will be a hands-on GRC professional who builds, monitors, and improves the frameworks that keep our organization compliant, resilient, and risk informed. You'll work across technology, operations, and product teams to assess control effectiveness, manage audits, and translate regulatory requirements into actionable, measurable security practices. Success in this role means turning governance into enablement - helping teams move faster by defining clear expectations, automating evidence, and maintaining trust with our customers, auditors, and partners. What You'll Do (Core Responsibilities)Governance and Control Frameworks Maintain and evolve the company's Information Security Governance Framework, aligning with NIST CSF, NIST 800-53, ISO 27001, SOC 2, PCI-DSS, and other relevant standards. Map security controls across frameworks to identify overlaps, gaps, and opportunities for simplification and automation. Draft, update, and maintain policies, standards, and procedures in partnership with subject-matter experts across InfoSec, IT, Legal, and Engineering. Support the implementation and measurement of control effectiveness through dashboards and continuous monitoring programs. Risk Management Support the enterprise risk management (ERM) program by identifying, assessing, tracking, and reporting technology and cybersecurity risks. Facilitate risk assessments for new products, third parties, and major projects; ensure mitigation plans are defined and tracked to closure. Maintain and enhance the risk register, including metrics for likelihood, impact, and residual risk. Collaborate with AppSec, Cloud, and IAM teams to quantify risk using data (e.g., vulnerability counts, MTTR, compliance exceptions) rather than qualitative labels alone. Produce risk reports and heatmaps for leadership and steering committees. Compliance and Audit Readiness Lead or support internal and external audits (SOC, NYDFS, Texas DOB), coordinating evidence collection and control owner interviews. Build evidence-as-code patterns - automating artifact collection through existing systems (e.g., Azure, AWS, Jira, ServiceNow, Wiz, Splunk). Maintain an annual audit calendar and ensure recurring control testing is timely and consistent. Track and verify remediation of findings; document and report status to management and auditors. Third-Party Risk Management Manage and mature the vendor security review process, including questionnaire assessments, evidence validation, and risk scoring. Coordinate security due diligence for acquisitions, technology partners, and critical service providers. Collaborate with Procurement and Legal to ensure contracts include appropriate security, privacy, and data protection clauses. Maintain a vendor risk register and report exposure by category and criticality. Awareness, Reporting, and Enablement Develop and publish periodic metrics and dashboards showing control health, risk posture, and compliance status. Communicate risk and compliance expectations to business and technical stakeholders in clear, actionable language. Support security awareness and training campaigns, focusing on control ownership and policy alignment. Participate in tabletop exercises and incident post-mortems to ensure lessons learned are captured as control improvements. Minimum Qualifications 3-5 years of experience in Information Security, IT Audit, or GRC roles. Working knowledge of at least one major control framework (e.g., NIST CSF, ISO 27001, SOC 2, PCI-DSS, or CIS Controls). Experience with risk assessment methodologies and familiarity with quantitative or semi-quantitative models. Strong organizational skills and ability to manage multiple assessments, audits, and remediation efforts in parallel. Proficiency with GRC or risk management platforms (e.g., Archer, ServiceNow GRC, LogicGate, Tugboat Logic, Drata, or similar). Understanding of cloud service provider shared responsibility models (AWS, Azure, GCP). Excellent written and verbal communication skills, with the ability to translate technical control results into executive-ready summaries. Preferred Qualifications Experience in an acquisitive environment, helping standardize and integrate controls across multiple business units or subsidiaries. Familiarity with data privacy regulations (GDPR, CCPA, GLBA) and privacy impact assessments. Knowledge of secure software development life cycle (SSDLC) governance and control testing. Experience supporting external attestations or certifications (SOC 2 Type II, ISO 27001, PCI-DSS). Relevant certifications such as CISA, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor, or CCSK. Behavioral Competencies Enablement mindset: You see governance as a way to empower teams, not block them. Curiosity: You dig into how controls really work in technical systems, not just on paper. Precision: You care about evidence quality and clarity of documentation. Collaboration: You work cross-functionally with engineers, legal, and executives to close risk gaps. Communication: You distill complex regulatory and control requirements into understandable, actionable guidance. #Auris Candidates should be comfortable with an on-site presence to support collaboration, team leadership, and cross-functional partnership. Why Join Us: At Acrisure, we're building more than a business, we're building a community where people can grow, thrive, and make an impact. Our benefits are designed to support every dimension of your life, from your health and finances to your family and future. Making a lasting impact on the communities it serves, Acrisure has pledged more than $22 million through its partnerships with Corewell Health Helen DeVos Children's Hospital in Grand Rapids, Michigan, UPMC Children's Hospital in Pittsburgh, Pennsylvania and Blythedale Children's Hospital in Valhalla, New York. Employee Benefits We also offer our employees a comprehensive suite of benefits and perks, including: Physical Wellness: Comprehensive medical insurance, dental insurance, and vision insurance; life and disability insurance; fertility benefits; wellness resources; and paid sick time. Mental Wellness: Generous paid time off and holidays; Employee Assistance Program (EAP); and a complimentary Calm app subscription. Financial Wellness: Immediate vesting in a 401(k) plan; Health Savings Account (HSA) and Flexible Spending Account (FSA) options; commuter benefits; and employee discount programs. Family Care: Paid maternity leave and paid paternity leave (including for adoptive parents); legal plan options; and pet insurance coverage. ... and so much more This list is not exhaustive of all available benefits. Eligibility and waiting periods may apply to certain offerings. Benefits may vary based on subsidiary entity and geographic location. Acrisure is an Equal Opportunity Employer. We consider qualified applicants without regard to race, color, religion, sex, national origin, disability, or protected veteran status. Applicants may request reasonable accommodation by contacting leaves@acrisure.com. California Residents: Learn more about our privacy practices for applicants by visiting the Acrisure California Applicant Privacy Policy. Recruitment Fraud: Please visit here to learn more about our Recruitment Fraud Notice. Welcome, your new opportunity awaits you.