Cybersecurity Governance, Risk & Compliance (GRC) Specialist

Paris, France


Position Overview

We are seeking a Cybersecurity GRC Specialist to develop, implement, and manage comprehensive governance, risk, and compliance programs aligned with leading cybersecurity frameworks including NIST Cybersecurity Framework, ISO 27001/27002, MITRE ATT&CK, and CIS Controls to ensure organizational security posture and regulatory compliance.

Key Responsibilities

Framework Implementation & Management

  • Implement and maintain NIST Cybersecurity Framework across organizational functions (Identify, Protect, Detect, Respond, Recover)

  • Develop ISO 27001/27002 Information Security Management System (ISMS) and manage certification processes

  • Map organizational security controls to CIS Controls and ensure implementation across all critical security functions

  • Integrate MITRE ATT&CK framework for threat modeling, risk assessment, and security control validation

  • Establish governance structures, policies, and procedures aligned with multiple cybersecurity standards

Risk Assessment & Management

  • Conduct comprehensive cybersecurity risk assessments and business impact analyses

  • Develop risk treatment plans including risk acceptance, mitigation, transfer, and avoidance strategies

  • Maintain enterprise risk registers and ensure regular risk review and update processes

  • Perform gap analyses against security frameworks and develop remediation roadmaps

  • Create risk-based metrics and KPIs for executive reporting and board communications

Compliance & Audit Management

  • Manage regulatory compliance programs including SOX, PCI-DSS, HIPAA, GDPR, and industry-specific requirements

  • Coordinate internal and external security audits and manage audit finding remediation

  • Develop compliance monitoring programs and automated compliance reporting capabilities

  • Maintain evidence collection and documentation for compliance demonstrations

  • Support vendor risk assessments and third-party security evaluations

Policy & Governance Development

  • Develop comprehensive cybersecurity policies, standards, and procedures aligned with business objectives

  • Establish security governance committees and risk management oversight structures

  • Create security awareness training programs and ensure organization-wide policy compliance

  • Manage policy lifecycle including review, approval, communication, and periodic updates

  • Coordinate cross-functional collaboration for security program implementation

Required Qualifications

Technical Skills

  • 5+ years of experience in cybersecurity governance, risk management, or compliance roles

  • Expert knowledge of NIST Cybersecurity Framework, ISO 27001/27002, CIS Controls, and MITRE ATT&CK

  • Strong understanding of regulatory requirements (SOX, PCI-DSS, HIPAA, GDPR) and compliance methodologies

  • Experience with GRC platforms (ServiceNow GRC, RSA Archer, MetricStream) and risk management tools

  • Knowledge of security control frameworks and security architecture principles

  • Proficiency in risk assessment methodologies and quantitative risk analysis techniques

Governance Skills

  • Proven experience developing and implementing enterprise security governance programs

  • Strong understanding of business continuity, disaster recovery, and crisis management

  • Experience with vendor risk management and third-party security assessments

  • Knowledge of board reporting and executive communication for cybersecurity topics

Preferred Qualifications

  • Bachelor's degree in Cybersecurity, Risk Management, Business Administration, or related field

  • Professional certifications (CISSP, CISA, CRISC, CISM, ISO 27001 Lead Auditor)

  • Experience with cloud compliance frameworks (SOC 2, FedRAMP, CSA CCM)

  • Background in internal audit or external consulting for cybersecurity assessments

  • Knowledge of emerging regulations and privacy frameworks
