Head of GRC

Kfar Saba, Israel

Next Insurance

Protect your small business with NEXT Insurance. Fast quotes. Instant coverage with competitive rates. Totally tailored for 1,300+ professions


Next Insurance, founded in 2016 and headquartered in Palo Alto, is an insurtech company offering digital insurance solutions tailored to small businesses across the U.S. By leveraging AI and machine learning, the company provides customized policies for sectors such as general liability, professional liability, and commercial auto insurance. Business owners can easily receive quotes and purchase coverage through the platform online.

To date, Next Insurance has raised over $1.1 billion in funding, including a $265 million strategic round in November 2023, led by Allstate and Allianz X. This funding is intended to accelerate the company's path to profitability and expansion. A strategic partnership with Allstate enables Next Insurance to develop new commercial auto products and extend its offerings to Allstate’s customer base.

Serving more than 500,000 small businesses nationwide, Next Insurance employs around 700 people, with offices in Palo Alto, Waltham, Rochester, Israel, and some remote roles.


We seek a Head of GRC who is passionate about assessing and quantifying Information Security risks to develop practical standards and guidelines.

The Head of Governance, Risk & Compliance (GRC) has a critical leadership role and is responsible for setting the vision and strategy for cyber governance, risk management, and compliance. This individual will lead a team dedicated to ensuring that NEXT meets established security requirements, adheres to industry standards, and complies with external and internal policies.

The ideal candidate is a strategic thinker with strong leadership abilities, a deep understanding of relevant laws and regulations, and a proven ability to collaborate across multiple departments.

Key areas of responsibility include policy development and enforcement, regulatory compliance, cyber risk management, partnerships and assurance support, training and awareness, audit coordination, and cross-functional collaboration.

Reporting directly to the CISO, the Head of GRC will serve as a trusted advisor to the senior leadership team, providing education, awareness, and guidance on risk and compliance matters.


What You’ll Do: 

  • Plan, build, run, and manage an enterprise-wide governance, risk, and compliance program for NEXT, including awareness and training, partnerships and business support, 
  • Develop and oversee security audit processes and risk assessments. 
  • Collaborate with various business units to ensure that security compliance considerations are integrated into business processes.
  • Maintain a current understanding of the threat landscape that could potentially impact NEXT operations and translate that knowledge into potential risks and actionable plans to protect the business.
  • Enhance and maintain a risk register to monitor and track risk mitigation activities.
  • Develop policy framework and update organizational policies and procedures to ensure compliance with relevant laws, regulations, and industry standards.
  • Third-party risk management: own the vendor assessment program, covering both ongoing processes and new initiatives that improve process efficiency and risk measurement.
  • Lead the development of security awareness training to increase security awareness and ensure understanding of relevant security practices and procedures as well as our regulatory landscape.
  • Simplify and articulate deep technical concepts and requirements in easily understood terms.
  • Translate compliance requirements into operational procedures.


What We Need: 

  • 5+ years of audit, risk, and/or compliance experience as an external or internal function, primarily in regulated environments such as insurance, healthcare or financial services
  • 2+ years of people management experience, preferably in global companies.
  • Deep understanding of Information Security risk management concepts from both enterprise and start-up perspectives (e.g., ITIL Change Management vs. DevOps Continuous Delivery)
  • Knowledge of pragmatic security controls across all security domains, such as access management, encryption methods, vulnerability management, network security, etc.
  • Have start-up DNA: You have demonstrated an ability to thrive in a dynamic start-up environment or have the DNA to do so.
  • Good understanding of security assurance and trust frameworks (NIST 800-53, ISO 2700x, 23 NYCRR 500, etc.)
  • Good understanding of privacy and data protection laws (CCPA, GDPR, GLBA Privacy and Safeguards Rules)


Don’t meet every single requirement? Studies have shown that some underrepresented people are less likely to apply to jobs unless they meet every single qualification. At NEXT, we are dedicated to building a diverse, inclusive and respectful workplace, so if you’re excited about this role but your past experience doesn’t align perfectly with every qualification in the job description, we encourage you to apply anyway. You may be just the right candidate for this or other roles.


One of our core values is 'Play as a Team'; this means making sure everyone has an equal chance to participate and make a difference. We win by playing together. Next Insurance is an equal opportunity employer and prioritizes building a diverse and inclusive workplace. We provide equal employment opportunities to all employees and applicants of any type and do not discriminate based on race, color, religion, national origin, gender, age, sexual orientation, physical or mental disability, genetic information or characteristic, gender identity and expression, veteran status, or other non-job-related characteristics or other prohibited grounds specified in applicable federal, state, and local laws. Next's policy is to comply with all applicable laws related to nondiscrimination and equal opportunity and will not tolerate discrimination or harassment based on any of these characteristics. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.


Perks/benefits: Career development Insurance Startup environment Team events

Region: Middle East
Country: Israel
