Senior GRC Analyst

ModMed
Hybrid

About The Position

At ModMed, we’re not just building software—we’re reimagining the healthcare experience. Founded in 2010 by a practicing physician and a successful tech entrepreneur, we took a radically different approach: we hired doctors and taught them how to code. This "for doctors, by doctors" philosophy has allowed us to create an AI-enabled, specialty-specific cloud platform that places patients at the center of care.

When you join ModMed, you’re joining an award-winning team recognized for innovation and employee satisfaction. From our global headquarters in Boca Raton, Florida, and extensive employee base in Hyderabad, India, we are a team of 4,500+ passionate problem-solvers on a mission to increase medical practice success and improve patient outcomes:

  • Consistently ranked as a Top Place to Work
  • 2025 Globee Business Awards: Gold Globee for “Technology Team of the Year”
  • 2025 Black Book Awards: Ranked #1 EHR in 11 Specialties
  • Florida Venture Forum: Venture-Backed Company of the Year

We are growing fast, thinking big, and we are just getting started. Ready to modernize medicine with us?

The Senior GRC Analyst is responsible for leading and maturing key components of ModMed’s Governance, Risk, and Compliance program. This role partners closely with security, technology, legal, compliance, and business stakeholders to proactively identify, assess, and mitigate risk while ensuring ongoing compliance with regulatory and industry standards. The incumbent operates as a trusted advisor, driving continuous improvement of GRC processes, frameworks, and controls across the enterprise.

The Senior GRC Analyst is responsible for designing, enhancing, and scaling GRC processes, including enterprise risk assessments, third-party risk management, audit readiness, and security awareness programs. This role contributes directly to improving program maturity, efficiency, and sustainability across ModMed.

Requirements

  • Bachelor’s degree in Information Security, Cybersecurity, Information Technology, or equivalent education and experience.
  • Minimum of 7 years of experience in information security GRC, or related fields.
  • Experience with PCI, HIPAA, SOC2, CIS Controls, risk management, enterprise security risk management, and security awareness.
  • Proficiency in PCI and security risk assessment methodologies and tools.
  • Excellent problem-solving skills.
  • Strong communication and interpersonal skills.

Nice To Haves

  • Familiarity with healthcare industry regulations
  • Strong understanding of security frameworks and standards (NIST CSF, PCI, HIPAA, SOC2, CIS Controls)
  • Experience with GRC tools and technologies
  • PCIP, ISA, or CISA Certification
  • CISM Certification

Responsibilities

  • Lead the development, implementation, and ongoing maintenance of enterprise cybersecurity policies, standards, and procedures.
  • Own and evolve components of the cybersecurity governance framework, ensuring alignment with business strategy, risk appetite, and regulatory obligations.
  • Serve as a subject matter expert on GRC frameworks and best practices, advising leadership on governance decisions and tradeoffs.
  • Partner cross-functionally to embed governance requirements into operational and technology processes.
  • Lead and independently execute enterprise and third-party risk assessments, including methodology refinement and scoping decisions.
  • Evaluate complex risk scenarios, identify control gaps, and recommend prioritized, risk-based mitigation strategies.
  • Monitor risk remediation efforts, challenge effectiveness of controls, and escalate material risks as appropriate.
  • Contribute to the ongoing maturation of the enterprise risk management and third-party risk management programs.
  • Own and lead compliance activities for major regulatory and industry frameworks (PCI, HIPAA, SOC 2, CIS Controls, NIST CSF).
  • Act as a primary point of contact for internal and external auditors, independently managing audit readiness, execution, and remediation efforts.
  • Interpret evolving regulatory requirements and translate them into actionable controls and processes for the business.
  • Drive continuous improvement of compliance processes, reducing audit friction and improving control sustainability.
  • Design and continuously improve security awareness and training initiatives based on risk trends and audit findings.
  • Advise business partners and leadership on risk-conscious decision-making and secure-by-design practices.
  • Measure and report on program effectiveness and adoption.
  • Develop and present executive-level reporting on GRC metrics, risk posture, audit outcomes, and program maturity.
  • Ensure comprehensive, defensible documentation for audits, risk assessments, and governance decisions.
  • Provide insights and recommendations to senior security leadership based on data and trend analysis.

Benefits

  • Comprehensive medical, dental, and vision benefits, including a company Health Savings Account contribution
  • 401(k): ModMed provides a matching contribution each payday of 50% of your contribution deferred on up to 6% of your compensation. After one year of employment with ModMed, 100% of any matching contribution you receive is yours to keep.
  • Generous Paid Time Off and Paid Parental Leave programs
  • Company paid Life and Disability benefits
  • Flexible Spending Account, and Employee Assistance Programs
  • Company-sponsored Business Resource & Special Interest Groups that provide engaged and supportive communities within ModMed
  • Professional development opportunities, including tuition reimbursement programs and unlimited access to LinkedIn Learning
  • Global presence and in-person collaboration opportunities; dog-friendly HQ (US)
  • Hybrid office-based roles and remote availability for some roles
  • Weekly catered breakfast and lunch, treadmill workstations, Zen, and wellness rooms within our BRIC headquarters.