
Cybersecurity Governance, Risk & Compliance (GRC) Specialist

BlackFluoAI

France

On-site

EUR 60 000 - 90 000

Full-time

30+ days ago

Job summary

A leading technology company in France is seeking a Cybersecurity GRC Specialist to manage governance, risk, and compliance programs. The ideal candidate has over 5 years of experience, expert knowledge of cybersecurity frameworks like NIST and ISO, and a strong understanding of regulatory compliance. Join us to enhance organizational security posture and ensure regulatory compliance.

Qualifications

  • 5+ years' experience in cybersecurity governance, risk management, or compliance roles.
  • Strong understanding of regulatory requirements and compliance methodologies.
  • Proficient in risk assessment methodologies and quantitative risk analysis techniques.

Responsibilities

  • Implement and maintain the NIST Cybersecurity Framework.
  • Conduct comprehensive cybersecurity risk assessments.
  • Manage regulatory compliance programs including SOX, PCI-DSS, HIPAA, GDPR.
  • Develop comprehensive cybersecurity policies, standards, and procedures.

Knowledge

NIST Cybersecurity Framework
ISO 27001/27002
CIS Controls
MITRE ATT&CK
Regulatory requirements (SOX, PCI-DSS, HIPAA, GDPR)
GRC platforms (ServiceNow GRC, RSA Archer, MetricStream)
Risk assessment methodologies

Education

Bachelor's degree in Cybersecurity, Risk Management, Business Administration, or related field

Job description

Position Overview

We are seeking a Cybersecurity GRC Specialist to develop, implement, and manage comprehensive governance, risk, and compliance programs aligned with leading cybersecurity frameworks including NIST Cybersecurity Framework, ISO 27001/27002, MITRE ATT&CK, and CIS Controls to ensure organizational security posture and regulatory compliance.

Key Responsibilities
Framework Implementation & Management
  • Implement and maintain the NIST Cybersecurity Framework across organizational functions (Identify, Protect, Detect, Respond, Recover)
  • Develop ISO 27001/27002 Information Security Management System (ISMS) and manage certification processes
  • Map organizational security controls to CIS Controls and ensure implementation across all critical security functions
  • Integrate the MITRE ATT&CK framework into threat modeling, risk assessment, and security control validation
  • Establish governance structures, policies, and procedures aligned with multiple cybersecurity standards
Risk Assessment & Management
  • Conduct comprehensive cybersecurity risk assessments and business impact analyses
  • Develop risk treatment plans including risk acceptance, mitigation, transfer, and avoidance strategies
  • Maintain enterprise risk registers and ensure regular risk review and update processes
  • Perform gap analyses against security frameworks and develop remediation roadmaps
  • Create risk-based metrics and KPIs for executive reporting and board communications
Compliance & Audit Management
  • Manage regulatory compliance programs including SOX, PCI-DSS, HIPAA, GDPR, and industry-specific requirements
  • Coordinate internal and external security audits and manage audit finding remediation
  • Develop compliance monitoring programs and automated compliance reporting capabilities
  • Maintain evidence collection and documentation for compliance demonstrations
  • Support vendor risk assessments and third-party security evaluations
Policy & Governance Development
  • Develop comprehensive cybersecurity policies, standards, and procedures aligned with business objectives
  • Establish security governance committees and risk management oversight structures
  • Create security awareness training programs and ensure organization-wide policy compliance
  • Manage policy lifecycle including review, approval, communication, and periodic updates
  • Coordinate cross-functional collaboration for security program implementation
Required Qualifications
Technical Skills
  • 5+ years' experience in cybersecurity governance, risk management, or compliance roles
  • Expert knowledge of NIST Cybersecurity Framework, ISO 27001/27002, CIS Controls, and MITRE ATT&CK
  • Strong understanding of regulatory requirements (SOX, PCI-DSS, HIPAA, GDPR) and compliance methodologies
  • Experience with GRC platforms (ServiceNow GRC, RSA Archer, MetricStream) and risk management tools
  • Knowledge of security control frameworks and security architecture principles
  • Proficiency in risk assessment methodologies and quantitative risk analysis techniques
Governance Skills
  • Proven experience developing and implementing enterprise security governance programs
  • Strong understanding of business continuity, disaster recovery, and crisis management
  • Experience with vendor risk management and third-party security assessments
  • Knowledge of board reporting and executive communication for cybersecurity topics
Preferred Qualifications
  • Bachelor's degree in Cybersecurity, Risk Management, Business Administration, or related field
  • Professional certifications (CISSP, CISA, CRISC, CISM, ISO 27001 Lead Auditor)
  • Experience with cloud compliance frameworks (SOC 2, FedRAMP, CSA CCM)
  • Background in internal audit or external consulting for cybersecurity assessments
  • Knowledge of emerging regulations and privacy frameworks