Sr. GRC Analyst
Listed on 2026-07-08
-
IT/Tech
Cybersecurity, Information Security
Subsplash is an award‑winning team of 280+ mission‑driven people committed to humility, innovation, and excellence. Founded in 2005, we pioneered the first church mobile app and now build The Ultimate Engagement Platform™ for churches, Christian ministries, non‑profits, and businesses worldwide, serving 14,000+ clients and millions of users daily.
About the TeamThe IT Team maintains all activities and services that support business functions, ensuring proper security across all IT systems. We deliver robust day‑to‑day technical support and handle essential functions such as access management, user provisioning and deprovisioning, new hardware and software setup, and budget‑controlled subscription spend.
About the RoleThe Senior GRC Analyst acts as a strategic lead to advance security and risk operations. You will integrate people, policy, and technology to drive operational excellence and framework maturity, identify security gaps, implement best practices, and mature our control environment. We are building an AI‑first compliance function, and this role will lead the deployment of AI tools that scale our GRC program.
Compensation- The total compensation for this position is between $95,000–$105,000/yr, depending on experience level.
- Audit Execution:
Act as the primary point of contact for external auditors; lead the end‑to‑end execution of PCI DSS audits and support internal audit on IT SOX controls. - Data Mapping Maintenance:
Develop and maintain a comprehensive data inventory and data flow diagrams to track sensitive data (PII, PCI) and ensure compliance with privacy regulations. - Framework Maturation:
Map and implement controls across multiple frameworks (PCI DSS, NIST CSF) to eliminate redundancies and improve the organization’s security posture. - GRC Reporting:
Track and report on GRC program health across compliance posture, risk register status, audit readiness, and control effectiveness. Present metrics and trends to leadership on a regular cadence.
- User Access Reviews:
Orchestrate and lead the quarterly and semi‑annual user access review process across all critical systems (SaaS, cloud infrastructure, and internal tools). - Joiner/Mover/Leaver Oversight:
Monitor and validate that provisioning and deprovisioning processes are executed accurately and on time across critical systems. Flag exceptions, track remediation, and maintain documentation to support access control audits.
- Program Ownership:
Execute and maintain a year‑round Security Awareness Training (SAT) program that meets PCI DSS requirements while driving actual behavioral change. - Phishing Simulations:
Execute monthly or quarterly phishing simulations; analyze fail rates and provide targeted follow‑up training to high‑risk groups. - Content Curation:
Select and deploy engaging security content, newsletters, and security moments to keep cybersecurity top‑of‑mind for all employees. - Reporting:
Present program health metrics (completion rates, simulation trends, and reporting speed) to the leadership team.
- Vendor & Risk Execution:
Execute the TPRM program—conducting vendor security reviews, tracking remediation to completion, and escalating high‑risk findings to leadership. - Risk Register Ownership:
Maintain and update the corporate risk register, ensuring remediation efforts are tracked, validated, and communicated to leadership.
- Experience:
3–5 years in GRC, Information Security, or Audit. Fin Tech or Financial Services industry experience is highly preferred. - Technical Mastery:
Deep practical knowledge of PCI DSS requirements and controls. - Data Governance:
Experience performing data mapping exercises and maintaining Records of Processing Activities (RoPA). - SAT Strategy:
Proven experience managing phishing platforms (KnowBe4, Mimecast, or Vanta‑integrated tools) and developing security training curricula. - IAM Expertise:
Proven experience managing formal access review cycles and identity governance processes. - Systems:
Proven experience administering a…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).