Manager, Information Security Compliance & Risk

Overview

Analysis Group is one of the largest international economics consulting firms, with more than 1,500 professionals across 15 offices in North America, Europe, and Asia. Since 1981, we have provided expertise in economics, finance, health care analytics, and strategy to top law firms, Fortune Global 500 companies, and government agencies worldwide. Our internal experts, together with our network of affiliated experts from academia, industry, and government, offer our clients exceptional breadth and depth of expertise.

The Manager, Information Security Compliance and Risk is responsible for leading the firm s Governance, Risk, and Compliance (GRC) program, including regulatory compliance, enterprise risk management, and assurance activities that support client requirements and regulatory obligations.

This role also serves as the primary owner of Information Security AI governance, ensuring that the firm s use of AI and machine learning technologies aligns with security, privacy, regulatory, and client expectations.

The role manages a team of three Information Security Analysts and owns SOC 2 and ISO 27001 certification programs, while partnering closely with Legal, Compliance, Privacy, IT, and Security Engineering and Operations to ensure effective control design, evidence collection, risk management, and continuous improvement.

Governance and Compliance Leadership

• Own and maintain the firm s information security governance framework, including policies, standards, and procedures.
• Lead annual SOC 2 and ISO 27001 audit cycles, including audit readiness, evidence coordination, and remediation tracking.
• Ensure ongoing compliance with client, regulatory, and contractual information security requirements.
• Manage policy exceptions, risk acceptances, and documentation of compensating controls.

Regulatory Authorization and Assurance

• Lead the renewal and ongoing maintenance of government and client security authorizations, attestations, and approvals required for regulated engagements.
• Coordinate cross-functional evidence collection and control validation to support authorization renewals and periodic reassessments.
• Track authorization requirements, renewal timelines, and control changes to ensure continuous eligibility for regulated work.

AI Security Governance

• Lead the Information Security AI governance program, ensuring secure, responsible, and compliant use of AI technologies across the firm.
• Partner with Legal, Privacy, Compliance, and business stakeholders to define and maintain AI security requirements, risk assessments, and usage standards.
• Establish and maintain security controls for AI-enabled tools, including data handling, access controls, model usage restrictions, and third-party AI risk.
• Support client and regulatory inquiries related to AI security posture and governance practices.
• Track emerging AI-related regulatory and security requirements and assess their impact on firm policies and controls.

Risk Management

• Maintain and mature the enterprise information security risk register.
• Facilitate periodic risk assessments, including risks associated with AI usage, data processing, and third-party technologies.
• Develop and report meaningful risk metrics and dashboards for leadership review.
• Translate technical and operational risks into clear business-impact language.

Third-Party and Emerging Risk Governance

• Oversee third-party security risk management in partnership with Legal.
• Lead structured reviews of vendor security posture, including AI and SaaS providers.
• Track remediation plans and ongoing monitoring of third-party and AI-related risks.

Audit and Assurance Coordination

• Serve as the primary liaison for internal and external audits related to information security.
• Coordinate evidence collection across IT, Security Engineering, Privacy, and business stakeholders.
• Track findings, corrective actions, and continuous improvement initiatives.

Team Leadership

• Directly manage three Information Security Analysts.
• Set priorities, provide mentorship, and support professional development.
• Establish consistent processes, documentation standards, and performance expectations across the GRC function.

Cross-Functional Collaboration

• Partner closely with Security Engineering and Operations to align governance requirements with technical controls.
• Work with Legal, Compliance, Privacy, and Data Science teams on regulatory interpretation and AI governance requirements.
• Support client security inquiries, assessments, and due diligence requests.

Expected Outcomes

• Sustained audit readiness for SOC 2 and ISO 27001 with minimal disruption.
• Clear, measurable visibility into information security and AI-related risk posture.
• Consistent, scalable governance processes supporting firm growth and responsible AI adoption.
• Strong alignment between governance requirements and operational security controls.

Qualifications & Skills

• Bachelor s degree required; degree in information security, risk management, or a related field preferred.
• 7 to 10 years of…