Senior GRC Analyst: Control Validation Lead

Job Overview

We are seeking a detail-oriented and technically proficient Principal GRC Analyst to join our Information Security team, with a focus on validating and testing security controls across the enterprise. This role will serve as the most senior member of a small team focused on validating the effectiveness of information security controls. It is ideal for professionals with 8 or more years of experience in GRC, IT audit, or cybersecurity operations who have supervised IT control testing teams and are passionate about driving continuous improvement.

• Plan, lead, and execute control validation and testing activities across various domains (e.g., access management, vulnerability management, incident response, data protection).
• Mentor junior analysts, providing guidance on control validation methodologies and best practices while fostering a culture of accountability.
• Provide subject matter expertise regarding information security control validation and compliance frameworks to the CDT organization and its business partners.
• Document control issues and collaborate with stakeholders to develop remediation recommendations.
• Develop and enhance control testing methodologies, procedures, and reporting mechanisms.
• Prepare risk reports and dashboards for management and governance committees.
• Influence the evolution of the GRC program through maturing tools, automation, processes, and metrics.

• Experienced and Passionate: You are a seasoned security professional with a passion for governance, risk, and compliance.
• Methodical and Pragmatic: You approach control testing with precision and can identify pragmatic solutions to addressing risks.
• Self-Motivated and Curious: You are driven to understand the "why", you thoughtfully investigate complex issues and ask probing questions.
• Leadership-Oriented: You demonstrate initiative and are experienced in mentoring and developing others.
• Relationship Driven: You build rapport and support your team and colleagues across functions.
• Influential Communicator: Whether in writing or verbally, you can effectively explain technical concepts and risks to colleagues and management without excessive jargon.
• Bachelor’s degree in a technical field such as cybersecurity or business information systems.
• Security certifications such as CISSP, CISA, CRISC, Sec+, or CC preferred.
• Minimum 8 years’ experience in GRC, IT audit, or information security within mid-size to large corporate environment.
• Proven expertise in cybersecurity frameworks such as NIST CSF or ISO 27001.
• Hands‑on experience in leading IT audits, risk assessments, or compliance programs.