GRC Cybersecurity Lead

Osg Inc
Carol Stream, United States of America
1 month ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior
Compensation
$ 140K

Job location

Carol Stream, United States of America

Tech stack

Amazon Web Services (AWS)
Azure
Software as a Service
Cloud Computing
Computer Security
Information Systems
Information Technology Audit
PCI Data Security Standards
Google Cloud Platform
Cloud Platform System
Information Technology
Software Version Control
ServiceNow

Job description

As a GRC Cybersecurity Lead, you will own OSG's cybersecurity GRC program end-to-end. This is a high-visibility role and you will work shoulder-to-shoulder with executive leadership, Legal, Compliance, Privacy, Internal Audit, IT, Engineering, Product, and Sales. Reporting directly to the CISO and have a meaningful seat at the table where risk decisions get made., * Own enterprise-wide cyber risk analysis and reporting, from methodology to board-level dashboards.

  • Develop and continuously refine risk assessment methodologies, scoring models, and risk appetite statements.
  • Identify, evaluate, and quantify cybersecurity risks; recommend mitigation strategies and track remediation to closure.
  • Lead annual and ad hoc enterprise risk assessments, including third-party/vendor risk reviews.
  • Coordinate tabletop exercises and Incident Response Plan testing., * Keep all cybersecurity policies, standards, and procedures current and aligned to NIST CSF, HITRUST CSF, HIPAA, and PCI DSS 4.0.
  • Lead the annual policy review and approval cycle, including version control, exception management, and stakeholder sign-off.
  • Develop and map controls across frameworks to minimize duplication and audit fatigue.
  • Communicate policy changes and provide interpretive guidance to internal stakeholders and control owners., * Partner with Compliance, IT, Engineering, Product, Legal, HR, Finance, and Operations to ensure risks are captured in OSG's enterprise risk register.
  • Maintain accuracy and completeness of the risk register; track treatment plans and accept/transfer/mitigate/avoid decisions.
  • Facilitate risk review forums, steering committees, and quarterly risk governance meetings.
  • Escalate critical or unresolved risks to the CISO and executive leadership.

Compliance & Regulatory Partnership

  • Work with Compliance to ensure cybersecurity policies meet regulatory requirements (HIPAA, PCI DSS, state privacy laws) and client contractual obligations.
  • Support internal and external audits; HITRUST, SOC 2, PCI DSS, HIPAA, and client audits including coordinating evidence, responses, and remediation.
  • Track regulatory and framework changes and translate them into actionable policy and control updates.
  • Manage client-facing security questionnaires and assessments (CAIQ, SIG, HITRUST inheritance, custom questionnaires).

Contract Review

  • Review MSAs, vendor contracts, BAAs, DPAs, and other agreements to confirm cybersecurity and data protection sections meet OSG and regulatory requirements.
  • Validate clauses covering data protection, breach notification, audit rights, subcontractor controls, encryption, retention, and data return/destruction.
  • Partner with Legal, Procurement, and Sales to negotiate security-related contract language.
  • Maintain a library of standard security clauses, fallback positions, and contract templates.

Cross-Functional Leadership

  • Serve as the senior subject-matter expert for GRC, mentoring analysts and influencing stakeholders across the organization without formal reporting authority.
  • Build strong relationships with IT, Engineering, Product, Legal, Compliance, Privacy, Internal Audit, and HR.

Requirements

Do you have experience in Information security auditing?, Do you have a Bachelor's degree?, * Bachelor's degree in Information Security, Computer Science, Information Systems, or a related field.

  • 8+ years of progressive experience in cybersecurity GRC, IT audit, information security, or compliance (at least 3 years focused on policy, risk, and/or compliance).
  • Hands-on experience operating a cybersecurity risk register and end-to-end risk management lifecycle.
  • Experience supporting audits or certifications under at least two of: NIST CSF, HITRUST, HIPAA, PCI DSS, SOC 2.
  • Deep working knowledge of NIST CSF, HITRUST CSF, HIPAA Security and Privacy Rules, and PCI DSS 4.0.
  • Familiarity with adjacent frameworks: SOC 2, ISO/IEC 27001, NIST SP 800-53, NIST SP 800-171.
  • Experience reviewing and red-lining cybersecurity provisions in commercial contracts, BAAs, and DPAs.
  • Experience with at least one GRC platform (Archer, ServiceNow GRC, OneTrust, LogicGate, AuditBoard, Hyperproof, Drata, Vanta, or similar).
  • Strong written and verbal communication; able to translate technical risk into business language for executive, board, and client audiences.
  • Proven ability to manage multiple workstreams and deadlines in a matrixed, cross-functional environment.

Preferred:

  • One or more of: CISSP, CISA, CISM, CRISC, CIPP, HCISPP, HITRUST CCSFP, or PCI ISA.
  • Experience in healthcare, financial services, fintech, payments, or other heavily regulated industries.
  • Hands-on experience supporting HITRUST r2 certification and/or PCI DSS 4.0 attestation.
  • Working knowledge of HIPAA, GDPR, CCPA/CPRA, and U.S. state privacy laws.
  • Familiarity with cloud platforms (AWS, Azure, GCP) and SaaS environments, including shared responsibility models.
  • Experience in an organization undergoing rapid growth, M&A activity, or platform modernization.

Benefits & conditions

$90,000 - $140,000 a year - Full-time, Pulled from the full job description

  • Health insurance
  • 401(k) matching
  • Paid time off
  • Vision insurance
  • Dental insurance
  • Flexible spending account
  • Life insurance, * Health Insurance (EPO & HRA options)
  • Dental Insurance
  • Vision Insurance
  • Short & Long Term Disability
  • Flexible Spending Accounts
  • Life Insurance
  • Accident & Critical Illness Insurance
  • Company 401(k) Matching Contribution
  • Paid Time Off (PTO)
  • Employee Assistance Program (EAP)

Apply for this position