GRC Cybersecurity Lead
Role details
Job location
Tech stack
Job description
As a GRC Cybersecurity Lead, you will own OSG's cybersecurity GRC program end-to-end. This is a high-visibility role and you will work shoulder-to-shoulder with executive leadership, Legal, Compliance, Privacy, Internal Audit, IT, Engineering, Product, and Sales. Reporting directly to the CISO and have a meaningful seat at the table where risk decisions get made., * Own enterprise-wide cyber risk analysis and reporting, from methodology to board-level dashboards.
- Develop and continuously refine risk assessment methodologies, scoring models, and risk appetite statements.
- Identify, evaluate, and quantify cybersecurity risks; recommend mitigation strategies and track remediation to closure.
- Lead annual and ad hoc enterprise risk assessments, including third-party/vendor risk reviews.
- Coordinate tabletop exercises and Incident Response Plan testing., * Keep all cybersecurity policies, standards, and procedures current and aligned to NIST CSF, HITRUST CSF, HIPAA, and PCI DSS 4.0.
- Lead the annual policy review and approval cycle, including version control, exception management, and stakeholder sign-off.
- Develop and map controls across frameworks to minimize duplication and audit fatigue.
- Communicate policy changes and provide interpretive guidance to internal stakeholders and control owners., * Partner with Compliance, IT, Engineering, Product, Legal, HR, Finance, and Operations to ensure risks are captured in OSG's enterprise risk register.
- Maintain accuracy and completeness of the risk register; track treatment plans and accept/transfer/mitigate/avoid decisions.
- Facilitate risk review forums, steering committees, and quarterly risk governance meetings.
- Escalate critical or unresolved risks to the CISO and executive leadership.
Compliance & Regulatory Partnership
- Work with Compliance to ensure cybersecurity policies meet regulatory requirements (HIPAA, PCI DSS, state privacy laws) and client contractual obligations.
- Support internal and external audits; HITRUST, SOC 2, PCI DSS, HIPAA, and client audits including coordinating evidence, responses, and remediation.
- Track regulatory and framework changes and translate them into actionable policy and control updates.
- Manage client-facing security questionnaires and assessments (CAIQ, SIG, HITRUST inheritance, custom questionnaires).
Contract Review
- Review MSAs, vendor contracts, BAAs, DPAs, and other agreements to confirm cybersecurity and data protection sections meet OSG and regulatory requirements.
- Validate clauses covering data protection, breach notification, audit rights, subcontractor controls, encryption, retention, and data return/destruction.
- Partner with Legal, Procurement, and Sales to negotiate security-related contract language.
- Maintain a library of standard security clauses, fallback positions, and contract templates.
Cross-Functional Leadership
- Serve as the senior subject-matter expert for GRC, mentoring analysts and influencing stakeholders across the organization without formal reporting authority.
- Build strong relationships with IT, Engineering, Product, Legal, Compliance, Privacy, Internal Audit, and HR.
Requirements
Do you have experience in Information security auditing?, Do you have a Bachelor's degree?, * Bachelor's degree in Information Security, Computer Science, Information Systems, or a related field.
- 8+ years of progressive experience in cybersecurity GRC, IT audit, information security, or compliance (at least 3 years focused on policy, risk, and/or compliance).
- Hands-on experience operating a cybersecurity risk register and end-to-end risk management lifecycle.
- Experience supporting audits or certifications under at least two of: NIST CSF, HITRUST, HIPAA, PCI DSS, SOC 2.
- Deep working knowledge of NIST CSF, HITRUST CSF, HIPAA Security and Privacy Rules, and PCI DSS 4.0.
- Familiarity with adjacent frameworks: SOC 2, ISO/IEC 27001, NIST SP 800-53, NIST SP 800-171.
- Experience reviewing and red-lining cybersecurity provisions in commercial contracts, BAAs, and DPAs.
- Experience with at least one GRC platform (Archer, ServiceNow GRC, OneTrust, LogicGate, AuditBoard, Hyperproof, Drata, Vanta, or similar).
- Strong written and verbal communication; able to translate technical risk into business language for executive, board, and client audiences.
- Proven ability to manage multiple workstreams and deadlines in a matrixed, cross-functional environment.
Preferred:
- One or more of: CISSP, CISA, CISM, CRISC, CIPP, HCISPP, HITRUST CCSFP, or PCI ISA.
- Experience in healthcare, financial services, fintech, payments, or other heavily regulated industries.
- Hands-on experience supporting HITRUST r2 certification and/or PCI DSS 4.0 attestation.
- Working knowledge of HIPAA, GDPR, CCPA/CPRA, and U.S. state privacy laws.
- Familiarity with cloud platforms (AWS, Azure, GCP) and SaaS environments, including shared responsibility models.
- Experience in an organization undergoing rapid growth, M&A activity, or platform modernization.
Benefits & conditions
$90,000 - $140,000 a year - Full-time, Pulled from the full job description
- Health insurance
- 401(k) matching
- Paid time off
- Vision insurance
- Dental insurance
- Flexible spending account
- Life insurance, * Health Insurance (EPO & HRA options)
- Dental Insurance
- Vision Insurance
- Short & Long Term Disability
- Flexible Spending Accounts
- Life Insurance
- Accident & Critical Illness Insurance
- Company 401(k) Matching Contribution
- Paid Time Off (PTO)
- Employee Assistance Program (EAP)