Principal GRC Analyst

Job description

Business Wire, a Berkshire Hathaway company, is the global market leader in press release distribution and regulatory disclosure. We are on a mission to redefine how organizations connect with their audiences - and that’s just the beginning!

Organizations, large and small, depend on us to accurately publicize market-moving news and multimedia, and generate social engagements that develop interactions with their target audiences.

About the Role

The Principal Governance, Risk, and Compliance (GRC) Analyst will identify, assess, and mitigate cybersecurity risks, focusing on automating and optimizing cybersecurity controls. This role will evaluate the effectiveness of security controls, ensure compliance with relevant frameworks, and streamline risk management processes. The ideal candidate will possess deep cybersecurity risk management, regulatory compliance knowledge, and hands-on experience in Integrated Risk Management and Third-Party Risk Management (TPRM) tools.

The Analyst will partner with the business, IT, and security organizations to coordinate the mitigation of identified risks and automate the controls to achieve a higher compliance level of mandated regulations, standards, and policies within the organization.

What You’ll Do

• Automate and manage cybersecurity controls across the organization, ensuring they are appropriately implemented and effectively mitigate risks.
• Evaluate, implement, and administer ITRM and TPRM tool(s).
• Coordinate and participate in managing the risk register and risk mitigation efforts, including managing the risk exception process.
• Conduct internal cybersecurity and third-party risk assessments.
• Develop and maintain an inventory of cybersecurity controls mapped to industry standards (e.g., NIST, ISO 27001, CIS, SOC 2) and regulatory requirements (e.g., GDPR, CCPA, PCI-DSS, and SOX).
• Develop assessment questionnaires and conduct compliance assessments to identify gaps in existing controls and recommend mitigation strategies, leveraging automation and assessment tools.
• Collaborate with key stakeholders (IT, InfoSec, Compliance, and Legal) to ensure that risks are understood, assessed, and appropriately addressed.
• Generate risk and control assessment reports and dashboards for senior leadership, identifying key risks, mitigation progress, and controls effectiveness metrics.
• Collaborate to document and maintain up-to-date policies and procedures related to cybersecurity risk management and control automation.

What You’ll Need

• Bachelor’s degree in Information Security, Information Technology, Information Systems Management, Computer Science, Engineering, or related field(s).
• 8+ years of experience using risk management and GRC platforms to automate control testing, conduct risk assessments, and track compliance.
• A strong understanding of cybersecurity controls, risk mitigation strategies, and their application for data protection and privacy compliance.
• Ability to analyze complex cybersecurity risks, identify control weaknesses, and recommend actionable mitigation strategies.
• Security and compliance certifications, such as CISSP, CISA, CISM, CGEIT, or CRISC, are preferred. Candidates with CISSP will be given preference.

Technical Knowledge

Must possess solid working knowledge of/experience in:

• Identity and access management and governance concepts and technologies, such as Microsoft Entra, Active Directory, PAM, etc.
• Vulnerability management platforms such as Rapid7.
• IT asset management, Configuration Management Databases (CMDB), and network asset discovery tools.
• Control frameworks and objectives (e.g., NIST CSF, NIST RMF, PCI-DSS, SOX, SOC 2, GDPR, CCPA, etc.).
• Operating systems, databases, and middleware components.
• Conducting compliance and risk assessments.
• Management of IT and security projects.
• Office 365 tools (Word, Excel, SharePoint, OneDrive, Teams, and PowerPoint).

Work Environment Characteristics

• Self-motivated and results-oriented, including the ability to prioritize conflicting assignments.
• Exceptional organizational skills to balance work and lead projects.
• Strong verbal and written skills.
• Ability to collaborate and build consensus and strong relationships with various internal and external stakeholders (business, development, security, auditors, legal, etc.).
• Ability to adapt and apply information to new scenarios and technologies.

Business Wire will not sponsor a new applicant for employment authorization for this position.

What We Offer

The base salary range for this position is $175K to $182K/year.  Offered salary will be determined by several factors, including but not limited to: applicant’s education, experience, knowledge, skills and abilities, as well as internal equity and alignment with geographic market data.  Business Wire reserves the right to modify this salary range at any time.

Business Wire’s total rewards include:

• Ability to work remotely
• Excellent health benefits that begin on your first day of employment
• $100 monthly fitness allotment, a tuition reimbursement program, and enhanced mental health resources
• 401(k) plan with generous company match, and annual profit sharing contribution (subject to company performance)
• PTO, Floating Holidays, Wellness Day Off, Birthday Day Off, and more!

A pre-employment background check will be required after the acceptance of an offer. Business Wire is proud to be an equal opportunity workplace. We are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or Veteran status. Pursuant to the San Francisco Fair Chance Ordinance and other similar state laws and local ordinances, and its internal policy, Business Wire will also consider for employment qualified applicants with arrest and conviction records.