Governance, Risk, and Compliance Cybersecurity Lead
OSG is growing our Governance, Risk, and Compliance function and looking for an experienced practitioner ready to take real ownership, shaping how we measure, manage, and communicate cyber risk enterprise-wide.
As a GRC Cybersecurity Lead, you will own OSG's cybersecurity GRC program end-to-end. This is a high-visibility role, and you will work shoulder-to-shoulder with executive leadership, Legal, Compliance, Privacy, Internal Audit, IT, Engineering, Product, and Sales. You will report directly to the CISO and have a meaningful seat at the table where risk decisions get made.
Job Focus:
Cyber Risk Analysis & Reporting
- Own enterprise-wide cyber risk analysis and reporting, from methodology to board-level dashboards.
- Develop and continuously refine risk assessment methodologies, scoring models, and risk appetite statements.
- Identify, evaluate, and quantify cybersecurity risks; recommend mitigation strategies and track remediation to closure.
- Lead annual and ad hoc enterprise risk assessments, including third-party/vendor risk reviews.
- Coordinate tabletop exercises and Incident Response Plan testing.
Policy & Standards Management
- Keep all cybersecurity policies, standards, and procedures current and aligned to NIST CSF, HITRUST CSF, HIPAA, and PCI DSS 4.0.
- Lead the annual policy review and approval cycle, including version control, exception management, and stakeholder sign-off.
- Develop and map controls across frameworks to minimize duplication and audit fatigue.
- Communicate policy changes and provide interpretive guidance to internal stakeholders and control owners.
Risk Register Management
- Partner with Compliance, IT, Engineering, Product, Legal, HR, Finance, and Operations to ensure risks are captured in OSG's enterprise risk register.
- Maintain accuracy and completeness of the risk register; track treatment plans and accept/transfer/mitigate/avoid decisions.
- Facilitate risk review forums, steering committees, and quarterly risk governance meetings.
- Escalate critical or unresolved risks to the CISO and executive leadership.
Compliance & Regulatory Partnership
- Work with Compliance to ensure cybersecurity policies meet regulatory requirements (HIPAA, PCI DSS, state privacy laws) and client contractual obligations.
- Support internal and external audits (HITRUST, SOC 2, PCI DSS, HIPAA, and client audits), including coordinating evidence, responses, and remediation.
- Track regulatory and framework changes and translate them into actionable policy and control updates.
- Manage client-facing security questionnaires and assessments (CAIQ, SIG, HITRUST inheritance, custom questionnaires).
Contract Review
- Review MSAs, vendor contracts, BAAs, DPAs, and other agreements to confirm cybersecurity and data protection sections meet OSG and regulatory requirements.
- Validate clauses covering data protection, breach notification, audit rights, subcontractor controls, encryption, retention, and data return/destruction.
- Partner with Legal, Procurement, and Sales to negotiate security-related contract language.
- Maintain a library of standard security clauses, fallback positions, and contract templates.
Cross-Functional Leadership
- Serve as the senior subject-matter expert for GRC, mentoring analysts and influencing stakeholders across the organization without formal reporting authority.
- Build strong relationships with IT, Engineering, Product, Legal, Compliance, Privacy, Internal Audit, and HR.
Qualifications:
- Bachelor's degree in Information Security, Computer Science, Information Systems, or a related field.
- 8+ years of progressive experience in cybersecurity GRC, IT audit, information security, or compliance (at least 3 years focused on policy, risk, and/or compliance).
- Hands-on experience operating a cybersecurity risk register and end-to-end risk management lifecycle.
- Experience supporting audits or certifications under at least two of: NIST CSF, HITRUST, HIPAA, PCI DSS, SOC 2.
- Deep working knowledge of NIST CSF, HITRUST CSF, HIPAA Security and Privacy Rules, and PCI DSS 4.0.
- Familiarity with adjacent frameworks: SOC 2, ISO/IEC 27001, NIST SP 800-53, NIST SP 800-171.
- Experience reviewing and red-lining cybersecurity provisions in commercial contracts, BAAs, and DPAs.
- Experience with at least one GRC platform (Archer, ServiceNow GRC, OneTrust, LogicGate, AuditBoard, Hyperproof, Drata, Vanta, or similar).
- Strong written and verbal communication; able to translate technical risk into business language for executive, board, and client audiences.
- Proven ability to manage multiple workstreams and deadlines in a matrixed, cross-functional environment.
Preferred:
- One or more of: CISSP, CISA, CISM, CRISC, CIPP, HCISPP, HITRUST CCSFP, or PCI ISA.
- Experience in healthcare, financial services, fintech, payments, or other heavily regulated industries.
- Hands-on experience supporting HITRUST r2 certification and/or PCI DSS 4.0 attestation.
- Working knowledge of HIPAA, GDPR, CCPA/CPRA, and U.S. state privacy laws.
- Familiarity with cloud platforms (AWS, Azure, GCP) and SaaS environments, including shared responsibility models.
- Experience in an organization undergoing rapid growth, M&A activity, or platform modernization.
Benefits:
- Health Insurance (EPO & HRA options)
- Dental Insurance
- Vision Insurance
- Short & Long Term Disability
- Flexible Spending Accounts
- Life Insurance
- Accident & Critical Illness Insurance
- Company 401(k) Matching Contribution
- Paid Time Off (PTO)
- Employee Assistance Program (EAP)