THE OPPORTUNITYThe Senior GRC Analyst reports to the Director of Information Security and owns three primary functions: the compliance platform (Vanta), inbound customer security assessments, and FedRAMP ConMon execution support. This is an independent practitioner role - direction comes from the Director, but you own your work without step-by-step guidance.
The "Senior" in this title is earned by the scope, not just the experience level. Owning the compliance platform means auditors see your work directly. Owning customer assessments means your responses are read by enterprise security teams before they sign. Supporting FedRAMP ConMon means authorization status depends in part on what you produce monthly. The stakes are real.
WHAT YOU'LL OWNCompliance platform (Vanta) - primary owner- Own the compliance platform end-to-end: evidence library currency, control mapping accuracy, framework completeness across SOC 2, ISO 27001, FedRAMP, and GDPR
- Evidence is current year-round - not assembled at audit time; no stale or missing evidence in any active certification domain
Customer security assessments - primary owner- Own the inbound customer assessment intake and response process - all RFPs and security questionnaires are assigned, tracked, and responded to within defined SLA
- Collaborate with sales, legal, and technical teams on complex questionnaire responses; escalate novel or sensitive items to the Director
- Maintain and improve the questionnaire response library across all active frameworks
FedRAMP ConMon - execution support- Support monthly ConMon reporting - vulnerability scan results, POA&M updates, and evidence - as primary executor
- Maintain POA&M tracking accuracy; flag aging items to the Director before they breach defined thresholds
TPCRM and compliance support- Support third-party risk identification, assessment, and monitoring activities as directed
- Monitor compliance framework and regulatory changes; assess impact and surface findings to the Director with a recommended response
- Support internal audit processes - evidence coordination, control testing documentation, and auditor request responses
WHAT YOU BRING- 2-4 years of hands-on experience in GRC, compliance, or information security
- Practical working knowledge of SOC 2, NIST, or ISO 27001 applied in a real compliance environment
- Experience producing compliance evidence, contributing to audit cycles, or managing specific framework control domains independently
- Familiarity with cloud services principles and their security and compliance implications
- General knowledge of core security domains: network security, email security, endpoint protection, vulnerability scanning, access controls, log management
- Strong written communication - audit-ready documentation produced independently
PREFERRED- Hands-on experience administering Vanta or an equivalent compliance platform as a primary owner - not just a user
- Direct experience with FedRAMP ConMon - monthly reporting, POA&M tracking, evidence production
- Experience owning or significantly contributing to a customer security questionnaire response program
- Familiarity with TPCRM programs and vendor questionnaire workflows
- Active or in-progress certification: CompTIA Security+, CISA, CRISC, ISO 27001 Lead Auditor/Implementer, or equivalent
The expected base salary range for this role is $100,000-$115,00 per year. Compensation at Black Kite is more than just base pay - we offer a total rewards program that includes performance-based bonuses, equity, flexible healthcare options, paid time off, and retirement savings programs. The annual base salary range for this position represents a nationwide market range and reflects a broad spectrum of salaries for this role across the United States. Actual compensation will depend on factors such as qualifications, skills, experience, and the scope, complexity, and location of the role.
