Senior GRC Analyst
Morgan & Morgan | Risk & Resilience Program
Reports To: Director of Business Continuity
Department: Information Security / Risk & Resilience
Type: Full-Time
The Opportunity
Morgan & Morgan is one of the largest plaintiff law firms in the country - 6,000+ employees, 100+ offices, and a caseload that doesn't wait. The Risk & Resilience program is in full build mode: governance structure is set, the first BIA is complete, and the frameworks are mapped. What's missing is execution capacity.
This is not a maintenance role. You're joining at the ground floor of a GRC program that needs to be built from a standing start - TPRM methodology, policy lifecycle, risk register calibration, awareness program design. You'll own workstreams end-to-end, not coordinate them. You report directly to the Director of Business Continuity, who owns the GRC function and sets program direction.
If you want to inherit a mature program and tune it, this isn't for you. If you want to build one - with real ownership, real scope, and a clear path to being the person who shapes how risk is managed across a national law firm - read on.
What You'll Own
Third-Party Risk Management
- Build and own the end-to-end TPRM process: risk tiering, assessment criteria, and escalation thresholds - from scratch
- Lead risk assessments for the firm's highest-exposure vendor relationships: case management, e-discovery, payment processing, and others
- Bring risk acceptance and remediation recommendations to the Director; own the analysis behind the decision
Policy Lifecycle
- Run the full policy lifecycle: drafting, review cadence, approval workflows, and firm-wide attestation tracking
- Write policy content directly - you're not inheriting a library, you're building it, translating framework requirements into language that works for a law firm
- Identify and close policy gaps against ISO 27001, NIST CSF, and CIS v8.1 before they become audit findings
Risk Management
- Own the enterprise risk register: methodology, scoring calibration, and quarterly review cadence
- Lead control testing and gap assessment in Vanta; design remediation plans
- Spot emerging risk trends and bring recommendations to the Director
Security Awareness
- Assist with the design of the security awareness program strategy: content calendar, phishing simulation progression, targeted training for high-risk roles, and Program Champions
- Analyze effectiveness data and adjust the program based on results, not just completion rates
Audit & Compliance Readiness
- Serve as a point of contact for cyber insurance audits, major client security due diligence, and regulatory inquiries
- Own the audit calendar and evidence readiness posture - you're not responding to requests as they land, you're ahead of them
Reporting & Program Visibility
- Build and maintain the GRC reporting suite for CIO-level consumption: risk posture snapshots, control testing results, TPRM exposure summaries
- Identify maturity gaps against framework requirements and bring prioritized roadmap recommendations to the Director
Cross-Program Coordination
- Interface with the BC/DR and Crisis Management program on control alignment, vendor dependencies surfaced in BIAs, and recovery capability assumptions
- Coordinate with the Privacy function (in build) on data inventory, state privacy law obligations (FL, CA, NY, and others), and third-party data handling risks
- Once the GRC Analyst is hired, serve as a working mentor without formal management authority
What We're Looking For
- 4-6+ years in GRC, IT audit, compliance, or information security
- Deep hands-on experience in a GRC platform; Vanta strongly preferred
- Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1; you've mapped controls across multiple frameworks at the same time
- One of ISC2 CC or CCSP, or ISACA CRISC or CISA, is required; other ISC2 or ISACA certifications (CISSP, CISM) also qualify
- Direct experience leading external audits or client security due diligence as primary point of contact, including findings negotiation
- You've designed a security awareness program
- Comfortable operating independently
- Bachelor's degree in Information Security, Risk Management, Computer Science, or related field; equivalent experience considered
Benefits
Morgan & Morgan is a leading personal injury law firm dedicated to protecting the people, not the powerful. This success starts with our staff. For full-time employees, we offer an excellent benefits package including medical and dental insurance, 401(k) plan, paid time off and paid holidays.