Senior GRC Analyst

Morgan & Morgan, P.A.

$85K — $110K *
Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 4-6+ years in GRC, IT audit, compliance, or information security
  • Deep hands-on experience with GRC platforms, particularly Vanta
  • Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1
  • Certifications such as ISC2 CC/CCSP or ISACA CRISC/CISA required
  • Experience leading external audits and client security due diligence
  • Proven capability in designing security awareness programs
  • Bachelor's degree in Information Security, Risk Management, or Computer Science, or equivalent experience

Responsibilities

  • Build and manage the entire Third-Party Risk Management process from scratch
  • Lead risk assessments for high-exposure vendor relationships
  • Draft and oversee the complete policy lifecycle including review and approval processes
  • Actively write policy content and address gaps against established frameworks
  • Maintain the enterprise risk register and facilitate quarterly reviews
  • Assist in designing the security awareness program and adjusting based on effectiveness data
  • Serve as a point of contact for cyber insurance audits and compliance inquiries

Benefits

  • Medical and dental insurance
  • 401(k) plan
  • Paid time off
  • Paid holidays

Full Job Description

Senior GRC Analyst

Morgan & Morgan | Risk & Resilience Program

Reports To: Director of Business Continuity

Department: Information Security / Risk & Resilience

Type: Full-Time

The Opportunity

Morgan & Morgan is one of the largest plaintiff law firms in the country - 6,000+ employees, 100+ offices, and a caseload that doesn't wait. The Risk & Resilience program is in full build mode: the governance structure is set, the first BIA (business impact analysis) is complete, and the frameworks are mapped. What's missing is execution capacity.

This is not a maintenance role. You're joining at the ground floor of a GRC program that needs to be built from a standing start - TPRM methodology, policy lifecycle, risk register calibration, awareness program design. You'll own workstreams end-to-end, not coordinate them. You report directly to the Director of Business Continuity, who owns the GRC function and sets program direction.

If you want to inherit a mature program and tune it, this isn't for you. If you want to build one - with real ownership, real scope, and a clear path to being the person who shapes how risk is managed across a national law firm - read on.

What You'll Own

Third-Party Risk Management
  • Build and own the end-to-end TPRM process: risk tiering, assessment criteria, and escalation thresholds - from scratch
  • Lead risk assessments for the firm's highest-exposure vendor relationships: case management, e-discovery, payment processing, and others
  • Bring risk acceptance and remediation recommendations to the Director; own the analysis behind the decision

Policy Lifecycle
  • Run the full policy lifecycle: drafting, review cadence, approval workflows, and firm-wide attestation tracking
  • Write policy content directly - you're not inheriting a library, you're building it, translating framework requirements into language that works for a law firm
  • Identify and close policy gaps against ISO 27001, NIST CSF, and CIS v8.1 before they become audit findings

Risk Management
  • Own the enterprise risk register: methodology, scoring calibration, and quarterly review cadence
  • Lead control testing and gap assessment in Vanta; design remediation plans
  • Spot emerging risk trends and bring recommendations

Security Awareness
  • Assist with the design of the security awareness program strategy: content calendar, phishing simulation progression, targeted training for high-risk roles, and Program Champions
  • Analyze effectiveness data and adjust the program based on results, not just completion rates

Audit & Compliance Readiness
  • Serve as a point of contact for cyber insurance audits, major client security due diligence, and regulatory inquiries
  • Own the audit calendar and evidence readiness posture - you're not responding to requests as they land, you're ahead of them

Reporting & Program Visibility
  • Build and maintain the GRC reporting suite for CIO-level consumption: risk posture snapshots, control testing results, TPRM exposure summaries
  • Identify maturity gaps against framework requirements and bring prioritized roadmap recommendations to the Director

Cross-Program Coordination
  • Interface with the BC/DR and Crisis Management program on control alignment, vendor dependencies surfaced in BIAs, and recovery capability assumptions
  • Coordinate with the Privacy function (in build) on data inventory, state privacy law obligations (FL, CA, NY, and others), and third-party data handling risks
  • Once the GRC Analyst is hired, serve as a working mentor without formal management authority

What We're Looking For
  • 4-6+ years in GRC, IT audit, compliance, or information security
  • Deep hands-on experience in a GRC platform; Vanta strongly preferred
  • Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1; you've mapped controls across multiple frameworks at the same time
  • An ISC2 or ISACA certification is required: CC, CCSP, or CISSP (ISC2), or CRISC, CISA, or CISM (ISACA)
  • Direct experience leading external audits or client security due diligence as primary point of contact, including findings negotiation
  • You've designed a security awareness program
  • Comfortable operating independently
  • Bachelor's degree in Information Security, Risk Management, Computer Science, or related field; equivalent experience considered

Benefits

Morgan & Morgan is a leading personal injury law firm dedicated to protecting the people, not the powerful. This success starts with our staff. For full-time employees, we offer an excellent benefits package including medical and dental insurance, 401(k) plan, paid time off and paid holidays.