GRC Analyst

Hybrid in Arlington, VA, US • Posted 18 days ago • Updated 2 days ago
Full Time
Occasional Travel Required
Hybrid
$60 - $65/hr

Job Details

Skills

  • NIST RMF/CSF/800-171
  • DevOps pipelines
  • CI/CD
  • AWS
  • Azure
  • CISSP
  • CRISC
  • GIAC

Summary

Sr. Security Governance, Risk, & Compliance (GRC) Professional

Arlington, VA

12 Months Contract

Hybrid Job: 3 Days onsite at Arlington, VA office.

Essential Duties and Responsibilities:

  • Perform control/risk assessments by leveraging a deep understanding of the organization's technology stack, including cloud platforms, infrastructure components, DevOps pipelines, and application architectures, to define scope, control procedures, policies, and testing criteria.
  • Conduct cyber risk evaluations using recognized frameworks (NIST RMF/CSF/800-171 and PCI) while aligning control expectations to the technical design of systems, services, data flows, and authentication models.
  • Assess likelihood vs. impact for risks identified through vulnerability data, engineering feedback, internal assessments, operational telemetry, and threat intelligence feeds.
  • Translate complex technical issues such as cloud misconfigurations, exposed APIs, IAM weaknesses, system design flaws, and network segmentation gaps into clear and actionable risk statements that outline threat vectors, attack paths, and potential business impacts.
  • Perform quantitative and qualitative risk analysis using scenario modeling, loss event frequency analysis, and control effectiveness scoring informed by threat behaviors and system architecture.
  • Conduct ongoing threat analysis by evaluating adversary tactics (MITRE ATT&CK), exploitability of technology-stack components, vulnerability chaining paths, and systemic architectural risks.
  • Evaluate how threats and risks affect business operations, financial exposure, regulatory posture, and service availability by connecting technical failures to operational dependencies.
  • Facilitate risk workshops with business leaders and engineering teams to ensure consistent risk scoring and prioritization grounded in realistic threat scenarios and technical context.
  • Maintain and enhance the enterprise risk register with detailed technical context, including system dependencies, technology-layer impacts, exploit conditions, and risk scoring rationale.
  • Support development of risk appetite thresholds, KRIs, and measurement models that reflect real-world threat activity, platform maturity, and evolving attacker capabilities.
  • Review and validate risk remediation plans for technical accuracy, feasibility within the system architecture, and expected reduction of identified threat vectors.
  • Partner with engineering and security teams to understand technical assessments such as pen tests, red team operations, secure code reviews, cloud posture reviews, and vulnerability scans, and convert findings into structured risk evaluations.
  • Contribute to policy, standard, and governance framework improvements by integrating insights about system architecture, cloud controls, data protection mechanisms, and threat-informed defense requirements.
  • Support internal and external audits by interpreting technical security requirements, collecting evidence from systems and platforms, and mapping controls to risks observed in the technology stack.
  • Track emerging threats, vulnerabilities, attacker tradecraft, and regulatory expectations, analyzing their relevance to the environment's architecture, and advise leadership on potential risk impacts and required mitigation strategies.

Formal Education Required:

Bachelor's in Computer Science, Management Information Systems, Information Security, or a related field.

Experience and Certifications Required:

  • 10+ years of experience in risk management and compliance, IT operations, or security engineering, with 5+ years of experience performing security control assessments, IT governance, and contract management.
  • 10+ years of experience in information security, with strong technical knowledge of cybersecurity technologies.
  • 5+ years of experience in an audit and risk assessment environment.
  • 10+ years of experience across a variety of technology disciplines, including software development, systems engineering, systems integration, and technology evaluation.
  • Highly proficient in information security controls and frameworks such as NIST CSF, HIPAA, NIST SP 800-30, NIST SP 800-53, NIST SP 800-171, NERC CIP, PCI, ISO 27001/27002, ISO 27005, and the Center for Internet Security (CIS) 20 Critical Security Controls.
  • Experience with public cloud service providers (AWS and Azure), specifically the industry-standard controls and best practices for configuring and managing these services.
  • Experience managing GRC software, specifically ServiceNow's GRC modules.

Preferred Certifications: Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), GIAC Security Expert (GSE).

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 91127150
  • Position Id: 8887098
