Note: The job is a remote job and is open to candidates in USA. Subsplash is an exciting award-winning team of 280+ mission-driven people committed to core values of humility, innovation, and excellence. The Senior GRC Analyst will act as a strategic lead to advance security and risk operations, identifying security gaps and implementing best practices to ensure compliance with evolving regulatory landscapes.
Responsibilities
- Audit Execution: Act as the primary point of contact for external auditors; lead the end-to-end execution of PCI DSS audits and support internal audit on IT SOX controls
- Data Mapping Maintenance: Develop and maintain a comprehensive data inventory and data flow diagrams. Track how sensitive data (PII, PCI) moves through our systems to ensure compliance with privacy regulations and security boundaries
- Framework Maturation: Map and implement controls across multiple frameworks (PCI DSS, NIST CSF) to eliminate redundancies and improve the organization’s security posture
- GRC Reporting: Track and report on GRC program health across compliance posture, risk register status, audit readiness, and control effectiveness. Present metrics and trends to leadership on a regular cadence
- User Access Reviews (UAR): Orchestrate and lead the quarterly and semi-annual user access review process across all critical systems (SaaS, Cloud Infrastructure, and Internal Tools)
- Joiner/Mover/Leaver Oversight: Monitor and validate that provisioning and deprovisioning processes are executed accurately and on time across critical systems. Flag exceptions, track remediation, and maintain documentation to support access control audits
- Program Ownership: Execute and maintain a comprehensive, year-round Security Awareness Training (SAT) program that meets PCI DSS requirements while driving actual behavioral change
- Phishing Simulations: Execute monthly or quarterly phishing simulations; analyze "fail rates" and provide targeted follow-up training to high-risk groups
- Content Curation: Select and deploy engaging security content, newsletters, and "security moments" to keep cybersecurity top-of-mind for all employees
- Reporting: Present program health metrics (completion rates, simulation trends, and reporting speed) to the Leadership team
- Vendor & Risk Execution: Execute the TPRM program—conducting vendor security reviews, tracking remediation to completion, and escalating high-risk findings to leadership
- Risk Register Ownership: Maintain and update the corporate risk register, ensuring remediation efforts are tracked, validated, and communicated to leadership
Skills
- 3–5 years of dedicated experience in GRC, Information Security, or Audit
- Deep practical knowledge of PCI DSS requirements and controls
- Experience performing Data Mapping exercises and maintaining Records of Processing Activities (RoPA)
- Proven experience managing phishing platforms (e.g., KnowBe4, Mimecast, or Vanta-integrated tools) and developing security training curricula
- Proven experience managing formal access review cycles and identity governance processes
- Proven experience administering a GRC platform, including automated evidence collection, control monitoring, and access review workflows
- Experience with SOX IT General Controls (ITGCs), including change management, logical access, computer operations controls, and segregation of duties (SoD)
- Demonstrated experience using AI tools to improve GRC workflows, automate reporting, or accelerate evidence collection and analysis
- FinTech or Financial Services industry experience is highly preferred
- Direct experience with Vanta is a significant advantage
Benefits
- Generous Paid Time Off
- Medical Coverage
- Dental Coverage
- Vision Coverage
- Short and long term disability and life insurance all free of charge
- Competitive Compensation
- 401k Matching
- Professional Development
- Top of the Line Equipment
- Referral Program
- Parental Leave
- Family-Friendly Culture
- The chance to work side-by-side with thought leaders in emerging tech
Company Overview