Senior GRC Analyst

The Opportunity

The Senior GRC Analyst role will be part of the Security GRC team at Postman.  The Security GRC team is responsible for the overall security posture of Postman by ensuring compliance with applicable regulations and contractual obligations and maintaining effective and efficient governance, risk, and compliance programs.  In addition, the Security GRC team is directly involved with supporting and enabling Sales and driving security and compliance initiatives to further the growth of Postman.

We seek a Senior GRC Analyst with extensive experience implementing, managing, and maturing compliance programs, including but not limited to SOC 2, ISO 27xxx, HIPAA, GDPR, CCPA, and FedRAMP.  This role must possess a significant level of technical knowledge that allows for clear communication with engineering stakeholders and the ability to provide actionable guidance and recommendations on processes (e.g. translate risk language to engineering requirements).

As a senior member of the Security GRC team, this role will be instrumental in guiding the strategy of the GRC program in partnership with senior management. In addition to technical acumen, the role requires an individual who is results-oriented and pragmatic and demonstrates effective problem-solving and communication skills. The Senior GRC Analyst often serves as a subject matter expert for colleagues and line-of-business managers, and experience with multiple technologies, compliance requirements and risk management methodologies is crucial.

What you’ll do

• Lead and coordinate high visibility projects for our risk & compliance roadmap, including: SOC2, ISO 27XXX, HITRUST, and FedRAMP.
• Contribute to the development, management, and ongoing improvement of the company risk program, compliance initiatives, and overall security risk posture.
• Lead the development and maturity of critical risk domains such as third party risk management and business resilience.
• Lead critical control activities with stakeholders across the business, quantifying risks, evaluating mitigations, and driving action to measurably reduce risk.
• Lead, participate, and innovate on processes to streamline compliance audit activities with external auditors and internal control owners to ensure successful completion of audit requirements with minimal toil.
• Establish and contribute to risk and compliance activities with an eye toward continuous controls monitoring automation.
• Act as a mentor, advisory, and escalation point for team members and stakeholders.

About You

• 7+ years of hands-on experience in cybersecurity governance, risk, and compliance, preferably within fast-paced technology companies.
• Bachelor’s degree in computer science, information security/cybersecurity, or related field or relevant work experience.
• Relevant certifications such as CISSP, CRISC, CISA, or CISM a plus.
• Knowledge of and experience implementing, managing, and maturing GRC programs with a bias to action, ability to design effective but pragmatic solutions with an ability to balance short term and long term goals.
• Proficient technical knowledge and familiarity with management information systems, cybersecurity, audits and internal controls.
• Experience working with engineering and non-engineering stakeholders to drive successful risk activities.
• Experience with establishing and maturing third party risk management programs, with a proven ability to balance third party risk with business need.
• Experience identifying gaps, creating and tracking correction action and mitigation plans to closure at scale.
• Self-motivated and well-organized to accomplish goals and tasks completely and on time.
• Experience successfully driving risk & compliance programs in globally distributed organizations.

The reasonably estimated base salary for this role ranges from $200,000 to $225,000, plus a competitive equity package. Actual compensation is based on the candidate's skills, qualifications, and experience.