Lead Security Risk Analyst (GRC)

Justworks is seeking a solutions-oriented Lead Security Risk Analyst who views GRC as a dynamic service that must be as efficient as the technology it governs.

You possess the analytical clarity to translate technical findings into meaningful risk narratives and are an optimizer who thrives on automation, preferring structured workflows over manual spreadsheets. In this role, you will help lead the maturity and scalability of our GRC operating model to protect Justworks’ assets, employees, and customers.

Reporting to the Director of GRC within the Digital Security organization, you will collaborate with cross-functional partners to deliver on our mission of enterprise-level security and operational excellence.

• Roadmap Execution: Support Digital Security / GRC leadership to execute a multi-year strategy that matures Justworks’ GRC function into a technology-enabled, enterprise grade program. Provide technical leadership to build future GRC capabilities.
• Risk Operations: Design and manage the end-to-end cyber risk lifecycle—identifying, quantifying, treating, and monitoring risks within a centralized Risk Register.
• Policy & Framework Implementation: Support the Director of GRC to define the Justworks risk management framework.  Maintain cyber security policies, standards and SOPs and map to controls/frameworks to ensure cross-functional alignment. (e.g. NIST CSF, NIST 800-53, NIST AI RMF, CIS, etc.).  Monitor emerging risks and adjust policies accordingly.  Manage the cyber security exception process.
• Continuous Compliance: Build and scale the "Audit-Once, Comply-Many" engine to automate evidence orchestration (e.g. SOC2, GDPR, etc.) and internal policy enforcement.  Monitor regulatory environment changes and impact.
• Supply Chain Resilience: Advance the Vendor Security Management program by evaluating software supply chain risks and automating third-party security assessments.
• Cyber Risk Liaison: Act as a key partner to Engineering and IT to translate policies, controls and risks ensuring "Security-by-Design" across the product lifecycle.  
• GRC Stack Optimization: Lead the evolution of the GRC technology stack, focusing on bi-directional integrations and automated telemetry to eliminate manual workflows.
• Risk Advisory & Influence: Facilitate security assessments for high-impact initiatives, translating technical gaps into meaningful business insights for stakeholders.
• Security Culture & Adaptive Awareness: Develop and deploy data-driven security training and communication programs that support compliance, target specific behavioral risks and foster a security-first culture.

As a Lead Security Risk Analyst, how results are achieved is paramount for your success and ultimately result in our success as an organization. In this role, your foundational knowledge, skills, abilities and personal attributes are anchored in the following:

• Good judgment - the exercise of critical thinking, analyzing and assessing problems and implications, identifying patterns, making connections of underlying issues, understanding risks and developing mitigation strategies, and taking ownership of the outcome.
• Resourcefulness - taking a can-do approach, even in the face of obstacles and constraints by assessing what’s in front of you and effectively and efficiently optimizing what you have, whether it's working on something new or thinking about how to do something better.
• Teamwork and communication - putting our collective best together through documentation, collaboration, relationship-building, listening, empathy, recruiting, and evangelism.
• Influence and leadership - fostering a community of knowledge-sharing, collaboration, mentorship, and forward-thinking.
• Skills and knowledge - the capacity to actively learn and apply specific domain knowledge, know-how, and best practices to continually enhance and improve.

In addition, all Justworkers focus on aligning their behaviors to our core values known as COGIS. It stands for:

• Camaraderie - Day to day you can be seen working together toward a higher purpose. You like to have fun. You’re an active listener, treat people respectfully, and have a strong desire to know and help others.
• Openness - Your default is to be open. You're willing to share information, understand other perspectives, and consider new possibilities. You’re curious, ask open questions, and are receptive to thoughts and feedback from others.
• Grit - You demonstrate grit by having the courage to commit and persevere. You’re committed, earnest, and dive in to get the job done well with a positive attitude.
• Integrity - Simply put, do what you say and say what you'll do. You’re honest and forthright, have a strong moral compass, and strive to match your words with your actions while leading by example.
• Simplicity - Be like Einstein: “Everything should be made as simple as possible, but no simpler.”

• At least 7+ years' experience directly in cybersecurity fields, with a demonstrated track record of leading complex GRC projects in at least two of the following areas:  cyber risk management, vendor security management, policy & compliance, security awareness and communication
• A deep understanding of risk assessment methodology, NIST 800-53, CIS, NIST Cybersecurity Framework, NIST AI RMF and associated security and privacy rules
• Strong knowledge and experience with operational risk management, covering the full lifecycle of activities, including risk identification, assessment, mitigation, monitoring, and reporting
• Functional knowledge of security domains and information security industry standard and best practices
• Strong knowledge of third-party assessments, IT risk management, regulatory requirements and compliance and its overall business processes, controls and risk exposure
• Ability to identify and recommend tools, processes, and software to automate and continuously improve security and compliance practices. 
• Previous experience with GRC solutions 
• Technical understanding of cloud-based security in an AWS environment 
• Proven track record as a strong communicator both in written and oral presentations; capable of rapidly creating detailed, yet concise documentation
• Proven analytical abilities and using data/facts for decision-making
• Exceptional organizational skills with the ability to prioritize and manage multiple projects at the same time.
• A self-motivated person who can influence and drive cross-functional teams, promoting timely and effective communication
• Good organizational skills, proactive and self-sufficient with a proven ability to work independently and prioritize deliverables
• Security Certifications of CISSP, CISM, CRISC, CISA a plus

The base wage range for this position based in our New York City Office is targeted at $192,500.00 to $211,750.00 per year.

#LI-Hybrid #LI-CE1