
Senior Information Security GRC Analyst

Remote: Full Remote
Experience: Senior (5-10 years)

Offer summary

Qualifications:

Bachelor’s degree in Information Security or Computer Science; experience in a GRC role; in-depth knowledge of security frameworks and regulations; certifications such as CISA, CISSP, CRISC, and Security+.

Key responsibilities:

  • Develop and manage security governance framework.
  • Conduct risk assessments and ensure compliance.
WEX (https://www.wexinc.com/), 5001 - 10000 employees

Job description

About the Team/Role

WEX is seeking an experienced Information Security Governance, Risk, and Compliance (GRC) Analyst to join our dynamic security team. In this role, you will be responsible for developing, implementing, and managing our organization’s security governance framework, assessing and mitigating risks, and ensuring compliance with applicable regulations and standards. As a security analyst, you will lead complex projects, provide strategic insight on security-related tasks, and give guidance to other teams across the enterprise.

How you'll make an impact

  • Develop, implement, and maintain security policies, standards, and guidelines in alignment with regulatory and industry requirements.

  • Assist in efforts to assess and enhance the organization’s information security governance framework, ensuring consistent application across all business units.

  • Provide guidance and support to business units in implementing and adhering to security policies, standards and procedures.

  • Monitor and report findings and metrics on the effectiveness of security governance initiatives to senior management.

  • Conduct risk assessments, including identifying, analyzing, and prioritizing risks, to determine the potential impact on the organization.

  • Collaborate with business units to develop and implement risk mitigation strategies, ensuring that security controls are appropriate and effective.

  • Continuously monitor and review the organization’s risk posture, adjusting strategies as needed to address emerging threats.

  • Prepare and present risk assessment findings, metrics, and recommendations to stakeholders, including executive management.

  • Ensure the organization’s compliance with relevant regulatory requirements, industry standards (e.g., ISO 27001, PCI-DSS, NIST, GDPR, HIPAA, DORA, etc.), and internal policies.

  • Conduct regular audits and assessments to verify adherence to security controls and compliance requirements.

  • Serve as a subject matter expert on security compliance, providing advice and guidance to teams across the organization.

  • Participate in incident response activities, including investigation, containment, and recovery.

  • Conduct root cause analysis of security incidents.

  • Develop and maintain incident response plans and procedures.

  • Manage and oversee third-party audits, including coordination of responses to audit findings and ensuring remediation of any identified issues.

  • Prepare and submit compliance reports to regulatory bodies as required.

  • Assess and manage the security posture of third-party vendors and service providers.

  • Ensure that third-party contracts include appropriate security requirements.

  • Prepare and develop corrective action plans.

  • Prepare and deliver reports on metrics, compliance status, and risk management activities to executive leadership and other stakeholders.

  • Develop and deliver security awareness and training programs to educate employees on security policies, procedures, and best practices.

  • Promote a culture of security awareness throughout the organization, encouraging proactive risk management and compliance.

Experience you'll bring

  • Bachelor’s degree in Information Security, Computer Science, or a related field.

  • Experience in information security in a Governance, Risk, and Compliance (GRC) role.

  • In-depth knowledge of information security frameworks, standards, and regulations.

  • Proven experience in risk management and compliance activities.

  • Experience with industry regulatory compliance frameworks (e.g. PCI-DSS, HITRUST, SOX/SOC, NIST, FedRAMP, FISMA, etc.).

  • Demonstrated ability to take initiative and accountability for achieving results.

  • Understanding of cloud-based infrastructure components, with specific understanding of the security risks presented in a decentralized and hybrid environment.

  • Experience with security audit processes and responding to regulatory inquiries.

  • Experience with security industry tools and best practices.

  • Strong analytical, problem-solving, and decision-making skills.

  • Excellent communication and interpersonal skills with the ability to effectively convey technical information to non-technical stakeholders.

  • Ability to work independently and as part of a team in a fast-paced, dynamic environment.

  • Strong project management skills with the ability to manage multiple priorities simultaneously.

  • Experience with gathering metrics and creating dashboards to be presented to executive management.

  • Certified Information Systems Auditor (CISA)

  • Certified Information Systems Security Professional (CISSP)

  • Certified in Risk and Information Systems Control (CRISC)

  • CompTIA Security+.

Required profile

Experience

Level of experience: Senior (5-10 years)
Spoken language(s):
English

Other Skills

  • Problem Solving
  • Decision Making
  • Communication
  • Analytical Skills
  • Social Skills
