Senior Governance, Risk, Compliance (GRC) Analyst
Headway · New York, United States · 2 wk ago
HybridLegal$162k–$202k/yrFull-time
About the role
Headway handles sensitive health data for millions of patients — and that responsibility demands a security and compliance program that scales with the business. We're building out our dedicated GRC team to improve and mature our program!
Responsibilities
- Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating with assessors, tracking control gaps and remediation timelines.
- Build and manage the vendor security assessment lifecycle — questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement across procurement and renewals.
- Stand up and run Headway's security awareness training program — onboarding modules, phishing simulations, annual compliance training, and completion tracking.
- Operate the centralized risk register — identifying, assessing, and tracking technical security risks through mitigation, and surfacing risk-informed priorities to engineering and security leadership.
- Partner cross-functionally with Privacy, Legal, IT, and Engineering to embed compliance into how Headway operates — not bolt it on after the fact.
Requirements
- You have 5+ years of experience in a GRC, compliance, or security risk role.
- You have working knowledge of at least two of: HITRUST, SOC 2, PCI-DSS, or HIPAA.
- You've used a GRC platform like Vanta, Drata, OneTrust, or similar to automate evidence collection or manage controls.
- You communicate compliance requirements clearly to both technical and non-technical audiences.
- You default to building repeatable processes over one-off heroics.
- You're excited about using AI and modern tooling to scale compliance operations.
Qualifications
- You have a bachelor's degree in Computer Science, Information Systems, or a related field.
- You have a CISSP, CISM, or equivalent certification.
- You have experience with HIPAA regulations and best practices.
- You have experience with GRC platforms and tools.
- You have experience with risk assessments and mitigation strategies.
Skills
- Experience with HITRUST, SOC 2, PCI-DSS, or HIPAA.
- Knowledge of GRC platforms and tools.
- Experience with risk assessments and mitigation strategies.
- Strong communication skills.
- Ability to build repeatable processes.
- Experience with AI and modern tooling.
Benefits
- Compensation range: $161,600 to $202,000 based on qualifications, experience, and location.
- Equity compensation.
- Medical, Dental, and Vision coverage.
- HSA / FSA.
- 401K.
- Work-from-Home Stipend.
- Therapy Reimbursement.
- 16-week parental leave for eligible employees.
- Carrot Fertility annual reimbursement and membership.
- 13 paid holidays each year as well as a Holiday Break during the week between December 25th and December 31st.
- Flexible PTO.
- Employee Assistance Program (EAP).
- Training and professional development.
Pay
The expected base pay range for this position is $161,600 to 202,000 based on a variety of factors including qualifications, experience, and geographic location.
Schedule
Not specified.