Jobs · Legal · New York

Senior Governance, Risk, Compliance (GRC) Analyst

Headway · New York, United States · 2 wk ago
HybridLegal$162k–$202k/yrFull-time

About the role

Headway handles sensitive health data for millions of patients — and that responsibility demands a security and compliance program that scales with the business. We're building out our dedicated GRC team to improve and mature our program!

Responsibilities

  • Support HITRUST, SOC 2, PCI-DSS, and HIPAA audit readiness — collecting evidence, coordinating with assessors, tracking control gaps and remediation timelines.
  • Build and manage the vendor security assessment lifecycle — questionnaires, SOC 2/ISO reviews, risk scoring, and policy enforcement across procurement and renewals.
  • Stand up and run Headway's security awareness training program — onboarding modules, phishing simulations, annual compliance training, and completion tracking.
  • Operate the centralized risk register — identifying, assessing, and tracking technical security risks through mitigation, and surfacing risk-informed priorities to engineering and security leadership.
  • Partner cross-functionally with Privacy, Legal, IT, and Engineering to embed compliance into how Headway operates — not bolt it on after the fact.

Requirements

  • You have 5+ years of experience in a GRC, compliance, or security risk role.
  • You have working knowledge of at least two of: HITRUST, SOC 2, PCI-DSS, or HIPAA.
  • You've used a GRC platform like Vanta, Drata, OneTrust, or similar to automate evidence collection or manage controls.
  • You communicate compliance requirements clearly to both technical and non-technical audiences.
  • You default to building repeatable processes over one-off heroics.
  • You're excited about using AI and modern tooling to scale compliance operations.

Qualifications

  • You have a bachelor's degree in Computer Science, Information Systems, or a related field.
  • You have a CISSP, CISM, or equivalent certification.
  • You have experience with HIPAA regulations and best practices.
  • You have experience with GRC platforms and tools.
  • You have experience with risk assessments and mitigation strategies.

Skills

  • Experience with HITRUST, SOC 2, PCI-DSS, or HIPAA.
  • Knowledge of GRC platforms and tools.
  • Experience with risk assessments and mitigation strategies.
  • Strong communication skills.
  • Ability to build repeatable processes.
  • Experience with AI and modern tooling.

Benefits

  • Compensation range: $161,600 to $202,000 based on qualifications, experience, and location.
  • Equity compensation.
  • Medical, Dental, and Vision coverage.
  • HSA / FSA.
  • 401K.
  • Work-from-Home Stipend.
  • Therapy Reimbursement.
  • 16-week parental leave for eligible employees.
  • Carrot Fertility annual reimbursement and membership.
  • 13 paid holidays each year as well as a Holiday Break during the week between December 25th and December 31st.
  • Flexible PTO.
  • Employee Assistance Program (EAP).
  • Training and professional development.

Pay

The expected base pay range for this position is $161,600 to 202,000 based on a variety of factors including qualifications, experience, and geographic location.

Schedule

Not specified.

Similar jobs