Senior GRC Analyst
The Opportunity
Morgan & Morgan is one of the largest plaintiff law firms in the country, with over 6,000 employees and 100+ offices. The Risk & Resilience program is in full build mode, with a governance structure set, the first Business Impact Analysis (BIA) complete, and frameworks mapped out. However, there is a need for execution capacity.
What You’ll Own
Third-Party Risk Management: Build and own the end-to-end TPRM process, including risk tiering, assessment criteria, and escalation thresholds. Lead risk assessments for the firm’s highest-exposure vendor relationships, such as case management, e-discovery, and payment processing.
Policy Lifecycle: Run the full policy lifecycle, including drafting, review cadence, approval workflows, and firm-wide attestation tracking. Write policy content directly, identifying and closing gaps against ISO 27001, NIST CSF, and CIS v8.1 before they become audit findings.
Risk Management: Own the enterprise risk register, methodology, scoring calibration, and quarterly review cadence. Lead control testing and gap assessment in Vanta, and design remediation plans. Spot emerging risk trends and bring recommendations.
Security Awareness: Assist with the design of the security awareness program strategy, including content calendar, phishing simulation progression, targeted training for high-risk roles, and Program Champions. Analyze effectiveness data and adjust the program based on results.
Audit & Compliance Readiness: Serve as a point of contact for cyber insurance audits, major client security due diligence, and regulatory inquiries. Own the audit calendar and evidence readiness posture.
Reporting & Program Visibility: Build and maintain the GRC reporting suite for CIO-level consumption, including risk posture snapshots, control testing results, and TPRM exposure summaries. Identify maturity gaps against framework requirements and bring prioritized roadmap recommendations to the Director.
Cross-Program Coordination: Interface with the BC/DR and Crisis Management program on control alignment, vendor dependencies surfaced in BIAs, and recovery capability assumptions. Coordinate with the Privacy function on data inventory, state privacy law obligations, and third-party data handling risks.
What We’re Looking For
4–6+ years in GRC, IT audit, compliance, or information security
Deep hands-on experience in a GRC platform; Vanta strongly preferred
Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1; ability to map controls across multiple frameworks
ISC2 CC/CCSP or ISACA CRISC/CISA required, or other ISC2 or ISACA related certifications (CISSP, CISM)
Direct experience leading external audits or client security due diligence as primary point of contact, including findings negotiation
You’ve designed a security awareness program
Comfortable operating independently
Bachelor’s degree in Information Security, Risk Management, Computer Science, or related field; equivalent experience considered
Benefits
Morgan & Morgan offers an excellent benefits package including medical and dental insurance, 401(k) plan, paid time off and paid holidays.
Equal Opportunity Statement
Morgan & Morgan provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
E-Verify
This employer participates in E-Verify and will provide the federal government with your Form I-9 information to confirm that you are authorized to work in the U.S. If E-Verify cannot confirm that you are authorized to work, this employer is required to give you written instructions and an opportunity to contact Department of Homeland Security (DHS) or Social Security Administration (SSA) so you can begin to resolve the issue before the employer can take any action against you, including terminating your employment.
Privacy Policy
Here is a link to Morgan & Morgan's privacy policy.
Create a Job Alert
Interested in building your career at Morgan & Morgan, P.A.? Get future opportunities sent straight to your email.
Apply for this job
* indicates a required field