Cyber Risk Analyst / GRC Analyst – M&A Due Diligence - 100% remote (EST)
Optomi, in partnership with a global healthcare client, is looking to hire for two different positions (Cybersecurity Risk Analyst and GRC Analyst) to help with due diligence for several M&As. The Cyber Risk Analyst and/or GRC Analyst will support security and compliance due diligence for mergers and acquisitions (M&A). These roles are critical in assessing acquisition targets, identifying material cyber and compliance risks, and enabling leadership to make informed decisions quickly.
Both roles will play a key part pre- and post-acquisition, with an immediate focus on rapid value during due diligence.
This is an L2 / advisory role—you will evaluate, analyze, document, and escalate risks and gaps, but will not perform hands-on control implementation.
Depending on experience, candidates may be aligned primarily to Risk or GRC, with close collaboration across both domains.
Primary Focus for Risk Analyst: Evaluating the security and operational risk of acquisition targets
Responsibilities include:
- Assess cyber risk across domains such as:
  - Identity & access management
  - Cloud and infrastructure security
  - Third-party/vendor risk
  - Incident response & breach history
  - Vulnerability management
  - Data protection and resilience
- Evaluate risk severity, likelihood, and business impact
- Identify inherited risks that may require executive awareness or deal-level remediation planning
- Document risks in alignment with internal risk methodologies and scoring models
- Escalate high-impact risks to appropriate risk, security, or integration teams
Primary Focus for GRC Analyst: Ensuring alignment with internal frameworks, policies, and regulatory obligations
Responsibilities include:
- Evaluate acquisition targets against internal and external frameworks such as:
  - NIST, ISO 27001, SOC 2, HIPAA, HITRUST, or similar
- Assess policy maturity, governance structure, and compliance posture
- Identify gaps against internal security, privacy, and compliance standards
- Document findings clearly for remediation ownership by downstream implementation teams
- Support post-merger compliance tracking and reporting
Qualifications:
- 4+ years of experience in Cyber Risk, GRC, Security Assessments, or IT Audit
- Direct M&A due diligence experience (strongly preferred)
- Experience working in enterprise or highly regulated environments (healthcare strongly preferred)
- Strong understanding of cybersecurity risk and/or compliance frameworks
- Ability to assess incomplete information and operate effectively under time pressure
- Excellent written and verbal communication skills for executive and cross-functional audiences
Preferred Qualifications:
- Experience supporting pre-deal and post-deal M&A integration
- Healthcare, life sciences, or global enterprise experience
- Familiarity with risk quantification or control maturity modeling
- Certifications such as:
  - CISA, CRISC, CISSP, CISM, ISO Lead Auditor, HITRUST (preferred, not required)