We are looking for a detail-oriented and analytically driven GRC Risk Analyst to join a healthtech organization. In this role, you will take a risk-first approach to governance, risk, and compliance — with a strong emphasis on quantitative risk analysis using the FAIR (Factor Analysis of Information Risk) framework. Working under the guidance of the GRC Senior Manager, you will lead and support risk quantification efforts, compliance program activities, and cross-functional security initiatives. This is an opportunity to deepen your expertise in risk management while contributing to a mature, well-rounded GRC program.
Logistics: Onsite in Boston, MA.
Compensation: $100k-$130k, plus equity.
Responsibilities:
- Lead the application of the FAIR framework to quantify and communicate information risk in financial terms, enabling data-driven decision-making by leadership.
- Conduct threat event frequency and loss magnitude analyses to produce probabilistic risk models for key enterprise and technology risks.
- Build and maintain a risk register that incorporates FAIR-based risk scenarios, prioritized by quantified exposure and business impact.
- Develop and present risk reporting dashboards and executive summaries that translate technical risk into business language.
- Support the development of risk mitigation strategies and adherence to them, tracking treatment plans through to completion.
- Perform ongoing risk assessments across internal systems, processes, and third-party vendors, incorporating FAIR methodology where applicable.
- Assist in the implementation and continuous monitoring of compliance frameworks including SOC 2, ISO 27001, NIST Cybersecurity Framework, HIPAA, and HITRUST.
- Support audit activities by gathering evidence, conducting preliminary assessments, and assisting in the remediation of audit findings.
- Monitor the organization's adherence to internal policies, relevant regulations, standards, and contractual obligations.
- Partner cross-functionally with IT, Engineering, Legal, HR, and other stakeholders to document and validate compliance controls within the GRC platform.
- Provide support in incident response activities, including documentation, coordination, and post-incident analysis.
- Assist in the development and delivery of security awareness and training programs.
- Identify and implement process improvements within the GRC program to improve efficiency and effectiveness.
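As an added illustration of the FAIR quantification work described in the responsibilities above (this is not the posting's, the employer's, or any vendor's tooling), the model below turns calibrated threat event frequency, vulnerability and loss magnitude ranges into an annualized loss exposure distribution with a Monte Carlo simulation, then orders scenarios the way a quantified risk register would. The two scenarios and every dollar and frequency figure are constructed for the example; modified-PERT sampling of the expert ranges and a Poisson count of loss events per year are common modelling choices assumed here, not something the posting prescribes.

```python
"""FAIR-style Monte Carlo risk quantification.

Illustrative example only: not the posting's or any employer's tooling.
Inputs are calibrated ranges (min / most likely / max) for threat event
frequency (TEF) and loss magnitude (LM), plus a vulnerability probability,
which are the factors FAIR decomposes risk into.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    tef_min: float      # threat events per year, calibrated range
    tef_ml: float
    tef_max: float
    vuln: float         # P(threat event becomes a loss event), 0..1
    lm_min: float       # loss per event in USD (primary + secondary), calibrated range
    lm_ml: float
    lm_max: float


def pert(rng: random.Random, lo: float, ml: float, hi: float, lam: float = 4.0) -> float:
    """Draw from a modified-PERT distribution (a scaled Beta shaped by min/most-likely/max).
    Assumed modelling choice: PERT is a usual way to turn expert estimates into a distribution."""
    if hi <= lo:
        return lo
    a = 1.0 + lam * (ml - lo) / (hi - lo)
    b = 1.0 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year at expected rate lam (Knuth's method)."""
    if lam <= 0.0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(sc: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Simulate independent years and summarise the annualized loss exposure (ALE) distribution."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        # Loss Event Frequency = TEF * Vulnerability (FAIR decomposition)
        lef = pert(rng, sc.tef_min, sc.tef_ml, sc.tef_max) * sc.vuln
        events = poisson(rng, lef)
        annual.append(sum(pert(rng, sc.lm_min, sc.lm_ml, sc.lm_max) for _ in range(events)))
    annual.sort()

    def pct(p: float) -> float:
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {
        "name": sc.name,
        "mean": statistics.fmean(annual),
        "p50": pct(0.50),
        "p90": pct(0.90),   # "90% of years lose no more than this": the figure leadership usually asks for
        "max": annual[-1],
        "p_loss_year": sum(1 for x in annual if x > 0) / len(annual),
    }


def rank(scenarios, key: str = "p90", **kw) -> list:
    """Register-style ordering: highest quantified exposure first."""
    return sorted((simulate(s, **kw) for s in scenarios), key=lambda r: r[key], reverse=True)


# Constructed scenarios with made-up figures, for illustration only.
SCENARIOS = [
    Scenario("Ransomware on clinical scheduling platform", 0.5, 2, 6, 0.30, 50_000, 250_000, 1_200_000),
    Scenario("PHI exposure via misconfigured vendor file transfer", 1, 4, 12, 0.10, 20_000, 150_000, 900_000),
]

if __name__ == "__main__":
    for r in rank(SCENARIOS):
        print(f"{r['name']:<55} mean ${r['mean']:>10,.0f}  p50 ${r['p50']:>10,.0f}  "
              f"p90 ${r['p90']:>10,.0f}  P(loss year) {r['p_loss_year']:.0%}")
```

The mean of the ALE distribution is what a register typically records, but the p90 and the probability of any loss year are what let a treatment plan be argued in business terms: a control that halves vulnerability moves the p90 far more than it moves the median when loss events are rare. Sanity-check a model before presenting it: with PERT at the default shape parameter, the expected ALE is (min + 4*ml + max)/6 for TEF, times vulnerability, times the same formula for LM, and the simulated mean should land close to that.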
Qualifications:
- Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field.
- Minimum of 3 years of demonstrated experience in GRC, with a meaningful focus on risk management.
- Hands-on experience applying the FAIR framework (or comparable quantitative risk methodology) to real-world risk scenarios.
- Strong understanding of GRC concepts, principles, and practices.
- Demonstrated familiarity with relevant regulations, standards, and frameworks: SOC 2, ISO 27001, NIST Cybersecurity Framework, HIPAA, and HITRUST.
- Excellent analytical and problem-solving skills with strong attention to detail.
- Effective communication skills, with the ability to translate complex risk data into clear, actionable business insights.
- Proven ability to navigate ambiguity and complexity, turning uncertainty into clarity.
- Detail-oriented with strong organizational and time-management skills — able to balance multiple projects and deadlines.
Preferred:
- Compliance and security certifications such as CompTIA Security+, CISSP, CISA, CISM, CRISC, or equivalent GRC certifications.
- FAIR certification (Open FAIR) or formal FAIR training from FAIR Institute or RiskLens.
- Prior healthcare compliance experience and knowledge of HIPAA and/or HITRUST.
- Experience administering or using GRC platforms (e.g., ServiceNow GRC, Archer, Vanta, Drata, or similar).
- Familiarity with Jira or other project management tools for organizing and managing daily work.
Candidates must be authorized to work in the United States.