Sargent & Lundy · 1 day ago
Senior GRC Analyst
Sargent & Lundy is a leading consulting engineering firm specializing in the power and energy sectors. They are seeking a Senior GRC Analyst to lead key pillars of Governance, Risk, and Compliance with a focus on Information Security and Third Party Risk Management, while driving measurable outcomes through data analysis and reporting.
Electronics · Energy · Information Technology
Responsibilities
Lead and mature the Third-Party Risk Management (TPRM) program: Develop & manage the vendor inventory, conduct risk reviews of third-party vendors, define tiering/scoping, evaluate controls, track obligations/findings through closure, and standardize evidence retention in collaboration with Legal and Procurement
Drive strong contract management with Legal and Procurement: Standardize security and privacy clauses, review S&L client contracts, negotiate requirements, and ensure obligations are tracked, owned, and reported
Own the security awareness & training program end-to-end: Develop curriculum, coordinate communications, execute phishing simulations, analyze outcomes, and improve effectiveness using KPI/KRI dashboards and trend reporting
Administer and optimize GRC platforms and workflows (e.g., Hyperproof) to maintain visibility into risks, assessments, findings, and audit deliverables; establish SLAs and performance indicators
Develop the risk management & risk assessment practice, conduct risk assessments, and develop and manage a risk register with clear tracking of risks and accountability
Advance security governance by drafting, maintaining, and operationalizing policies, standards, procedures, and roles & responsibilities; lead change management and communications to ensure policy implementation and adoption
Coordinate evidence and execute control readiness for ISO 27001, SOC 2, NIST CSF, CMMC (gap analysis, control testing, POA&Ms), and support automation that reduces workload
Support privacy-aligned practices (e.g., GDPR): contribute to data classification/handling standards, data mapping/records of processing, privacy-by-design reviews, incident/breach alignment, and retention practices
Oversee governance for Business Continuity, Disaster Recovery, and Backup & Recovery in partnership with IT (plan maintenance, exercises, lessons learned, reporting)
Lead cross-functional coordination with IT, HR, Finance, Legal, and business teams to embed compliance into operations and accelerate remediation of findings
Manage security tasks/projects and report progress via standardized dashboards, scorecards, and executive-ready narratives, highlighting risk, performance, and trends
Define, publish, and automate metrics & management reporting (KPIs/KRIs) for training effectiveness, phishing trends, vendor risk, audit readiness, privacy/policy adoption, and control performance
Continuously upgrade information security skills, contribute to Information Security team skill development with playbooks, enablement sessions, and knowledge-sharing
Support government contract compliance reviews and tracking, ensuring obligations are documented, monitored, and evidenced
Qualifications
Required
Bachelor's degree in computer science, information systems, or related field; or equivalent professional experience
5+ years in GRC or related domains, including leadership/ownership of programs or workstreams
Strong understanding of ISO 27001, SOC 2, NIST CSF; experience with CMMC readiness
Practical knowledge of privacy and GDPR with the ability to implement policy via procedures, controls, communications, and training
Proven expertise in risk management, compliance operations, policy/standards, vendor risk, resilience, security training/awareness, and audit readiness
Advanced data analysis skills with the ability to design and maintain KPI/KRI dashboards, translate data into insights, and present executive-ready reporting
Familiarity with security technologies across on-prem and cloud environments; strong problem-solving and systems thinking
Professional certifications (e.g., CISSP, CISM, CRISC) are advantageous
Benefits
Health Plans: Medical, Dental, Vision
Life & Accident Insurance
Disability Coverage
Employee Assistance Program (EAP)
Back-Up Daycare
FSA & HSA
401(k)
Pre-Tax Commuter Account
Merit Scholarship Program
Employee Discount Program
Corporate Charitable Giving Program
Tuition Assistance
First Professional Licensure Bonus
Employee Referral Bonus
Paid Annual Personal/Sick Time (PST)
Paid Vacation
Paid Holidays
Paid Parental Leave
Paid Bereavement Leave
Flexible Work Arrangements
Company
Sargent & Lundy
Sargent & Lundy is a power generation company that provides technical expertise and integration for global use.
Funding
Current Stage: Late Stage