Senior GRC Analyst

United StatesUnited States·Orlandosenior
Grc AnalystCybersecurity
0 views0 saves0 applied

Quick Summary

Key Responsibilities

risk tiering, assessment criteria, and escalation thresholds — from scratch Lead risk assessments for the firm’s highest-exposure vendor relationships: case management, e-discovery,

Requirements Summary

methodology, scoring calibration,

Technical Tools
Grc AnalystCybersecurity

At Morgan & Morgan, the work we do matters. For millions of Americans, we’re their last line of defense against insurance companies, large corporations or defective goods. From attorneys in all 50 states, to client support staff, creative marketing to operations teams, every member of our firm has a key role to play in the winning fight for consumer rights. Our over 6,000 employees are all united by one mission: For the People.

Senior GRC Analyst

Morgan & Morgan | Risk & Resilience Program

  • Build and own the end-to-end TPRM process: risk tiering, assessment criteria, and escalation thresholds — from scratch
  • Lead risk assessments for the firm’s highest-exposure vendor relationships: case management, e-discovery, payment processing, and others
  • Bring risk acceptance and remediation recommendations to the Director; own the analysis behind the decision
  • Run the full policy lifecycle: drafting, review cadence, approval workflows, and firm-wide attestation tracking
  • Write policy content directly — you’re not inheriting a library, you’re building it, translating framework requirements into language that works for a law firm
  • Identify and close policy gaps against ISO 27001, NIST CSF, and CIS v8.1 before they become audit findings
  • Own the enterprise risk register: methodology, scoring calibration, and quarterly review cadence
  • Lead control testing and gap assessment in Vanta; design remediation plans
  • Spot emerging risk trends and bring recommendations
  • Assist with the design of the security awareness program strategy: content calendar, phishing simulation progression, targeted training for high-risk roles, and Program Champions
  • Analyze effectiveness data and adjust the program based on results, not just completion rates
  • Serve as a point of contact for cyber insurance audits, major client security due diligence, and regulatory inquiries
  • Own the audit calendar and evidence readiness posture — you’re not responding to requests as they land, you’re ahead of them
  • Build and maintain the GRC reporting suite for CIO-level consumption: risk posture snapshots, control testing results, TPRM exposure summaries
  • Identify maturity gaps against framework requirements and bring prioritized roadmap recommendations to the Director
  • Interface with the BC/DR and Crisis Management program on control alignment, vendor dependencies surfaced in BIAs, and recovery capability assumptions
  • Coordinate with the Privacy function (in build) on data inventory, state privacy law obligations (FL, CA, NY, and others), and third-party data handling risks
  • Once the GRC Analyst is hired, serve as a working mentor without formal management authority

What We’re Looking For

  • 4–6+ years in GRC, IT audit, compliance, or information security 
  • Deep hands-on experience in a GRC platform; Vanta strongly preferred 
  • Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1; you’ve mapped controls across multiple frameworks at the same time
  • ISC2 CC/CCSP or ISACA CRISC/CISA required, or other ISC2 or ISACA related certifications (CISSP, CISM)
  • Direct experience leading external audits or client security due diligence as primary point of contact, including findings negotiation
  • You’ve designed a security awareness program
  • Comfortable operating independently
  • Bachelor’s degree in Information Security, Risk Management, Computer Science, or related field; equivalent experience considered

#LI-MB1

What We Offer

~1 min read

Morgan & Morgan is a leading personal injury law firm dedicated to protecting the people, not the powerful. This success starts with our staff.  For full-time employees, we offer an excellent benefits package including medical and dental insurance, 401(k) plan,  paid time off and paid holidays.

Morgan & Morgan provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.

This employer participates in E-Verify and will provide the federal government with your Form I-9 information to confirm that you are authorized to work in the U.S. If E-Verify cannot confirm that you are authorized to work, this employer is required to give you written instructions and an opportunity to contact Department of Homeland Security (DHS) or Social Security Administration (SSA) so you can begin to resolve the issue before the employer can take any action against you, including terminating your employment. Employers can only use E-Verify once you have accepted a job offer and completed the I-9 Form.   

Here is a link to Morgan & Morgan's privacy policy.

Location & Eligibility

Where is the job
Orlando, United States
On-site at the office
Who can apply
US

Listing Details

Posted
June 30, 2026
First seen
June 30, 2026
Last seen
July 1, 2026

Posting Health

Days active
0
Repost count
0
Trust Level
60%
Scored at
June 30, 2026

Signal breakdown

freshnesssource trustcontent trustemployer trust
Morganmorganjobsapplynow

Americas largest personal injury law firm with 1000+ lawyers in 100+ offices nationwide

Employees
6k+
Founded
1988
View company profile
Newsletter

Stay ahead of the market

Get the latest job openings, salary trends, and hiring insights delivered to your inbox every week.

A
B
C
D
Join 12,000+ marketers

No spam. Unsubscribe at any time.

MorganmorganjobsapplynowSenior GRC Analyst