GRC Consultant
Role: GRC Consultant
Location: Oakland, CA (Hybrid On-site required week 1 and monthly thereafter)
Duration: 4-5 months (initial engagement)
Overview: The Client is seeking a hands-on Cyber GRC & Data Security Governance Consultant to lead a foundational "clean-and-build" initiative. This is not an advisory or project management role; we require a true GRC practitioner who can independently own and execute governance processes end-to-end. The ideal candidate will have deep, hands-on experience working within GRC platforms, building and managing controls, risk, compliance, and audit processes, and will also support the development of a comprehensive Data Security Governance program.
Core Responsibilities & Deliverables
- GRC Process Ownership & Execution: Own and execute core Cyber GRC functions including building and managing control libraries, risk registers, compliance workflows, evidence collection processes, policy exceptions, and audit response activities
- NIST CSF Validation: Conduct a deep-dive review of current security controls (Identity, Network, Cloud) to assess alignment, effectiveness, and documentation gaps against NIST CSF/NIST 800-53
- GRC Platform Management (Hyperproof): Serve as the primary hands-on administrator of Hyperproof, the organization's sole GRC platform, configuring and managing controls, risks, policies, and audit artifacts. Lead the migration from CIS Top 20 to NIST CSF within Hyperproof, including framework selection, control remapping, and coordination with Hyperproof support as needed. Prior experience with platforms such as Archer, ServiceNow GRC, OneTrust, or AuditBoard is a plus
- Data Security Governance (DSG): Design and implement a comprehensive data governance framework covering data classification, handling standards, access governance, retention policies, encryption requirements, and DLP controls. Near-term deliverable is a structured 10-15 page DSG report built on existing organizational templates and resources
- Policy Centralization: Review, rationalize, and migrate existing policies and SOPs into the GRC platform while ensuring alignment to controls, standards, and regulatory requirements
- Audit Readiness: Establish sustainable audit and compliance processes including documentation standards, evidence tracking, version control, and review cadences
- Risk Register Re-Prioritization & Control Management: Re-categorize and objectively re-score approximately 100 existing risks in Hyperproof using a weighted factor analysis methodology, considering business, compliance, and regulatory risk dimensions. Assign data owners, action items, and ETAs, and monitor remediation progress. Engage business stakeholders directly to validate risk scores against real-world operational impact
- Third-Party Risk Management (TPRM): Own and operate the TPRM program within Hyperproof, including tracking vendor security assessment questionnaires, following up on outstanding responses, and maintaining an up-to-date vendor risk pipeline. Escalate high-risk findings and ensure vendor risk is reflected in the overall risk register
Required Experience
- 5+ years in Cyber GRC (hands-on): Proven experience owning and executing GRC programs, not just coordinating or supporting them
- GRC Tool Expertise (Hyperproof Required): Hands-on experience configuring and managing Hyperproof is strongly preferred; candidates with equivalent experience in Archer, ServiceNow GRC, OneTrust, or AuditBoard will be considered but must be prepared to ramp on Hyperproof immediately upon joining
- Framework Expertise: Strong experience implementing and operationalizing NIST CSF and/or NIST 800-53
- GRC Process Depth: Demonstrated experience building and managing control libraries, risk registers, compliance workflows, audit processes, and governance deliverables
- Data Security Governance: Experience defining and implementing data classification, handling standards, access governance, retention, encryption, DLP, and third-party data risk
- Technical Writing: Proven ability to develop detailed, actionable security policies, standards, and SOPs
- Cyber Literacy: Strong understanding of security controls (MFA, EDR, SIEM, Encryption, etc.) to validate effectiveness of implementations
- Third-Party Risk Management: Experience running vendor risk programs, including issuing and tracking security assessment questionnaires, maintaining vendor risk registers, and escalating findings through a formal TPRM process
- Stakeholder Engagement & On-Site Availability: Ability and willingness to be on-site in Oakland during the first week of engagement and at least once per month thereafter. Comfort engaging directly with business owners to understand operational, regulatory, and compliance risks; this role requires relationship-building, not just platform work
