GRC Analyst

7+ years in Vulnerability Assessment / Vulnerability Management. Proficiency with vulnerability tools: Nessus, Qualys (plus experience with AppScan, Trustwave, Burp Suite, Nipper is a strong advantage). Solid grasp of application security concepts and assessment methodologies. Strong knowledge of core cybersecurity concepts (threats, vulnerabilities, risk, confidentiality/integrity/availability, cryptography). Expertise with common frameworks and taxonomies: CVSS, OWASP Top 10. Knowledge of system, application, and database hardening techniques and secure configuration benchmarks. Strong understanding of Internet security and networking protocols. Experience in cloud security (IaaS/PaaS/SaaS) and risks unique to cloud environments. Ability to interface confidently with both technical and non-technical stakeholders; proven client-facing communication skills (written and verbal). Demonstrated ability to work independently, meet schedules, and deliver to timelines in a distributed team environment. Analytical mindset with the ability to identify, prioritize, and explain advanced threats and misconfigurations. Strong security reporting acumen—turning scan data into clear narratives, visuals, and decisions for executives and engineers. Availability outside of standard working hours for high-priority events. Scripting skills (Python, Perl, Shell/Bash) for automation, data wrangling, and integration (Nice to Have). Software development background or familiarity with SDLC/Develops practices (Nice to Have). Experience building reports/dashboards in BI or native security platforms (e.g., Qualys/Nessus dashboards, Power BI, Tableau) (Nice to Have). Ability to collaborate across cultures/time zones; adaptable, detail-oriented, and comfortable with changing priorities (Nice to Have). Positive, constructive approach with strong teamwork and stakeholder management (Nice to Have).

Manage the full vulnerability lifecycle from asset onboarding and scan configuration through triage, tracking, remediation coaching, and verified closure. Ensure alignment with applicable configuration and security standards (e.g., NIST, PCI DSS) and provide audit ready evidence. Perform vulnerability and configuration assessments; deliver timely, accurate assessment reports tailored for technical and non-technical stakeholders. Design, implement, and maintain dashboards and visualizations that demonstrate assessment coverage, risk posture, and remediation effectiveness. Produce executive summaries, technical deep-dives, and KPI packs for clients. Track and report SLA performance, exposure trends, MTTR, risk reduction, and exception/acceptance statuses. Validate data quality across scanners and CMDB sources; reconcile false positives/duplicates; document scope and methodology. Present findings in governance forums, QBRs, and remediation working sessions; capture actions and owners. Implement and refine processes, capabilities, and techniques for vulnerability management and security testing; drive ongoing platform maintenance and upgrades. Track vulnerability disclosures and threat intelligence; rapidly assess relevance, prioritize assets, and coordinate accelerated scans/mitigations. Communicate actionable alerts to internal and external teams regarding threats to network, application, and OS platforms. Serve as an escalation point for scanning and testing issues; provide clear remediation guidance and compensating controls. Support risk assessments, control selection, and corrective action plans; assist with audit requests and evidence collection. Define, implement, and continuously improve KPIs/OKRs and operational metrics related to vulnerability management and reporting. Develop and maintain security writeups, standard operating procedures, runbooks, and client-facing documentation. Maintain strict confidentiality and handle sensitive client data responsibly.