Experienced or Senior GRC Analyst

Reposted 10 Days Ago
Fort Worth, TX, USA
In-Office
Senior level
Information Technology • Consulting • Cybersecurity
The Role
The GRC Analyst will lead audits, design compliance programs, develop risk registers, and mentor junior analysts while ensuring cybersecurity and compliance excellence.

About the Role 

Hotman Group is a boutique cybersecurity and GRC consulting firm doing meaningful work for clients who need GRC done right ranging from Fortune 1000 companies to high-growth startups. We are looking for an experienced GRC practitioner who is ready to work directly with clients, own deliverables end to end, and contribute to a team that holds itself to a high standard. This is not an entry point. We expect you to bring your expertise and use it. 

This is a full-time, remote, contract-to-hire position. Top performers move into permanent roles within 6 months. 

What You Will Do 

As an Experienced or Senior GRC Analyst at Hotman Group you will work directly with clients to help them build, mature, and sustain their cybersecurity and compliance programs. This is active delivery work. You will: 

  • Lead assessments and audits of security and IT control environments 
  • Design, implement, and mature cybersecurity and compliance programs 
  • Develop risk registers, conduct risk assessments, and track remediation efforts 
  • Create and refine policies, standards, and procedures aligned with top frameworks including SOC 2, ISO 27001, NIST CSF, HIPAA, HITRUST, CMMC, and others 
  • Prepare clients for internal audits and external assessments 
  • Translate technical, regulatory, and business requirements into clear, actionable deliverables for client stakeholders 
  • Communicate findings, manage client feedback, and drive outcomes even when stakeholders push back 
  • Mentor junior analysts and contribute to the growth of our GRC practice 
  • Participate in peer review of deliverables before they go to clients — your work will be reviewed and you will review others 

You will work across multiple industries on diverse engagements. No two projects are the same and no day looks exactly like the last. 

What You Bring 

  • Hands-on GRC experience with a track record of owning deliverables, producing frameworks-based documentation, and driving remediation -- not just supporting programs from the inside 
  • Deep working knowledge of compliance standards including SOC 2, ISO 27001, NIST CSF, HIPAA, and HITRUST 
  • Experience communicating findings and recommendations directly to clients or senior internal stakeholders -- you can hold a room, manage pushback, and present complex findings in plain language 
  • Excellent writing skills -- your deliverables are clear, polished, and do not require heavy editing before they go to a client 
  • Strong critical thinking and professional judgment -- you know when to escalate, when to hold your position, and when to ask for help 
  • A high level of accountability and ownership -- you manage your own workload, communicate proactively, and hold yourself to deadlines without being managed closely 
  • Comfort working independently in a fully remote environment with minimal hand-holding 
  • A default toward communication — you keep the team informed, you acknowledge quickly, and you do not go dark on a deliverable or a client 

Active certifications such as CISA, CISM, CISSP, or CRISC are strongly preferred. If you do not currently hold a relevant certification, we expect you to be actively pursuing one. 

This role requires direct accountability for work product and outcomes. If your experience has been primarily internal, supporting programs from the inside without stakeholder-facing delivery responsibility, this role will be a significant adjustment. 

Requirements 

  • Permanent authorization to work in the U.S. -- no sponsorship of any kind now or in the future 
  • Able to pass a background check 
  • Reliable high-speed internet and a secure, private remote workspace 

Our Hiring Process 

Our process is designed to be straightforward but rigorous. In addition to a written questionnaire and video responses, finalists will complete a practical skills assessment before advancing to a panel interview with our delivery team. The assessment reflects the type of work you will do on day one. If you are confident in your GRC expertise, this is your opportunity to show it. 

Why Hotman Group 

At Hotman Group we are not just another consulting firm. You will work alongside people who care about the craft and push each other to do better. No politics, no silos, no hierarchy between you and the people making decisions. 

You will touch more GRC frameworks, more industries, and more client situations in one year here than most practitioners see in five. You will grow because the work demands it. 

The clients you serve will actually notice your work. You are not a number on a headcount. Your name is on the deliverable. 

If you want to do real GRC work, get better at it every day, and work with a team that holds itself to a high standard — this is the place. 

No phone calls please. 

Skills Required

  • 5+ years of hands-on experience in GRC, cybersecurity, IT audit, risk management, or a related field
  • Deep expertise in cybersecurity fundamentals and IT control frameworks
  • Strong working knowledge of compliance standards (e.g., SOC 2, ISO 27001, NIST CSF, HIPAA, HITRUST)
  • A track record of delivering high-quality client service, managing projects, and driving results
  • Excellent writing skills
  • Outstanding critical thinking, problem-solving, and organizational skills
  • A high level of accountability, ownership, and professional maturity
  • Curiosity, creativity, and a proactive, solutions-first mindset

The Company
HQ: Fort Worth, Texas
14 Employees
Year Founded: 2016

What We Do

Since 2016, Hotman Group has worked with hundreds of business leaders to help them feel more confident in their cybersecurity programs. We take the build - implement - run approach to ensure each client is fully equipped to do the right thing when it comes to cybersecurity. First, we start with an assessment to determine where you are based on a benchmark within a security compliance framework like SOC 2, NIST CSF, and others. Then, we strategically prioritize your action items based on the risks to your business. Lastly, we help you set the bar based on the objective you'd like to reach. From a self-governed discipline to an all-inclusive cybersecurity program to the strictest audits, we help you handle it all. Most companies look at their cybersecurity piecemeal, inadvertently putting themselves at risk. With Hotman Group, we approach cybersecurity strategically, with a plan so you can be fully protected.

Specialities: vCISO / Fractional CISO, Cybersecurity, Risk Assessment, Gap Assessment, Maturity, Assessment, SOC 2, HITRUST, HIPAA, NIST CSF, NIST 800-53, ISO 27001, FFIEC, SOC 2 Readiness, Remediation, Auditor Support, Regulator Support, SOC 2 Audit, Data Protection (PHI, PII, PI), Risk Management (ERM), Privacy (GDPR, CCPA, SOC 2), GRC, Third Party Risk Management (TPRM), Supply Chain Risk, Vendor Risk, Business Continuity, Disaster Recovery, Business Impact Analysis (BIA), Metrics, Breach Support, Incident Response (IR), Tabletops
