GRC Analyst

The Opportunity 

We are hiring a Security GRC & Risk Analyst to own the governance, risk, and compliance execution layer across a holding company and portfolio of businesses. This is a build-oriented role with a defined scope: you will be the internal anchor for our SOC 2 Type II audit, NIST CSF remediation roadmap, security policy library, vendor risk program, and client-facing security questionnaires.

You will work directly with the Cybersecurity Manager and a vCISO partner, collaborate with the Data Privacy legal team as a peer on overlapping policy areas, and engage regularly with portfolio company stakeholders. A dedicated internal Data Privacy legal team owns regulatory compliance - GDPR, CCPA, breach notification, and data subject rights. This role owns the technical controls layer: the evidence, the frameworks, the audit coordination, and the vendor risk program.

Join us in this full-time role, based in our Dallas Office at the Link: 2601 Olive Street, Dallas, TX. Be part of a vibrant community where amazing people, data & insights, and perpetual innovation converge to shape the future of digital commerce!

About This Role at Momentum

What You'll Do

SOC 2 & NIST CSF Program

• Own the internal SOC 2 Type II evidence collection process, keeping controls audit-ready year-round. Manage the audit timeline, day-to-day liaison with the external auditor, and remediation finding closure between cycles.

• Own the NIST CSF remediation roadmap: maintain the gap register, report progress to the VP and vCISO on a defined cadence, and coordinate with portfolio company IT teams to assess and close control gaps.

• Build and maintain a unified controls library mapping SOC 2 Trust Services Criteria, NIST CSF subcategories, and applicable regulatory requirements.

• Prepare the organization for bi-annual NIST CSF assessments, ensuring controls are documented and defensible.

Security Policy & AI Governance

• Operationalize the enterprise-wide information security policy library across the corporate entity and portfolio companies. Inventory gaps against SOC 2, NIST CSF, and applicable regulations; draft, publish, and version-control policies in coordination with the vCISO.

• Build and maintain annual policy attestation workflows across all employees. Bridge with the Data Privacy legal team on overlapping areas: data classification, retention, and incident notification.

• Develop and maintain the AI governance framework: tool intake review, data handling risk assessment, and acceptable use policy. Evaluate AI tools proposed across the corporate entity and portfolio companies against security and compliance standards.

• Own AI-related policy documentation and track emerging regulatory requirements including the EU AI Act and NIST AI RMF.

Risk Management & Vendor Risk

• Build and maintain a risk register with risk-to-control mapping. Define and document formal risk tolerance and appetite in coordination with the vCISO and leadership.

• Own the third-party risk management program. Define and implement a tiered due diligence model (critical, high, medium, low) and conduct recurring reviews of critical service providers.

• Manage vendor risk assessments for tools under evaluation — SASE, CASB, DLP, AI governance tooling, and security platform consolidation. Coordinate with the Data Privacy legal team on vendors with material data processing obligations.

• Lead operationalization of the GRC platform (OneTrust) for centralized vendor inventory, risk scoring, and lifecycle management.

Client Questionnaires & Audit Support

• Manage and respond to inbound security questionnaires from portfolio company clients (SIG, CAIQ, and custom formats). Build and maintain a response library to improve turnaround time and accuracy.

• Coordinate with the Cybersecurity Operations Engineer to validate technical control responses and keep answers current as the security stack evolves.

• Own ITGC audit controls across identity, endpoint, cloud, and SaaS platforms. Support internal audit responses and evidence requests beyond the annual SOC 2 cycle.

BCP/DR & Security Awareness

• Own BCP/DR formalization: develop a business continuity charter, coordinate Business Impact Analysis across the corporate entity and portfolio companies, define RTO/RPO for critical operations, and ensure crisis management is embedded in the IR framework.

• Manage the KnowBe4 security awareness training program: campaign management, phishing simulations, completion tracking, and leadership reporting.

• Manage the security testing program as the organization transitions from annual to continuous autonomous pentesting. Own vendor relationships, track findings to remediation, and produce executive-ready reporting.

Qualifications

Required

• 5-7 years in GRC, security compliance, risk management, or a closely related security function.

• Hands-on experience owning or supporting a SOC 2 Type II audit: evidence collection, control mapping, and auditor coordination.

• Solid working knowledge of NIST CSF: gap assessments, control mapping, and remediation tracking.

• Demonstrated experience building or formalizing a security policy library, not just updating existing documents.

• Experience managing third-party and vendor risk assessments using a tiered risk model.

• Experience responding to client security questionnaires: SIG, CAIQ, or similar formats.

• Clear understanding of the boundary between GRC and legal/privacy functions. Proven ability to work alongside a legal team without blurring lanes.

• Strong written communication: you can translate technical controls into clear, accurate language for clients, auditors, and executives.

• Disciplined project management: you own timelines, follow up without being asked, and don't let things fall through.

• Active daily use of AI and automation. We operate at 100% internal AI adoption. Non-negotiable.

Preferred Technical Experience

• GRC platforms: OneTrust, Drata, Vanta, Whistic, or similar.
• Security awareness platforms: KnowBe4 or equivalent.
• ITGC working knowledge across identity (Okta), SaaS (Google Workspace), cloud (AWS, GCP, Azure), and endpoint (CrowdStrike).
• BCP/DR frameworks: BIA methodology, RTO/RPO definition, and tabletop exercise facilitation.
• AI governance frameworks: NIST AI RMF or EU AI Act.
• Familiarity with CASB, DLP, or cloud security posture tooling from a compliance and documentation standpoint.
• Private equity, holding company, or multi-entity compliance environment experience strongly preferred.

Commitment to Diversity and Inclusion at Momentum

At Momentum, our commitment to change for the better is reflected in our dedication to fostering a culture of belonging, inclusion, and diversity. We recognize diversity and inclusion as key components of our company's success and growth. Recognizing the ongoing journey ahead, we are determined to make lasting impacts through the collective efforts of our Leadership team, People & Culture team, and every employee.

Momentum is an equal opportunity employer, considering all qualified applicants regardless of characteristics protected by law. These include, but are not limited to, race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, genetic information, color, ancestry, and Veteran status. We actively seek qualified applicants from diverse backgrounds, with no consideration of criminal histories, in alignment with applicable legal requirements.

Should a reasonable accommodation be necessary for the application process and beyond, we are eager to review and provide reasonable accommodations as needed, in compliance with applicable laws.

Total Rewards

At Momentum, we prioritize the well-being of the whole individual. We are committed to supporting our people in every moment that matters on their journey with us! We are pleased to offer a comprehensive total rewards package designed to provide protection, peace of mind, and a focus on overall well-being while helping our people plan for the future.

The base salary range for this position may vary based on location. Actual compensation will be determined by role, level, and location, considering additional factors such as job-related skills, experience, and relevant education or training. For roles eligible for remote work, the base salary is tailored to the designated work location. In addition to the base salary, candidates may be eligible to receive a discretionary annual bonus, determined based on both the company's business performance and individual contributions. The People & Culture team will provide specific details during the hiring process.

We take pride in offering a comprehensive benefits package for our full-time employees, encompassing healthcare benefits, a 401(k) plan with an employer match, short-term and long-term disability coverage, life insurance, paid time off, parental leave, and various paid holidays, among other perks.

Our workplace offers opportunities for involvement in a wide range of challenging and impactful projects, across diverse industries and business models, fostering career advancement and development within our growing  organization. The culture is highly collaborative and supportive, contributing to a fulfilling professional journey.

Note on Confidentiality

Any personal data collected during the application process will be treated with the utmost confidentiality and privacy.