Sr. GRC Analyst

Sr. GRC Analyst About Subsplash Subsplash is an exciting award-winning team of 280+ mission-driven people who are committed to our core values of humility, innovation, and excellence. Founded in 2005, we’ve remained family owned and operated while pioneering the market with the first ever church mobile app. Since then, we’ve been working together to build The Ultimate Engagement Platform™ for churches, Christian ministries, non-profits, and businesses around the world. We find excitement in serving our 14,000+ clients, creating impactful products, and delighting the millions of people who use our platform every day. Subsplash has won awards for best mobile experience, been voted top 100 Washington's Best Workplaces by the Puget Sound Business Journal, created some of the most downloaded apps of all time, and built enterprise software for world-class brands like XBOX, Microsoft, Samsung, Expedia, and Cisco; yet, at the end of the day, we love making a lasting impact and a difference in our world. Working at Subsplash is more than just a job; we are a team of people who are courageous, inventive, and passionate about doing meaningful work every day. Don’t take our word for it—head to Glassdoor and see for yourself! About the Team The IT Team at Subsplash is the foundation that maintains all the activities and services that are required to support business functions as well as ensuring proper security across all IT systems. We are passionately focused on delivering delightful support to our internal customers. We achieve this by providing robust day-to-day technical support that empowers our fellow Subsplash employees to perform their best work most often. Beyond daily technical support, our team handles crucial functions such as access management, user provisioning and deprovisioning, new hardware and software setup, and diligently works to keep our dues and subscription spend under budget. About the Role The Senior GRC Analyst acts as a strategic lead to advance security and risk operations. In this role, you will integrate people, policy, and technology to drive operational excellence and framework maturity. You will be responsible for identifying security gaps, implementing best practices, and maturing our control environment to ensure we stay ahead of evolving regulatory and threat landscapes. We are building an AI-first compliance function, and this role is expected to lead from the front in identifying and deploying AI tools that scale our GRC program. Compensation The total compensation for this position is between $95,000-$105,000/yr depending on experience level. Essential Functions of This Role: Compliance Program Management & Audit Leadership     Audit Execution: Act as the primary point of contact for external auditors; lead the end-to-end execution of PCI DSS audits and support internal audit on IT SOX controls.     Data Mapping Maintenance: Develop and maintain a comprehensive data inventory and data flow diagrams. Track how sensitive data (PII, PCI) moves through our systems to ensure compliance with privacy regulations and security boundaries.     Framework Maturation: Map and implement controls across multiple frameworks (PCI DSS, NIST CSF) to eliminate redundancies and improve the organization’s security posture.     GRC Reporting: Track and report on GRC program health across compliance posture, risk register status, audit readiness, and control effectiveness. Present metrics and trends to leadership on a regular cadence. 2. Access Governance & Identity Management     User Access Reviews (UAR): Orchestrate and lead the quarterly and semi-annual user access review process across all critical systems (SaaS, Cloud Infrastructure, and Internal Tools).   Joiner/Mover/Leaver Oversight: Monitor and validate that provisioning and deprovisioning processes are executed accurately and on time across critical systems. Flag exceptions, track remediation, and maintain documentation to support access control audits. 3. Security Awareness & Phishing Program     Program Ownership: Execute and maintain a comprehensive, year-round Security Awareness Training (SAT) program that meets PCI DSS requirements while driving actual behavioral change.     Phishing Simulations: Execute monthly or quarterly phishing simulations; analyze "fail rates" and provide targeted follow-up training to high-risk groups.     Content Curation: Select and deploy engaging security content, newsletters, and "security moments" to keep cybersecurity top-of-mind for all employees.     Reporting: Present program health metrics (completion rates, simulation trends, and reporting speed) to the Leadership team. 4. Risk and Vendor Management     Vendor & Risk Execution: Execute the TPRM program—conducting vendor security reviews, tracking remediation to completion, and escalating high-risk findings to leadership.     Risk Register Ownership: Maintain and update the corporate risk register, ensuring remediation efforts are tracked, validated, and communicated to leadership. Desired Qualifications: Experience: 3–5 years of dedicated experience in GRC, Information Security, or Audit (FinTech or Financial Services industry experience is highly preferred).  Technical Mastery: Deep practical knowledge of PCI DSS requirements and controls. Data Governance: Experience performing Data Mapping exercises and maintaining Records of Processing Activities (RoPA). SAT Strategy: Proven experience managing phishing platforms (e.g., KnowBe4, Mimecast, or Vanta-integrated tools) and developing security training curricula. IAM Expertise:  Proven experience managing formal access review cycles and identity governance processes. Systems: Proven experience administering a GRC platform, including automated evidence collection, control monitoring, and access review workflows. Direct experience with Vanta is a significant advantage. SOX IT Controls: Experience with SOX IT Ge