CareerRiver

Cybersecurity GRC Program Lead

Echo Global Logistics · Chicago, IL

About the role

Echo is seeking a Cybersecurity GRC Program Analyst to build the operating system for security governance, risk, controls, evidence, and exceptions across the enterprise. This is a hands-on role for someone who can select and drive adoption of a primary cybersecurity framework, build the control ownership model, build and improve evidence operations, accelerate questionnaire throughput, and create practical governance mechanisms that work with real engineering and business teams. The role also owns the automated CCM platform.

This role is not limited to policy writing or audit coordination. It is intended to make security governance real and measurable across the enterprise by building practical operating mechanisms around risk, controls, evidence, exceptions, and stakeholder accountability. In the staffing plan, this role is explicitly intended to select and operationalize the primary framework, likely starting with NIST CSF 2.0 while mapping outward to SOX ITGC, SOC 2 Type 2, ISO 27001, NIST AI RMF, ISO 42001, and other requirements for customers, audit, and international needs.

Justification

Echo is reassessing its policy foundation, including formal expectations for information security governance, access control, supplier security, and compliance review. What is needed now is a leader who can turn those policies into a durable governance operating system with clear ownership, evidence discipline, exception management, and measurable accountability.
Hiring Requirements

What you will do

- Lead selection, adoption, and operationalization of Echo's primary cybersecurity framework and related standards structure, with NIST CSF 2.0 as the likely management layer
- Build and maintain a control ownership model across Technology, Engineering, Platform, Network, EUC, Asset, Data, Integrations, and Security
- Translate existing policies into measurable operating practices, control expectations, evidence requirements, review cadences, and exception workflows
- Partner with security architecture, engineering, and operations teams to ensure that governance expectations are practical, technically grounded, and enforceable
- Drive enterprise risk and control assessments, including facilitating discussions on control design, effectiveness, and remediation priorities
- Build an evidence library structure while defining repeatable collection, review, reuse, and freshness cadences
- Improve security questionnaire workflows through standardized responses, evidence reuse, service-level expectations, and clearer ownership
- Coordinate third-party security intake and help define tiering, minimum security requirements, documentation expectations, and escalation paths
- Partner with Internal Audit and business stakeholders on readiness efforts, compliance reviews, and operational audit support
- Track policy exceptions, control gaps, remediation commitments, and overdue actions through closure, including clear owners and time bounds
- Perform User Access Reviews compliant with SOX ITGC and SOC 2/ISO 27001
- Provide security governance input on supplier security requirements, contractual obligations, and ongoing review expectations
- Produce reporting for leadership on framework maturity, control ownership, policy currency, evidence readiness, exception status, and risk trends
- Lead the evolution to and support of continuous compliance capabilities to improve control visibility, evidence freshness, and audit readiness
- Manage and evolve the organization's trust center, including published security documentation, customer-facing assurance materials, and the processes that keep content current and supportable

What success looks like

In the first 60 to 90 days, this role is expected to produce a framework decision package, define the control ownership model, stand up an evidence library structure, improve questionnaire operations, and establish practical workflows for exceptions and third-party intake. Over 12 months, success means framework adoption becomes measurable, control ownership is visible, evidence is reusable, customer and audit due diligence become less reactive, and policy exceptions and control gaps are actively managed.

What you bring

- 5+ years in cybersecurity GRC, security risk, audit readiness, compliance operations, or related functions, with clear experience building or maturing governance operating models
- 2+ years of GRC experience in a public company
- Experience with SOX ITGC controls
- Understanding of regulatory and SEC requirements for a public company
- Strong experience operationalizing NIST CSF and translating controls across frameworks such as ISO 27001, SOX, SOC 2, or similar frameworks
- Experience building or maturing security governance programs in complex enterprise environments with multiple technical stakeholders
- Experience with risk assessments, control design reviews, exception management, and remediation tracking
- Strong understanding of third-party risk, supplier security reviews, security questionnaires, and governance workflows that scale beyond one-off reviews
- Experience partnering with technical teams to influence architecture, engineering, and operations outcomes in a practical, technically credible way
- Ability to turn policy and framework language into concrete operating practices, ownership expectations, and measurable evidence
- Strong writing, stakeholder management, and executive communication skills

Preferred qualifications

- GRC experience with a public company for SEC and regulatory reporting requirements, i.e., 10-K, 8-K
- Experience supporting SOC 2, ISO 27001, CTPAT, SOX, or similar audit/readiness efforts
- Experience with evidence management, control testing, internal audit coordination, or related assurance processes
- Experience with automated continuous compliance platforms, including evi
