GRC Lead Analyst II

The Opportunity

Root is changing the way an industry works by leveraging technology and data to build the best products possible, and the information security team at Root is a key contributor to that effort. Teams are given ownership over projects and results, as we’ve found that the people closest to the problems are the best at solving them. Root is also a “work where it works best” company, and we will support you working in whatever location works best for you across the US.
 

Root’s Information Security team is dedicated to managing information security risk within the organization, while enabling development and product teams to do their cutting-edge work, and we’re looking for a GRC Lead Analyst II to join us. In this role, you’ll be a key contributor to the execution and continued development of Root’s risk management processes, compliance program, and governance activities to appropriately manage risk and address regulatory requirements.
 

Root is a “work where it works best” company. This means we will support you working in whatever location that works best for you across the US.

Salary Range: $128,235 - $160,294 (Bonus and LTI Eligible)

How you will make an impact

• Significantly contribute to the ongoing development and maturation of Root’s information security risk management processes to appropriately manage risk in alignment with the organization's risk appetite and continuously monitor the risk landscape/control environment

• Conduct regular risk assessments across the organization, working with a variety of teams/functions to identify, evaluate, and mitigate risks

• Drive and support compliance with Root’s information security regulatory requirements, performing readiness assessments, ensuring policies and controls adequately address relevant requirements, reporting on Root’s compliance status, and driving remediation efforts as necessary

• Lead the ongoing development and management of Root’s information security control framework

• Perform analysis of the information security control environment to monitor effectiveness, identify gaps, and inform compliance reporting

• Facilitate issue management/risk mitigation activities, collaborating with teams across the organization to identify appropriate risk remediation strategies and track remediation to completion

• Develop and manage information security policies and standards

• Perform control design and effectiveness testing of information security controls

• Define, monitor, and report on key metrics related to the control environment

• Participate in regulatory exams and other third-party audits

• Coach others on applying risk management practices and a risk-based approach to security; Contribute to the creation of a risk-aware culture
   

What you will need to succeed

• 5+ years of experience in executing information security risk management activities, including risk assessment, response, and monitoring processes

• Expert-level understanding of information security control frameworks, standards, and regulations (such as NIST CSF, PCI DSS, and insurance data security laws or similar)

• In-depth experience designing and evaluating controls to reduce information security risk

• Excellent problem solving skills and attention to detail

• Experience developing reports and metrics including data analysis and data visualization

• Strong leadership skills; naturally collaborative, excels at influencing without direct authority

• Proven ability to balance security with the ongoing needs of the business while maintaining compliance and meeting risk management requirements

• Active security certification (CISM, CISSP, CIA, CISA, etc.) preferred

• Familiarity with applying security controls in public cloud environments (e.g. AWS)