Security GRC Analyst

Remote: Full Remote

Offer summary

Qualifications:

  • At least 3 years of experience in risk management and compliance functions.
  • Strong knowledge of information security standards like SOC 2, ISO 27001, and GDPR.
  • Experience with risk assessments and audit preparation.
  • Excellent communication skills for effective stakeholder engagement.

Key responsibilities:

  • Assist the CISO in developing and maintaining a comprehensive Security program.
  • Conduct regular risk assessments and develop risk treatment plans.
  • Manage internal and external audits, including preparation of responses.
  • Provide training and awareness to employees on cybersecurity policies.

Alpaca Financial Services Scaleup https://alpaca.markets/
201 - 500 Employees

Job description

Who We Are:

Alpaca is a US (California) headquartered brokerage infrastructure technology company and self-clearing broker-dealer, delivering execution and custody solutions for Stocks, ETFs, Options, Cryptocurrencies, and more, and has raised over $170 million in funding. Amongst our subsidiaries, Alpaca is a licensed financial services company in multiple countries, and we serve hundreds of financial institutions globally such as broker-dealers, investment advisors, hedge funds, and crypto exchanges.

Alpaca’s globally distributed team members bring in diverse experiences such as engineers, traders, and brokerage professionals to achieve our Mission of opening financial services to everyone on the planet. We are also deeply committed to open-source contributions and fostering a vibrant community. We will continue to enhance and improve our award-winning developer-friendly API and the infrastructure behind it.



Our Team Members:

We’re a team of 150+ globally distributed members who love working from our favorite places worldwide. Our team spans the USA, Canada, Japan, Hungary, Nigeria, Brazil, the United Kingdom, and more!

We’re looking for candidates eager to join Alpaca’s growing organization, who are excited about our Mission of “Open financial services to everyone on the planet” and share our Values of “Stay Curious,” “Have Empathy,” and “Be Accountable.”

 

Your Role:

We are seeking an experienced Security Governance, Risk, and Compliance (GRC) Analyst who can help expand our Security efforts and play a critical role in safeguarding Alpaca’s systems, data, and client assets from evolving risks and threats to ensure the security and integrity of our Firm. This role involves assessing risks, monitoring compliance, and collaborating with internal and external stakeholders to ensure adherence with our security policies, regulations, and best practices.

The role requires a deep understanding of Cybersecurity principles, risk management, compliance and standard frameworks with a proven track record of managing security risks and cross-functional collaboration. The Security Team is 100% distributed and remote.

This role will be reporting directly to the CISO.

 

Things You Get To Do:

  • Assist the CISO with developing and maintaining a comprehensive Security program including policies and procedures to ensure compliance with relevant regulations and standards
  • Ensure compliance with SOC 2 Type 2, ISO 27001, CSA Star, GDPR, and external regulatory requirements
  • Conduct regular risk assessments, gap analysis, and develop risk treatment plans
  • Apply statistical models to risk frameworks, translating risk into quantifiable metrics (such as FAIR)
  • Collaborate with the CISO to provide strategic guidance on Security matters and respond to emerging risks
  • Manage and maintain an up-to-date security control framework
  • Facilitate periodic user access reviews 
  • Manage and coordinate internal and external audits, including preparation of audit responses and corrective action plans
  • Collaborate with other departments to mitigate security risks and collect evidence as necessary
  • Manage Alpaca’s supply chain security risks by performing regular assessments of our third parties
  • Provide training and awareness to employees on cybersecurity policies and compliance requirements
  • Assist the Security team with triaging of security events 

 

Who You Are (Must-Haves):

  • Excited about Alpaca’s mission and what we’re building
  • At least 3 years of experience in the development and execution of risk management and compliance functions
  • Strong knowledge of diverse information security and compliance standards, encompassing SOC 2, ISO 27001, CSA, NIST, GDPR, CCPA, FINRA, and SEC cybersecurity guidelines
  • Experience with managing risk assessments, gap analysis, and risk treatment planning
  • Strong familiarity with Cloud Service Providers 
  • Experience with audit preparation, response, and corrective action plan development
  • Excellent communication and interpersonal skills, allowing for effective stakeholder engagement, issue advocacy, and strategic alignment to ensure Security concerns are prioritized in a manner that minimizes business risk
  • Available for on-call rotations and after-hours responses as needed

 

Who You Might Be (Nice-to-Haves):

  • Bachelor’s degree in Information Technology or a related field
  • Security-related certifications such as CISSP, CRISC, or GIAC are a plus
  • Understanding of financial and privacy regulations
  • Experience in the financial services industry
  • Experience working at startups
  • Business acumen to be able to balance tradeoffs between stakeholders and technology feasibility and budget constraints

How We Take Care of You:

  • Competitive Salary & Stock Options
  • Benefits: Health benefits start on day 1. In the US this includes Medical, Dental, Vision. In Canada, this includes supplemental health care. In Japan, you are offered local benefits. Internationally, this includes a stipend value to offset medical costs.   
  • New Hire Home-Office Setup: One-time USD $500
  • Monthly Stipend: USD $150 per month via a Brex Card
  • Work with awesome, hard-working people, super-smart and cool clients, and innovative partners from around the world

Alpaca is proud to be an equal opportunity workplace dedicated to pursuing and hiring a diverse workforce.

Required profile

Experience

Industry: Financial Services
Spoken language(s): English

Other Skills

  • Business Acumen
  • Social Skills
  • Communication
