Sign upLog in

Senior GRC Analyst

Black Kite

Boston, MA

Apply
JOB DETAILS
SKILLS
Access Control, Analysis Skills, Auditing, CISA - Certified Information Systems Auditor, Cloud Computing, CompTIA - Computing Technology Industry Association, CompTIA Security+, Document Management, Documentation, Ecosystems, Email Security, Endpoint Security, Enterprise Protection, Environmental Compliance, Financial Compliance, ISO (International Organization for Standardization), Industry/Trade Analysis, Information/Data Security (InfoSec), Internal Audit, Maintain Compliance, Network Security, Process Management, Production Control, Risk, Risk Analysis, Risk Management, Security Analysis, Team Player, U.S. National Institute of Standards and Technology (NIST), Vulnerability Scanners, Writing Skills
LOCATION
Boston, MA
POSTED
Today

ABOUT BLACK KITE

Black Kite is the global leader in third-party cyber risk intelligence, trusted by more than 3,000 organizations worldwide. We give security and business leaders a continuous, outside-in view of their entire vendor ecosystem — translating complex cyber, financial, and compliance signals into clear, actionable risk intelligence.

We go beyond open standards-based cyber ratings. Black Kite helps organizations make smarter risk decisions, strengthen business resilience, and scale their third-party cyber risk management programs in an increasingly complex digital environment. Our work has earned consistent recognition from customers and industry analysts alike.

WHY BLACK KITE

We’re a fast-moving, high-impact team solving one of the most critical challenges in cybersecurity today. If you’re looking to do meaningful work alongside sharp, collaborative people — and grow your career in a space that matters — you’re in the right place.

THE OPPORTUNITY

The Senior GRC Analyst reports to the Director of Information Security and owns three primary functions: the compliance platform (Vanta), inbound customer security assessments, and FedRAMP ConMon execution support. This is an independent practitioner role — direction comes from the Director, but you own your work without step-by-step guidance.

The "Senior" in this title is earned by the scope, not just the experience level. Owning the compliance platform means auditors see your work directly. Owning customer assessments means your responses are read by enterprise security teams before they sign. Supporting FedRAMP ConMon means authorization status depends in part on what you produce monthly. The stakes are real.

WHAT YOU’LL OWN

Compliance platform (Vanta) — primary owner

  • Own the compliance platform end-to-end: evidence library currency, control mapping accuracy, framework completeness across SOC 2, ISO 27001, FedRAMP, and GDPR

  • Evidence is current year-round — not assembled at audit time; no stale or missing evidence in any active certification domain

Customer security assessments — primary owner

  • Own the inbound customer assessment intake and response process — all RFPs and security questionnaires are assigned, tracked, and responded to within defined SLA

  • Collaborate with sales, legal, and technical teams on complex questionnaire responses; escalate novel or sensitive items to the Director

  • Maintain and improve the questionnaire response library across all active frameworks

FedRAMP ConMon — execution support

  • Support monthly ConMon reporting — vulnerability scan results, POA&M updates, and evidence — as primary executor

  • Maintain POA&M tracking accuracy; flag aging items to the Director before they breach defined thresholds

TPCRM and compliance support

  • Support third-party risk identification, assessment, and monitoring activities as directed

  • Monitor compliance framework and regulatory changes; assess impact and surface findings to the Director with a recommended response

  • Support internal audit processes — evidence coordination, control testing documentation, and auditor request responses

WHAT YOU BRING

  • 2–4 years of hands-on experience in GRC, compliance, or information security

  • Practical working knowledge of SOC 2, NIST, or ISO 27001 applied in a real compliance environment

  • Experience producing compliance evidence, contributing to audit cycles, or managing specific framework control domains independently

  • Familiarity with cloud services principles and their security and compliance implications

  • General knowledge of core security domains: network security, email security, endpoint protection, vulnerability scanning, access controls, log management

  • Strong written communication — audit-ready documentation produced independently

PREFERRED

  • Hands-on experience administering Vanta or an equivalent compliance platform as a primary owner — not just a user

  • Direct experience with FedRAMP ConMon — monthly reporting, POA&M tracking, evidence production

  • Experience owning or significantly contributing to a customer security questionnaire response program

  • Familiarity with TPCRM programs and vendor questionnaire workflows

  • Active or in-progress certification: CompTIA Security+, CISA, CRISC, ISO 27001 Lead Auditor/Implementer, or equivalent

The expected base salary range for this role is $100,000-$115,00 per year. Compensation at Black Kite is more than just base pay — we offer a total rewards program that includes performance-based bonuses, equity, flexible healthcare options, paid time off, and retirement savings programs. The annual base salary range for this position represents a nationwide market range and reflects a broad spectrum of salaries for this role across the United States. Actual compensation will depend on factors such as qualifications, skills, experience, and the scope, complexity, and location of the role.

About the Company

B

Black Kite

Resume Resources

Free Resume TemplatesFree Resume Builder