Senior GRC Analyst

Morgan & Morgan | Risk & Resilience Program

Reports To: Director of Business Continuity 

Department: Information Security / Risk & Resilience

Type: Full-Time

The Opportunity

Morgan & Morgan is one of the largest plaintiff law firms in the country — 6,000+ employees, 100+ offices, and a caseload that doesn’t wait. The Risk & Resilience program is in full build mode: governance structure is set, the first BIA is complete, and the frameworks are mapped. What’s missing is execution capacity.

This is not a maintenance role. You’re joining at the ground floor of a GRC program that needs to be built from a standing start — TPRM methodology, policy lifecycle, risk register calibration, awareness program design. You’ll own workstreams end-to-end, not coordinate them. You report directly to the Director of Business Continuity, who owns the GRC function and sets program direction.

If you want to inherit a mature program and tune it, this isn’t for you. If you want to build one — with real ownership, real scope, and a clear path to being the person who shapes how risk is managed across a national law firm — read on.

What You’ll Own

Third-Party Risk Management

• Build and own the end-to-end TPRM process: risk tiering, assessment criteria, and escalation thresholds — from scratch
• Lead risk assessments for the firm’s highest-exposure vendor relationships: case management, e-discovery, payment processing, and others
• Bring risk acceptance and remediation recommendations to the Director; own the analysis behind the decision

Policy Lifecycle

• Run the full policy lifecycle: drafting, review cadence, approval workflows, and firm-wide attestation tracking
• Write policy content directly — you’re not inheriting a library, you’re building it, translating framework requirements into language that works for a law firm
• Identify and close policy gaps against ISO 27001, NIST CSF, and CIS v8.1 before they become audit findings

Risk Management

• Own the enterprise risk register: methodology, scoring calibration, and quarterly review cadence
• Lead control testing and gap assessment in Vanta; design remediation plans
• Spot emerging risk trends and bring recommendations

Security Awareness

• Assist with the design of the security awareness program strategy: content calendar, phishing simulation progression, targeted training for high-risk roles, and Program Champions
• Analyze effectiveness data and adjust the program based on results, not just completion rates

Audit & Compliance Readiness

• Serve as a point of contact for cyber insurance audits, major client security due diligence, and regulatory inquiries
• Own the audit calendar and evidence readiness posture — you’re not responding to requests as they land, you’re ahead of them

Reporting & Program Visibility

• Build and maintain the GRC reporting suite for CIO-level consumption: risk posture snapshots, control testing results, TPRM exposure summaries
• Identify maturity gaps against framework requirements and bring prioritized roadmap recommendations to the Director

Cross-Program Coordination

• Interface with the BC/DR and Crisis Management program on control alignment, vendor dependencies surfaced in BIAs, and recovery capability assumptions
• Coordinate with the Privacy function (in build) on data inventory, state privacy law obligations (FL, CA, NY, and others), and third-party data handling risks
• Once the GRC Analyst is hired, serve as a working mentor without formal management authority

What We’re Looking For

• 4–6+ years in GRC, IT audit, compliance, or information security 
• Deep hands-on experience in a GRC platform; Vanta strongly preferred 
• Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1; you’ve mapped controls across multiple frameworks at the same time
• ISC2 CC/CCSP or ISACA CRISC/CISA required, or other ISC2 or ISACA related certifications (CISSP, CISM)
• Direct experience leading external audits or client security due diligence as primary point of contact, including findings negotiation
• You’ve designed a security awareness program
• Comfortable operating independently
• Bachelor’s degree in Information Security, Risk Management, Computer Science, or related field; equivalent experience considered

#LI-MB1