High-Level Overview

Benevity is seeking a Governance, Risk & Compliance (GRC) Analyst to support and grow our security governance, risk, privacy, and regulatory program. In this role, you will contribute to the execution of Benevity’s GRC program by supporting compliance activities, assisting with risk assessments, contributing to third-party risk management, responding to client due diligence requests, and helping maintain the policies and controls that strengthen trust with our clients, partners, and stakeholders.

Working alongside experienced GRC professionals, you will build your skills in information security, compliance, and risk management while helping ensure Benevity aligns with leading standards, privacy laws, and regulatory requirements. This is a hands-on role with significant learning and growth opportunities across governance, risk, audit, and privacy domains.

What you'll do:

Governance & Policy

• Assist in maintaining and rolling out security and privacy policies, standards, and control frameworks aligned to ISO 27001, SOC 2, NIST, PCI DSS, GDPR, PIPEDA, FINTRAC, and other global regulations.
• Support policy exception management, attestation processes, and identify opportunities for process improvement.

Risk Management

• Assist with enterprise risk assessments, including vendor and process-level reviews.
• Support maintenance of the risk register, track remediation activities, and assist with risk treatment planning.
• Contribute to Benevity’s Third-Party Risk Management (TPRM) program, including vendor onboarding assessments, ongoing monitoring, and remediation tracking.

Compliance & Audit

• Support audit readiness and response efforts for ISO 27001, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and other frameworks.
• Assist with evidence gathering, control validation, and auditor engagement.
• Leverage GRC platforms to support audit, privacy, and compliance workflows.

Client Support & Sales Enablement

• Support the sales process by responding to client inquiries related to security, privacy, and compliance.
• Complete customer security questionnaires, RFPs, and third-party risk management (TPRM) requests.
• Partner with sales and client success teams to provide timely, accurate responses that build client trust.

Privacy and Regulatory

• Support privacy-related initiatives across jurisdictions (GDPR, PIPEDA, CCPA/CPRA, and others).
• Collaborate with legal and data governance teams to help ensure compliance with data protection and financial crime regulations.
• Assist with FINTRAC-related compliance requirements, including reporting and risk assessments related to AML/ATF obligations.
• Monitor regulatory changes (privacy, AML, financial crime) and help align internal processes accordingly.

Advisory & Awareness

• Partner with business and technical teams to support the embedding of risk and compliance into projects and initiatives.
• Assist in delivering reporting and insights (dashboards, risk metrics, summaries) for leadership.
• Contribute to Benevity’s Security Awareness & Training program, including awareness campaigns, training modules, and phishing simulations.
• Contribute to training, documentation, and awareness activities that strengthen Benevity’s security, privacy, and compliance culture.

What you'll bring:

• 2–4 years of experience in cybersecurity, governance, risk, compliance, or privacy, ideally in a SaaS or technology-driven environment. (For a Junior GRC Analyst, we welcome candidates with 0–2 years of experience, including relevant internship, co-op, or academic project experience.)
• Working knowledge of security, privacy, and regulatory frameworks including ISO 27001, NIST, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and/or CCPA/CPRA.
• Exposure to or experience with GRC tooling (e.g., OneTrust, Hyperproof, SecurityPal, AuditBoard, Drata) to support policy, risk, audit, privacy, and vendor risk workflows.
• Familiarity with risk assessment methodologies, vendor risk concepts, and compliance evidence gathering.
• Experience or willingness to support client due diligence processes (security questionnaires, RFPs, TPRM).
• Ability to communicate risk, security, privacy, and regulatory concepts clearly to both technical and non-technical stakeholders.
• Strong organizational skills, attention to detail, and a proactive approach to learning and problem-solving.
• An interest in leveraging automation and AI to streamline GRC processes and enhance efficiency is a plus.
• Certifications such as Security+, CISM, CISA, CRISC, or CIPM/CIPP are valued; candidates actively pursuing certification are encouraged to apply.

Are you looking to thrive in a stimulating work environment?  

Join Levio, a leader in digital transformation, and take your career to the next level. You will work alongside high-caliber professionals on ambitious, large-scale technology projects, directly embedded in our clients’ environments. At Levio, we value expertise, curiosity, and continuous improvement — and we give you the space to grow.  

About the Role

Are you looking to thrive in a stimulating work environment?  

Join Levio, a leader in digital transformation, and take your career to the next level. You will work alongside high-caliber professionals on ambitious, large-scale technology projects, directly embedded in our clients’ environments. At Levio, we value expertise, curiosity, and continuous improvement — and we give you the space to grow.  

About the Role

Why Join Levio?  

• Work on complex, high impact digital transformation projects  
• Collaborate with experienced, multidisciplinary teams  
• Continuously develop your technical and professional expertise  
• Enjoy flexibility, autonomy, and a strong people first culture  
• Be part of an organization that values diversity, inclusion, and innovation  

Role and Responsibilities 

Privacy & Data Protection Architecture 

• Define and maintain enterprise privacy-by-design and privacy-by-default architectures. 
• Architect data protection controls across applications, infrastructure, cloud, and data platforms. 
• Establish standards for data classification, handling, retention, archiving, and secure destruction. 
• Ensure consistent application of data protection controls across on-premise, cloud, and hybrid environments. 

Regulatory & Governance Leadership 

• Architect privacy governance frameworks aligned with GDPR, Quebec Law 25, PIPEDA, and ISO/IEC 27701. 
• Define control baselines, assurance mechanisms, and compliance monitoring models. 
• Support executive decision-making related to privacy risk, compliance posture, and regulatory exposure. 
• Collaborate with legal, internal audit, and GRC teams to ensure regulatory alignment. 

Data Security & Risk Management 

• Architect encryption, key management, and secrets management strategies. 
• Define data loss prevention (DLP) architectures and monitoring mechanisms. 
• Ensure strong access controls and segregation of duties for sensitive data. 
• Lead privacy risk assessments for complex systems, cloud platforms, AI solutions, and analytics environments. 

Data Lifecycle & Enterprise Integration 

• Architect solutions for data discovery, data mapping, and records of processing activities (RoPA). 
• Ensure privacy requirements are integrated into SDLC, DevSecOps, and data engineering pipelines. 
• Support privacy requirements for AI, machine learning, and advanced analytics use cases. 
• Ensure auditability, traceability, and accountability of data usage. 

Third-Party & Cloud Data Protection 

• Define architectures for secure data sharing with third parties and vendors. 
• Establish data protection requirements for outsourcing, SaaS, and cloud providers. 
• Architect controls for cross-border data transfers and data residency requirements. 

Incident & Breach Management (Privacy Context) 

• Support design of data breach detection, response, and notification processes. 
• Act as senior advisor during privacy incidents and regulatory reporting. 
• Ensure evidence collection and documentation meet regulatory expectations. 

Leadership & Advisory 

• Act as the senior subject matter expert for data protection and privacy architecture. 
• Mentor privacy analysts, GRC professionals, and security architects. 
• Communicate privacy risks, architectural decisions, and mitigation strategies to executives and boards. 
• Represent the organization with regulators, auditors, and external stakeholders when required. 

Qualifications and Experience 

• Deep expertise in data protection and privacy-by-design principles. 
• Strong understanding of privacy regulations and standards: GDPR, Quebec Law 25, PIPEDA, ISO/IEC 27701 
• Ability to design enterprise data protection architectures across: Applications, Databases, Cloud platforms, Data lakes and analytics environments 
• Expertise in data classification, data mapping, and records of processing activities (RoPA). 
• Strong knowledge of data security controls: Encryption (at rest, in transit, and in use), Key management systems (KMS, HSM), Tokenization, anonymization, and pseudonymization, Data Loss Prevention (DLP) 
• Experience architecting identity and access controls for sensitive data: Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Privileged Access Management (PAM) 
• Ability to design data retention, archiving, and secure data destruction strategies. 
• Familiarity with cloud-native data protection and governance tools: Azure Purview / Microsoft Purview, AWS Macie, Google Cloud DLP
• Experience integrating privacy and data protection into: DLC and DevSecOps pipelines, Data engineering and analytics workflows
• Ability to assess privacy risks in AI, machine learning, and large-scale data processing systems.
• Strong understanding of logging, monitoring, auditability, and evidence collection.
• Experience with privacy management and GRC platforms: OneTrust, TrustArc, ServiceNow GRC
• CIPP/E, CIPP/C, CIPM, ISO/IEC 27701 Lead Implementer / Lead Auditor, CDPSE, CISSP (an asset)

Compensation (Ontario)  

The salary range provided reflects a good faith estimate based on factors such as experience, technical expertise, location, and relevant certifications. Final compensation will be determined according to the specific circumstances of each candidate. 

Estimated salary range: $110,000 to $150,000 per year. 

This posting is a current hiring need.

Benefits and Work Environment  

Levio offers a comprehensive and flexible benefits package designed to support your professional growth and personal wellbeing, including:  

• 4 weeks of cumulative vacation starting from day one  

• Flexible working hours  

• Professional Development Allowance (PDA) for training, computer equipment, and physical activities  

• Training tailored to your areas of expertise  

• Registered Retirement Savings Plan (RRSP) with employer contribution up to 3% of gross salary  

• Modular group insurance plan 

• Public transportation or parking reimbursement when required  

• Referral bonuses  

• 11 statutory holidays  

• Personal days  

• An active social life (5to7 events, social club, healthy snacks, coffee, and more)  

Position Details  
 

• Employment type: Full time, permanent  
   

Notice on the Use of Artificial Intelligence in Recruitment 

We use AI enabled tools to help sort and review applications based on job related criteria. Final decisions regarding candidate progression are always made by a human recruiter. 

Employment Equity  

Levio subscribes to the principle of employment equity and applies an equal access employment program for women, Indigenous peoples, visible minorities, ethnic minorities, and persons with disabilities.  

We value diversity and inclusion and are committed to creating a healthy, accessible, and rewarding work environment that highlights the unique contributions of our employees. Accommodations are available upon request for candidates participating in all aspects of the selection process.  

High-Level Overview

Benevity is seeking a Senior Governance, Risk & Compliance (GRC) Analyst to elevate our security governance, risk, privacy, and regulatory posture. In this senior role, you will drive the execution, innovation, and continuous improvement of Benevity’s GRC program. You will lead compliance activities, conduct risk assessments, contribute to third-party risk management, respond to client due diligence requests, support FINTRAC/AML obligations, and influence policies and controls that strengthen trust with our clients, partners, and stakeholders.

As a trusted advisor across teams, you will help ensure Benevity aligns with leading standards, privacy laws, and regulatory requirements while fostering a culture of security, compliance, and accountability. You’ll also mentor junior members of the team, helping to grow Benevity’s next generation of security and compliance professionals, with a focus on developing proactive and innovative approaches to GRC challenges.

What you'll do:

Governance & Policy

• Contribute to the development, maintenance, and rollout of security and privacy policies, standards, and control frameworks aligned to ISO 27001, SOC 2, NIST, PCI DSS, GDPR, PIPEDA, FINTRAC, and other global regulations.
• Support policy approval, exception management, and attestation processes, actively seeking opportunities for process improvement and automation
  
  

Risk Management

• Lead and execute enterprise-wide risk assessments, including vendor and process-level reviews.
• Maintain and improve the risk register, track remediation activities, and support risk treatment planning.
• Contribute to Benevity’s Third-Party Risk Management (TPRM) program, including vendor onboarding assessments, ongoing monitoring, and remediation tracking.
  
  

Compliance & Audit

• Lead audit readiness and response efforts for ISO 27001, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and other frameworks.
• Coordinate evidence gathering, control validation, and auditor engagement.
• Leverage GRC platforms to streamline audit, privacy, and compliance workflows.

Client Support & Sales Enablement

• Support the sales process by responding to client inquiries related to security, privacy, and compliance.
• Complete customer security questionnaires, RFPs, and third-party risk management (TPRM) requests.
• Partner with sales and client success teams to provide timely, accurate responses that build client trust.
  
  

Privacy and Regulatory

• Support privacy-related initiatives across jurisdictions (GDPR, PIPEDA, CCPA/CPRA, and others).
• Collaborate with legal and data governance teams to ensure compliance with data protection and financial crime regulations.
• Assist with FINTRAC-related compliance requirements, including reporting and risk assessments related to AML/ATF obligations.
• Monitor regulatory changes (privacy, AML, financial crime) and help align internal processes accordingly.

Advisory, Awareness & Mentorship

• Partner with business and technical teams to embed risk and compliance into projects and initiatives.
• Deliver reporting and insights (dashboards, risk metrics, executive summaries) for leadership.
• Lead Benevity’s Security Awareness & Training program, including the design, delivery, and continuous improvement of awareness campaigns, training modules, and phishing simulations.
• Contribute to training, documentation, and awareness activities that strengthen Benevity’s security, privacy, and compliance culture.
• Mentor and coach junior team members, providing guidance, feedback, and knowledge sharing to support their growth and development.

What you'll bring:

• 5+ years of experience in cybersecurity, governance, risk, compliance, or privacy, ideally in a SaaS or high-growth environment.
• Strong knowledge of security, privacy, and regulatory frameworks including ISO 27001, NIST, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and CCPA/CPRA.
• Hands-on experience with GRC tooling (e.g., OneTrust, Hyperproof, SecurityPal, AuditBoard, Drata) to manage policies, risks, audits, privacy, and vendor risk workflows.
• Proven success in conducting risk assessments, managing vendor risk/TPRM, maintaining risk registers, and driving remediation.
• Experience supporting client due diligence processes (security questionnaires, RFPs, TPRM).
• Ability to clearly communicate risk, security, privacy, and regulatory concepts to both technical and non-technical stakeholders.
• Strong organizational and project management skills with experience leading cross-functional initiatives.
• A demonstrated interest and track record in leveraging automation and AI to streamline GRC processes and enhance efficiency.
• Certifications such as CISM, CRISC, CISSP, CISA, or CIPM/CIPP are highly valued.

High Level Role Overview

Benevity is looking for a Principal Information Security Analyst to join our Security Operations team. In this senior-level role, you will provide technical leadership and operational oversight across a team of analysts responsible for threat detection, alert triage, incident response, and vulnerability management.

This role is ideal for someone with deep hands-on experience in security operations who is also energized by the opportunity to work alongside AI. We are actively integrating AI tools into our SecOps practice to accelerate triage, investigation, detection engineering, and analyst productivity, and this role will play a meaningful part in shaping how we do that. You should be comfortable navigating AI tools, building your own skills with them, identifying practical use cases, and partnering with the team to put them into production.

You will serve as both a senior escalation point and a coach, helping elevate the team's ability to respond to threats in a cloud-native environment while modernizing how the work gets done.

What you'll do:

• Lead daily Security Operations workflows, including triage, escalation, and resolution of alerts from core security tooling such as EDR, WAF, CSPM, SIEM, and cloud-native platforms
• Lead and coordinate security incident response across the full lifecycle, from detection and containment through eradication, recovery, and lessons learned, serving as incident commander for significant events
• Drive and oversee the triage, investigation, and resolution of alerts generated across all security tooling, not just those escalated by the MDR provider
• Act as the technical lead and escalation point for Managed Detection and Response (MDR) activities, ensuring timely review and validation of escalated alerts
• Identify, evaluate, and operationalize AI-assisted approaches to SecOps work, including AI-augmented triage, investigation, summarization, detection engineering, and reporting
• Build your own fluency with AI tooling and help the broader team develop the same skills, sharing patterns that work and being honest about ones that don't
• Apply a healthy degree of skepticism to AI outputs, validating findings and helping the team understand where AI assists the work and where human judgment still owns the decision
• Develop and continuously refine incident response processes, detection logic, and triage playbooks to improve clarity and effectiveness
• Oversee the vulnerability management lifecycle, ensuring timely identification, prioritization, remediation tracking, and stakeholder coordination
• Collaborate with GRC, Product Security, DevOps, and Infrastructure teams to improve detection coverage, alert fidelity, and log quality
• Partner with our Senior Fraud Analyst on cross-functional investigations where fraud and cyber threats intersect, contributing SecOps expertise without owning the fraud function day-to-day
• Serve as a subject matter expert in cloud-native security operations with strong understanding of containerized and API-driven environments
• Support the development, tracking, and reporting of KPIs and metrics to measure and improve team performance
• Conduct post-incident reviews and root-cause analysis, driving preventive control enhancements
• Mentor junior and mid-level analysts, providing feedback, coaching, and opportunities for growth

What you'll bring:

• 7+ years of experience in information security or security operations, with at least 2 years in a team lead or senior analyst capacity
• Proven experience triaging and responding to alerts across a broad suite of tools including CSPM, WAF, EDR, SIEM, and cloud-native logging platforms
• Familiarity with MDR service models and hands-on experience validating escalated alerts
• Hands-on experience leading security incident response, including acting as incident commander, coordinating cross-functional responders, managing communications, and producing post-incident artifacts
• Practical experience using AI tools in a security or technical context, with a clear point of view on where they add value, where they fall short, and how to get them production-ready
• Curiosity and willingness to keep building AI skills as the tooling evolves, and an interest in helping teammates do the same
• Awareness of the security considerations that come with using AI tools in a SecOps environment (data handling, prompt hygiene, output validation)
• Demonstrated ability to work independently, while recognizing when to seek input or escalate appropriately
• Strong critical thinking and communication skills with the ability to analyze complex data, challenge assumptions, and drive resolution
• Experience developing or refining operational playbooks, triage guides, and incident workflows
• Deep understanding of cloud security best practices, threat detection, and modern attacker tactics, techniques, and procedures
• Familiarity with common security frameworks such as NIST CSF, CIS Controls, and ISO 27001
• A strong sense of ownership and accountability, with the ability to act as a self-starter who can lead initiatives from concept to completion
• Demonstrated ability to collaborate across technical and non-technical teams to drive effective outcomes
• Experience fostering a positive and inclusive team environment, with a focus on team building, talent development, and shared success
• A passion for teaching and mentoring others, helping team members grow their skills and confidence
• Preferred certifications include GCIH, GCFA, OSCP, or CISSP

About The Role

The Cybersecurity GRC Manager is accountable for maturing and scaling engineering-driven governance, risk, and compliance programs that support the security, privacy, and regulatory-compliant posture of the organization. The ideal candidate will bring a unique blend of deep technical security acumen and GRC expertise, enabling the creation of GRC workflows that are measurable, automated, and resilient. This is a strategic, cross-functional, and customer-facing role reporting to the Director of Governance, Risk, & Compliance. 

A successful candidate will have a comprehensive understanding of cybersecurity and privacy industry frameworks (e.g., NIST, ISO, SOC 2, CCPA, GDPR, HIPAA). They will be responsible for transforming governance, risk, and compliance practices into proactive, testable capabilities using automation, continuous auditing, and AI-driven solutions. 

Proficiency with AI tools (LLMs, prompt engineering, generative‑AI workflows) is a core requirement – you’ll use AI to streamline GRC workflow creation and implementation, evidence generation, and security risk mitigation. Experience with designing and implementing autonomous “agentic AI” solutions is preferred. 

Responsibilities 

• Drive a compliance operating model that includes automated control testing, self-service reporting, and AI-enhanced risk analysis. Implement continuous control monitoring and evidence collection pipelines integrated into cloud-native and on-prem environments. 
• Partner with engineering and product teams to define and codify security and compliance requirements as part of the SDLC. Introduce automated security/compliance tests into CI/CD pipelines to support shift-left practices. 
• Use generative AI for compliance gap detection, policy mapping, risk triaging, and customer assurance functions. 
• Oversee security and privacy assurance activities and assessments, internal/external audits, and attestation/certification initiatives (e.g., SOC 2, ISO 27001). Lead internal readiness for third-party audits and external assessments and maintain ongoing compliance posture. 
• Utilize automation and GRC platforms to optimize gathering and maintenance of audit readiness documentation and audit evidence. 
• Utilize AI-driven solutions to manage the organization’s responses to customers’ and partners’ cybersecurity requests (e.g. information security questionnaires). 
• Enhance and execute third-party security risk management practices, including inherent / residual security risk assessment, vendor / supplier security due diligence reviews, vendor / supplier inventory management, ongoing security monitoring, and risk reporting. 
• Build and maintain enterprise-level risk registers; facilitate and monitor security risk acceptance processes; design and maintain security risk measurement and monitoring including risk reporting. 
• Grow and expand cybersecurity guidance through development and maintenance of cybersecurity policies, standards, and procedures. 
• Manage security awareness programs through administration of regular security trainings, phishing simulations, and corporate communications. 

Skills And Qualifications   

Required Experience 

• Bachelor’s degree in computer science, Cybersecurity, or related engineering field; advanced degree preferred. 
• Minimum 5 years of progressive experience in cybersecurity, security engineering, and/or risk management. 
• Proven success managing compliance programs in cloud-native, SaaS/PaaS environments with high automation maturity. 
• Demonstrated ability to manage customer-facing compliance engagements and audit preparation. 

Technical and Domain Expertise 

• Deep knowledge of, and experience working with, industry frameworks (NIST SP800-53, ISO 27001, SOC 2, CCPA, GDPR, HIPAA).  
• Strong familiarity with AI/ML usage in security programs and risk analysis.  
• Experience implementing and administering GRC tools/platforms. 
• Proficiency in cloud security, AI security, secure development / DevSecOps practices, and infrastructure-as-code (IaC) security tooling. 
• Experience implementing automated compliance and control validation pipelines. 

Soft Skills 

• Excellent communication, stakeholder management, and executive reporting skills. 
• Ability to influence cross-functional teams and operate in fast-paced, high-growth environments. 
• Strong analytical, critical thinking, and decision-making capabilities.