Security Consultant II – GRC Team

Location: Pittsburgh, PA

Job Type: Full Time / Permanent

The GRC Security Consultant II will report to the Chief Executive Officer and be a part of the Governance, Risk, and Compliance (GRC) Team consulting practice, working both independently and as part of a team.

Responsibilities:

  • Proactively assist in the management of several clients and keep management updated with progress and issues.
  • Establish effective working relationships directly with clients.
  • Demonstrate and apply a thorough understanding of complex information systems. Quickly gain a working knowledge of client’s IT/Security environments through conversations and observations.
  • Lead assessments of client environments against industry standard frameworks to identify client’s current state of program maturity and identify applicable risks.
  • Work with clients to identify and document their desired maturity state and risk-balanced state and develop a gap assessment and roadmap to guide the process of maturing towards their desired state.
  • Work with clients to document the client’s security program through the development of appropriate policies, standards, and processes.
  • Advise client’s teams at all levels from the C-Suite to individual contributors regarding information security governance through mediums such as presentations, reports, and visualizations.
  • Create, develop, and mature catalog of GRC services and contribute to the improvement of all services.
  • Contribute to the development of best practice frameworks suitable for use during assessments and improvement planning, and integration with assessment toolsets.
  • Contribute to the information security community, primarily focused on the areas where the company operates.
  • Support other engagements, such as those being led by the Blue Team and/or Red Team.
  • Continually research and learn new technologies and techniques through a mix of self-guided and formal training.
  • Cultivate new and existing client relationships to develop business opportunities.
  • Perform other duties as assigned.

Education & Experience:

  • 4 or more years of experience in Information Security with a focus on protecting companies through building a security program, security governance documentation, and engineering systems to be robust and resistant to attack.
  • Familiarity with common security frameworks and regulations such as SOX, HIPAA/HITECH, PCI-DSS, GDPR, NIST 800 series, FedRAMP, ITIL, ISO 27001/2, COBIT, and SOC 2.
  • Familiarity with risk assessment techniques and risk management program documentation.
  • Familiarity with approaches to assessing and managing third-party risk.
  • Clear understanding of emerging information security trends, including changes in security frameworks and regulatory requirements.
  • Flexibility to accommodate changing schedules of client and project needs and willingness to work extended hours when needed.
  • Ability to write clear and concise information security policies, standards, and processes.
Preferred Skills:

  • Ability to conduct an information security risk assessment.
  • Ability to conduct an information security maturity assessment.
  • Strong project management skills, problem solving/critical thinking skills, and verbal and written communication skills.
  • CISSP or equivalent training and certification.
  • Prior consulting experience, especially with a focus on partnering with companies to improve the robustness of their security program or establish a robust security program from scratch.
  • Ability to describe and communicate complex technical security concepts to technical and non-technical audiences.
  • Strong written and verbal communication skills, including the ability to present at information security events and conferences, and to curate content such as writing blog posts and written reports.