Overview

The Security Governance Analyst reports to the CISO and supports outsourced security programs and assessments by identifying potential threats, evaluating controls, and contributing to plans that prevent or mitigate risks. The role works across multiple standards and frameworks including NIST CSF, ISO 27001, HITRUST, and CIS Controls to help strengthen client security posture. The Analyst also provides essential governance support to the vCISO team by delivering risk register updates, control gap analysis, policy benchmarking, and maturity scoring inputs. This ensures vCISOs have accurate, organized, and current information to inform strategic recommendations, security roadmaps, and executive-level presentations.

Job Description

• Analyze SOC reports, vulnerability assessments, policy gaps, and third-party risk data.

• Maintain and update the Risk Register according to SLA expectations.

• Document likelihood, impact, remediation recommendations, and supporting evidence.

• Review and benchmark client policies against CyberSecOp templates and standards.

• Map client environments to frameworks including NIST CSF, CIS Controls, ISO 27001, and HITRUST.

• Support maturity scoring and document areas for improvement.

• Coordinate governance tasks with Program Managers to align with client schedules.

• Work with Vulnerability Management to interpret scan findings and identify priorities.

• Partner with SOC analysts to understand recurring threats or systemic risks.

• Maintain accurate and current client asset inventories.

• Prepare governance, risk, and compliance reports for CISO and vCISO review.

• Draft Quarterly Business Review and year-end presentation content.

• Analyze phishing campaign data to identify user behavior trends.

• Assist in evaluating cyber insurance readiness and required controls.

• Support evidence collection for assessments and audits.

• Assist in corrective action planning and document remediation progress.

• Maintain accurate and organized governance documentation.

• Additional responsibilities may be assigned as needed.

Risk Register SLAs:

• Enter newly identified risks within 5 business days.

• Update open risks monthly or per reporting cadence.

• Archive closed risks within 5 business days.

Requirements

• Experience in cybersecurity governance, GRC, compliance, or risk analysis.

• Knowledge of NIST CSF, ISO 27001, CIS Controls, and HITRUST.

• Ability to interpret vulnerability and SOC reports.

• Strong technical writing and documentation skills.

• Experience with GRC platforms such as Apptega, RiskOptics, A-Scend, or Risk Cognizance.

• Strong organizational and analytical skills.

Preferred Certifications: CRISC, CISM, CISA, CISSP, ISO 27001 Implementer or Auditor.