Associate Lead Consultant

We are looking forward to hireNIST Professionals in the following areas :

Position Name: Associate Consultant - GRC, NIST

Job Description:

• We are looking for a senior cybersecurity GRC (Governance, Risk, and Compliance) professional.
• Strong background in GRC frameworks such as NIST CSF, ISO 27001, and similar standards.
• Hands-on experience with risk management processes, security documentation writing, and security assessments.
• Candidates will work closely with different teams within the cybersecurity practice, COEs, business teams, and customer cybersecurity teams.
• Candidate will analyze the cybersecurity risks associated with the implementation of security solutions, secure processes, and computing environment changes.
• Candidates will collaborate with other cybersecurity teams to help clients prioritize and implement risk-mitigating controls and solutions.
• Candidate should also be able to lead the creation of security governance documentation and TTX simulation exercises to support enterprise Incident response.
• Exposure to GRC/Audit tools/platforms is an added advantage

Job Responsibilities:

1. Governance, Risk, and Compliance (GRC):

• Lead and execute security assessments against recognized frameworks like NIST CSF, ISO 27001, SOC 2, and others.
• Develop, implement, and manage GRC initiatives for customers.
• Perform gap assessments and provide recommendations for compliance and risk mitigation.
• Drive development and maintenance of risk management processes and tools.
• Conduct Business Impact Analysis (BIA) for critical business applications and support continuity planning efforts.

2. Security Documentation and Policy Development:

• Draft, review, and refine security policies, procedures, and technical documentation.
• Develop security documentation such as risk assessment reports, compliance roadmaps, certification support materials, and security architecture governance artifacts.
• Create documentation to support the establishment and operationalization of Security Architecture Review Boards (SARB), including charters, workflows, and review templates.
• Ensure all documentation aligns with industry best practices and regulatory requirements.

3. Security Assessments:

• Conduct in-depth security assessments, including readiness assessments for certifications (e.g., ISO 27001 certification audits, NIST CSF Maturity assessments).
• Evaluate the effectiveness of existing security controls and provide actionable recommendations for improvement.
• Facilitate security control mapping exercises between frameworks (e.g., ISO 27001, NIST CSF, PCI-DSS, HIPAA, NIS2, DORA etc.).

4. Incident Response and Tabletop Exercises:

• Design and document incident response tabletop scenarios and playbooks tailored to organizational risks.
• Lead the execution of tabletop exercises involving cross-functional teams to validate incident readiness.
• Analyze results of simulations to identify gaps and enhance incident response capabilities.

5. Collaboration and Stakeholder Management:

• Work closely with customer security teams to understand their environment, challenges, and objectives.
• Provide technical and strategic advisory to customers regarding cybersecurity best practices.
• Act as the primary point of contact for GRC-related initiatives, ensuring clear communication and alignment.

6. Communication and Reporting:

• Create detailed reports and presentations tailored for both technical teams and leadership audiences.
• Communicate technical concepts effectively to non-technical stakeholders.

7. Training and Awareness:

• Support security awareness, phishing and training initiatives for customers to enhance their understanding of GRC practices.
• Mentor team members and provide guidance on GRC activities.
• Exposure to phishing simulation and awareness tools/platforms added advantage.

8. Required Qualifications and Skills:

• Experience: 1015 years of experience in cybersecurity GRC roles, including hands-on exposure to frameworks like ISO 27001, NIST CSF, SOC 2, and others.
• Documentation Expertise: Proven ability to create clear, concise, and technically accurate security policies, procedures, risk reports, playbooks, and governance documents.
• Assessment & Simulation Skills: Experience conducting BIA, security assessments, and tabletop exercises, and developing supporting documentation such as IR scenarios and SARB governance materials.
• Communication: Excellent written and verbal communication skills; ability to engage with both technical and non-technical stakeholders.
• Framework Knowledge: In-depth understanding of governance, risk management, and compliance frameworks and their implementation.
• Certifications: Preferred certifications include ISO 27001 Lead Auditor/Implementer, CISSP, CISA, CISM, CRISC, or other relevant certifications. (Mandatory at least 1)

Soft Skills:

• Strong stakeholder management and collaboration abilities.
• Ability to work independently and lead GRC initiatives in complex environments.
• Analytical mindset and problem-solving skills.