Senior IT Security GRC Specialist

EcoVadis

Remote, Poland | Posted 19 days ago | Full-time

Job details

Company

EcoVadis

Location

Remote, Poland

Employment type

Full-time

Seniority

Mid level

Primary category

Other

Posted date

17 Apr 2026

Valid through

Job description

At EcoVadis, security is a product feature and a primary driver of customer trust and satisfaction. We are seeking a results-oriented IT Security GRC Senior Associate to safeguard our assets and global reputation, and act as a strategic partner to our sales and product teams.

You will lead risk mitigation strategies and ensure compliance with global standards, fostering a culture of security across our organization and partner ecosystem, while promoting business acceleration. This is a high-impact opportunity for an expert to design and continuously develop a world-class GRC program that aligns with our strategic goals, removes friction from sales cycles, and exceeds the evolving customer expectations and regulatory needs.


Key Responsibilities:

  • Develop and implement GRC Strategy:

    • Create, author, develop and implement a comprehensive GRC strategy, including policies, procedures, and security requirements that align with industry best practices and regulatory requirements.

    • Deploy, maintain and continuously develop a proprietary control framework that is consistent with the organization’s compliance requirements and needs.

    • Support risk and control assessments, and identify, evaluate, and prioritize potential threats and vulnerabilities.

    • Author and conceptualize original risk mitigation plans and corrective actions to address risks effectively.

    • Collaborate with Product teams to ensure "Compliance-by-Design," providing requirements and highlighting security risks during the discovery phase of new features and improvements.

  • Ensure Regulatory and Industry Standards Compliance:

    • Stay abreast of relevant laws, regulations, security frameworks and industry standards (e.g. GDPR, ISO 27001, NIS2, SOC 2, ...), and work towards ensuring the organization’s compliance with them.

    • Promote awareness of applicable laws and regulations among employees and upper management.

    • Conduct regular audits and assessments to monitor compliance and identify areas of improvement.

    • Be an active participant in third-party audits, including leading them to support IT Security needs.

  • Support Business Processes:

    • Perform deep-dive analysis and author technical responses for security questionnaires, translating complex internal security controls into customized client-facing documentation.

    • Review and provide expert analysis of security clauses in contracts, drafting customized security requirements for clients and suppliers.

    • Participate in client meetings to address cybersecurity concerns and requirements.

    • Conduct and document security reviews of SaaS applications, producing original risk assessment reports and designing mitigation recommendations.

    • Build and maintain a Security Trust Center or similar customer-facing resources.

  • Provide Strategic Guidance:

    • Become one of the main points of contact for senior management on GRC matters, and create strategic advisory materials/models detailing the impact of GRC initiatives on business decisions.

    • Develop and maintain strong relationships with key stakeholders across the organization.

  • Ensure Functional Supervision:

    • Provide expert guidance and alignment for the GRC team; act as the technical mentor and "quality gatekeeper" for key deliverables, including the security awareness program and third-party risk assessments.

  • Deliver IT Security Reporting:

    • Develop, support and maintain key performance indicators (KPIs) for the Security function.

    • Gather, analyze and report on security metrics and compliance status.

    • Prepare and design customized presentations and reports to senior management on the status of the IT Security program, including key risks, threats, and vulnerabilities.

  • Implement AI-Powered GRC Operations:

    • Lead the practical adoption of Generative AI tools (LLMs, AI Agents) to automate evidence collection, draft security policies, and summarize regulatory changes, significantly increasing team efficiency.

Note: This job description is intended to provide a general overview of the position. It is not intended to be an exhaustive list of duties and responsibilities.
