Job Description
CapTech is an award-winning consulting firm that collaborates with clients to achieve what’s possible through the power of technology. At CapTech, we’re passionate about the work we do and the results we achieve for our clients. From the outset, our founders shared a collective passion to create a consultancy centered on strong relationships that would stand the test of time. Today we work alongside clients that include Fortune 100 companies, mid-sized enterprises, and government agencies, a list that spans across the country.
The Information Security GRC Team Lead leads CapTech’s Governance, Risk, and Compliance (GRC) function, helping set the strategy and owning the execution, and continuous improvement of the programs that keep CapTech and our clients secure and compliant. This is a hands-on leadership role: you will lead and mentor a GRC analyst while remaining personally engaged in the work, running assessments, engineering automation, and setting technical direction.
You will own CapTech’s compliance posture across SOC 2, NIST 800-53, and NIST AI RMF, along with applicable privacy regulations; mature our third-party risk management program; modernize the GRC function through automation and GRC engineering; and establish the governance practices that allow CapTech to adopt AI safely. This position reports to the Head of Information Security and operates with a high degree of autonomy to make decisions and set direction with minimal oversight.
Key Responsibilities:
Leadership & Team Management
- Lead, mentor, and develop a GRC analyst, setting priorities, coaching for growth, and serving as the escalation point for complex risk and compliance matters.
- Operate as a player-coach: remain hands-on in assessments, engineering, and analysis while coordinating the team’s day-to-day execution and quality.
- Help set the strategic direction and roadmap for the GRC program, driving initiatives to completion and making decisions independently with minimal oversight.
- Define goals, metrics, and quality standards for the team; provide input into performance reviews and team goals; and participate in hiring, onboarding, and career development.
- Report on risk and compliance posture to executive leadership, translating technical risk into business terms for non-technical stakeholders.
Governance, Risk & Compliance
- Own and mature CapTech’s compliance programs across SOC 2, NIST 800-53, and NIST AI RMF, ensuring controls are well-designed, operating effectively, and continuously monitored.
- Extend the compliance program to applicable privacy and regulatory obligations, including HIPAA and GDPR/CCPA, as driven by CapTech’s client base.
- Lead internal control assessments, gap analyses, and audit-readiness activities; manage external audits and coordinate evidence collection end to end.
- Develop, maintain, and enforce the information security policy suite, partnering with policy owners to keep documentation current and aligned to controls.
- Identify, assess, and prioritize information security risks; drive remediation to closure against SLAs, negotiating compensating controls with stakeholders where appropriate.
Third-Party Risk Management
- Own and enhance the Third-Party Risk Management (TPRM) framework, policy, process, and supporting technology in alignment with SOC 2 requirements.
- Oversee technical risk evaluations and due diligence of third-party vendors, tools, and services, and recommend actions to strengthen vendor security posture.
- Lead responses to inbound client and partner security questionnaires, and support business development and contract-negotiation teams to ensure security terms align with RFPs and agreed contracts.
GRC Engineering & Automation
- Own and administer CapTech’s GRC / compliance-automation platform, driving continuous control monitoring and automated evidence collection.
- Design and build workflow automations and integrations across security, IT, and compliance tooling to reduce manual effort, improve data quality, and accelerate audit readiness.
- Instrument GRC metrics, dashboards, and reporting so that control health and risk posture are continuously visible to stakeholders.
AI Governance & AI-Enabled GRC
- Establish and run CapTech’s AI governance program (covering AI-use policy, model/tool inventory, and risk assessment), aligned to recognized frameworks such as the NIST AI Risk Management Framework and ISO/IEC 42001.
- Assess and govern the risk of AI tools and AI-enabled vendors, integrating AI risk into the existing TPRM and control frameworks.
- Leverage AI responsibly to accelerate GRC work, using large language models to draft and maintain policies, cross-walk controls across frameworks, and analyze and respond to security questionnaires.
- Build AI-enabled automations and agents to streamline GRC tasks such as evidence review, risk triage, and reporting.
- Serve as a subject-matter advisor on AI risk and secure AI adoption for CapTech.
Security Awareness & Reporting
- Own the security awareness and training program, including selection, delivery, and new-hire training aligned to company policy.
- Produce technical and executive-level reporting on the effectiveness of the information security and compliance program.
Qualifications
Basic Qualifications
- 6+ years of experience in Information Security, Governance/Risk/Compliance, IT Audit, or a related field, including prior experience leading or mentoring team members or driving major security and compliance initiatives.
- Working understanding of SOC 2, NIST 800-53, and NIST AI RMF or similar frameworks required.
- One or more of the following certifications, or an agreed certification to be attained within an agreed timeframe: ISACA Certified in Risk and Information Systems Control (CRISC) or ISACA Certified Information Security Manager (CISM).
- Demonstrated ability to communicate technical risk in non-technical terms to executives and business stakeholders.
- Strong problem-solving, analytical, and critical-thinking skills, with the proven ability to set direction and make decisions independently.
Preferred Qualifications
- Additional certifications such as Certified Information Systems Auditor (CISA), Certified in Governance, Risk and Compliance (CGRC), or equivalent risk/audit/compliance credentials.
- Hands-on experience owning or administering a GRC / compliance-automation platforms
- Experience automating GRC workflows through scripting or integration tooling (e.g., Python, PowerShell, APIs, or iPaaS / no-code automation platforms).
- Experience establishing or operating an AI governance program, with familiarity in the NIST AI RMF and ISO/IEC 42001.
- Experience with privacy and regulatory frameworks such as HIPAA and GDPR/CCPA.
- Prior experience in a consulting environment or supporting Fortune 100 and other regulated clients.
- Prior experience with vendor management and third-party risk assessments.
- Strong knowledge of the Microsoft Office suite of tools.
Additional Information
We want everyone at CapTech to be able to envision a lasting and rewarding career here, which is why we offer a variety of career paths based on your skills and passions. You decide where and how you want to develop, and we help get you there with customizable career progression and a comprehensive benefits package to support you along the way. Alongside our suite of traditional benefits encompassing generous time off, health coverage, disability insurance, paid family leave and more, we’ve launched extended benefits to help meet our employees’ needs.
- Learning & Development – Programs offering certification and tuition support, digital on-demand learning courses, mentorship, and skill development paths
- Modern Health –A mental health and well-being platform that provides 1:1 care, group support sessions, and self-serve resources to support employees and their families through life’s ups and downs
- Carrot Fertility –Inclusive fertility and family-forming coverage for all paths to parenthood – including adoption, surrogacy, fertility treatments, pregnancy, and more – and opportunities for employer-sponsored funds to help pay for care
- Fringe –A company paid stipend program for personalized lifestyle benefits, allowing employees to choose benefits that matter most to them – ranging from vendors like Netflix, Spotify, and GrubHub to services like student loan repayment, travel, fitness, and more
- Employee Resource Groups – Employee-led committees that embrace and incorporate diversity and inclusion into our day-to-day operations
- Philanthropic Partnerships – Opportunities to engage in partnerships and pro-bono projects that support our communities.
- 401(k) Matching – Generous matching and no vesting period to help you continue to build financial wellness
CapTech is committed to providing a flexible work environment and helping our employees achieve a work-life balance that suits their individual needs. Employees must be available to work onsite in a client location or a CapTech office as requested. We allow CapTech employees to work remotely when compatible with CapTech and client needs.
CapTech is an equal opportunity employer committed to fostering a culture of equality, inclusion and fairness — each foundational to our core values. We strive to create a diverse environment where each employee is encouraged to bring their unique ideas, backgrounds and experiences to the workplace. As part of this commitment, CapTech will ensure that persons with disabilities are provided reasonable accommodations. If reasonable accommodation is needed to participate in the job application or interview process, to perform essential job functions, and/or to receive other benefits and privileges of employment.
At this time, CapTech cannot transfer nor sponsor a work visa for this position. Applicants must be authorized to work directly for any employer in the United States without visa sponsorship.