Senior GRC Risk Analyst

Company Overview

Job Overview

Come join the Governance, Risk, and Compliance (GRC) team at Intuit! We are looking for an exceptional, results-driven professional to join our world-class team and drive the maturity of our enterprise security risk program.

The cybersecurity risk landscape is constantly evolving. The Senior GRC Risk Analyst will play a crucial role in protecting our customers and our company by performing comprehensive security and compliance reviews of our vendors and partners and ensuring they meet our rigorous security requirements and regulatory obligations.

This role will also be instrumental in managing and maintaining the Enterprise Security Risk Register and the Security Issue Tracking process. The analyst will be responsible for identifying, assessing, mitigating, monitoring, and reporting on information security risks, ensuring timely remediation and providing transparent metrics to executive leadership. Finally, this position will actively support and maintain Intuit's security policies and standards, while tracking and implementing security controls aligned with frameworks such as ISO 27001 and PCI DSS.

We pride ourselves on being innovative and agile. This is an exciting opportunity to work across all business units, influence our security control environment, and contribute directly to the financial trust and stability of our platform.

Responsibilities

• Third-Party Security Risk Management: Lead and execute end-to-end security assessments (initial and ongoing) of third-party vendors, suppliers, and partners, focusing on inherent risk, control maturity, and compliance with industry standards and contractual obligations.

• Risk Register & Issue Management: Own the management and maintenance of the Enterprise Security Risk Register, ensuring accurate categorization, impact analysis, and consistent scoring of identified risks.

• Remediation Tracking: Oversee the security issue tracking process, working closely with control owners across Engineering, Product, and IT teams to define appropriate remediation plans, monitor progress, and escalate overdue items to GRC leadership.

• Policy & Control Implementation: Actively support the ongoing lifecycle of our Information Security Policies and Standards by reviewing, updating, and aligning them to current and emerging regulatory and security framework requirements (e.g., NIST 800-53, PCI DSS).

• Security Control Assessments: Participate in internal security control self-assessments and evidence collection efforts, helping to ensure continuous compliance and audit readiness.

• Executive Reporting: Develop clear, concise, and actionable risk reporting and metrics (KRIs) for GRC leadership and executive stakeholders, translating technical security issues into business risk context.

• Cross-Functional Collaboration: Establish strong, trusted partnerships with internal stakeholders (e.g., Legal, Procurement, Engineering, Product) to embed security and risk management practices early in the business lifecycle.

• Process Improvement: Identify and advocate for opportunities to leverage automation and tooling to streamline risk and vendor assessment processes, enhancing efficiency and accuracy.

Qualifications

• Experience: 4+ years of hands-on experience in Information Security, focusing on GRC, security risk management, third-party risk, or technical security auditing within a regulated industry, preferably fintech.

• Domain Expertise: Strong functional knowledge of widely adopted security frameworks, including NIST CSF, NIST 800-53, ISO 27001, and proven experience with PCI DSS compliance requirements.

• Third-Party Assessment Skills: Demonstrated ability to perform detailed security reviews of third-party documentation (e.g., SOC reports, penetration tests, security questionnaires) to identify security gaps and associated risks.

• Risk Methodology: Experienced in applying risk management methodologies, covering the full lifecycle of activities: identification, quantitative/qualitative assessment, mitigation planning, monitoring, and reporting.

• Technical Acumen: Foundational understanding of common enterprise technology concepts, including cloud environments (AWS, Azure, GCP), network security, application security, and data protection.

• Certifications: Security-related certifications such as CRISC, CISM, CISSP, CISA, are highly desirable.

• Communication & Project Management: Exceptional written and verbal communication skills, with the ability to articulate complex risk issues clearly to both technical and non-technical audiences. Proven ability to manage multiple projects and deadlines simultaneously in a fast-paced environment.

• Education: BS/BA College Education in a related field (e.g., Computer Science, MIS, Cybersecurity).

Intuit provides a competitive compensation package with a strong pay for performance rewards approach. This position will be eligible for a cash bonus, equity rewards and benefits, in accordance with our applicable plans and programs (see more about our compensation and benefits at Intuit®: Careers | Benefits). Pay offered is based on factors such as job-related knowledge, skills, experience, and work location. To drive ongoing fair pay for employees, Intuit conducts regular comparisons across categories of ethnicity and gender. The expected base pay range for this position is: