Job Role Insight
Date Posted
May 10, 2025
Location
Remote
Salary
N/A
Job Type
Full-Time
Description
At Alpaca, we're building the future of financial services, and security is paramount. We're seeking an experienced Security Governance, Risk, and Compliance (GRC) Analyst to join our growing Security team. In this critical role, you will be instrumental in expanding our security efforts and safeguarding Alpaca's systems, data, and client assets against evolving risks and threats, ensuring the security and integrity of our firm.
You will be responsible for assessing risks, diligently monitoring compliance, and collaborating effectively with both internal and external stakeholders to ensure strict adherence to our security policies, relevant regulations, and industry best practices. This role demands a deep understanding of cybersecurity principles, comprehensive risk management methodologies, and various compliance and standard frameworks, coupled with a proven track record of successfully managing security risks and fostering seamless cross-functional collaboration.
The Security Team at Alpaca is fully distributed and remote, offering flexibility and autonomy. This position reports directly to the Chief Information Security Officer (CISO).
Things You'll Get To Do
- Support the CISO in developing and maintaining a comprehensive Security program, including robust policies and clear procedures, to ensure ongoing compliance with all relevant regulations and industry standards.
- Ensure meticulous compliance with key frameworks and regulations, including SOC 2 Type 2, ISO 27001, CSA STAR, GDPR, and other applicable external regulatory requirements.
- Conduct thorough and regular risk assessments and gap analyses, and develop effective risk treatment plans to mitigate identified vulnerabilities.
- Apply statistical models to our risk frameworks, translating identified risks into quantifiable metrics (such as FAIR) to provide a data-driven understanding of potential impact.
- Collaborate closely with the CISO to provide strategic guidance on critical Security matters and proactively respond to emerging risks and threats.
- Manage and maintain a consistently up-to-date security control framework, ensuring its relevance and effectiveness.
- Facilitate periodic and comprehensive user access reviews to maintain the principle of least privilege.
- Manage and coordinate both internal and external audits, including the meticulous preparation of audit responses and the development of effective corrective action plans.
- Collaborate effectively with other departments across the organization to mitigate identified security risks and efficiently collect necessary evidence for compliance efforts.
- Proactively manage Alpaca’s supply chain security risks by performing regular and thorough security assessments of our third-party vendors.
- Develop and deliver engaging training and awareness programs to employees on critical cybersecurity policies and essential compliance requirements.
- Provide crucial assistance to the Security team in the timely and efficient triaging of security events.
Who You Are (Must-Haves)
- Genuine excitement about Alpaca’s mission and a strong commitment to the innovative solutions we are building.
- A minimum of 3 years of demonstrable experience in the development and effective execution of risk management and compliance functions within a security context.
- Strong and comprehensive knowledge of diverse information security and compliance standards, including but not limited to SOC 2, ISO 27001, CSA, NIST frameworks, GDPR, CCPA, FINRA, and SEC cybersecurity guidelines.
- Proven experience in effectively managing risk assessments, conducting thorough gap analyses, and developing actionable risk treatment plans.
- Strong familiarity with the security considerations and service models of major Cloud Service Providers.
- Demonstrated experience in managing audit preparation processes, crafting clear and concise audit responses, and developing effective corrective action plans.
- Excellent communication and strong interpersonal skills, enabling effective engagement with diverse stakeholders, clear advocacy for security priorities, and strategic alignment to ensure Security concerns are appropriately prioritized to minimize business risk.
- Willingness and availability to participate in on-call rotations and respond to after-hours security incidents as needed.
Who You Might Be (Nice-to-Haves)
- Bachelor’s degree in Information Technology or a closely related field.
- Relevant security certifications such as CISSP, CRISC, or GIAC are considered a significant plus.
- A solid understanding of relevant financial and privacy regulations.
- Previous experience working within the financial services industry.
- Experience working in a dynamic startup environment.
- Strong business acumen, with the ability to effectively balance trade-offs between stakeholder needs, technological feasibility, and budget constraints.
Note: If you feel strongly that you have what it takes for this role but don’t check 100% of the boxes—that’s okay—we encourage you to apply anyway and highlight what you can bring to the table.