Search all jobs
Browse jobsOrlando, FL › Senior GRC Analyst

Senior GRC Analyst

Morganmorganjobsapplynow · Orlando, Florida, United States · Posted Jun 30, 2026

Apply on company site   Track it in JobSkout

At Morgan Morgan, the work we do matters. For millions of Americans, we’re their last line of defense against insurance companies, large corporations or defective goods. From attorneys in all 50 states, to client support staff, creative marketing to operations teams, every member of our firm has a key role to play in the winning fight for consumer rights. Our over 6,000 employees are all united by one mission: For the People.

Senior GRC Analyst

Morgan Morgan | Risk Resilience Program

Reports To: Director of Business Continuity

Department: Information Security / Risk Resilience

Type: Full-Time

The Opportunity

Morgan Morgan is one of the largest plaintiff law firms in the country — 6,000+ employees, 100+ offices, and a caseload that doesn’t wait. The Risk Resilience program is in full build mode: governance structure is set, the first BIA is complete, and the frameworks are mapped. What’s missing is execution capacity.

This is not a maintenance role. You’re joining at the ground floor of a GRC program that needs to be built from a standing start — TPRM methodology, policy lifecycle, risk register calibration, awareness program design. You’ll own workstreams end-to-end, not coordinate them. You report directly to the Director of Business Continuity, who owns the GRC function and sets program direction.

If you want to inherit a mature program and tune it, this isn’t for you. If you want to build one — with real ownership, real scope, and a clear path to being the person who shapes how risk is managed across a national law firm — read on.

What You’ll Own

Third-Party Risk Management

Build and own the end-to-end TPRM process: risk tiering, assessment criteria, and escalation thresholds — from scratch

Lead risk assessments for the firm’s highest-exposure vendor relationships: case management, e-discovery, payment processing, and others

Bring risk acceptance and remediation recommendations to the Director; own the analysis behind the decision

Policy Lifecycle

Run the full policy lifecycle: drafting, review cadence, approval workflows, and firm-wide attestation tracking

Write policy content directly — you’re not inheriting a library, you’re building it, translating framework requirements into language that works for a law firm

Identify and close policy gaps against ISO 27001, NIST CSF, and CIS v8.1 before they become audit findings

Risk Management

Own the enterprise risk register: methodology, scoring calibration, and quarterly review cadence

Lead control testing and gap assessment in Vanta; design remediation plans

Spot emerging risk trends and bring recommendations

Security Awareness

Assist with the design of the security awareness program strategy: content calendar, phishing simulation progression, targeted training for high-risk roles, and Program Champions

Analyze effectiveness data and adjust the program based on results, not just completion rates

Audit Compliance Readiness

Serve as a point of contact for cyber insurance audits, major client security due diligence, and regulatory inquiries

Own the audit calendar and evidence readiness posture — you’re not responding to requests as they land, you’re ahead of them

Reporting Program Visibility

Build and maintain the GRC reporting suite for CIO-level consumption: risk posture snapshots, control testing results, TPRM exposure summaries

Identify maturity gaps against framework requirements and bring prioritized roadmap recommendations to the Director

Cross-Program Coordination

Interface with the BC/DR and Crisis Management program on control alignment, vendor dependencies surfaced in BIAs, and recovery capability assumptions

Coordinate with the Privacy function (in build) on data inventory, state privacy law obligations (FL, CA, NY, and others), and third-party data handling risks

Once the GRC Analyst is hired, serve as a working mentor without formal management authority

What We’re Looking For

4–6+ years in GRC, IT audit, compliance, or information security

Deep hands-on experience in a GRC platform; Vanta strongly preferred

Strong working knowledge of ISO 27001, NIST CSF, and CIS v8.1; you’ve mapped controls across multiple frameworks at the same time

ISC2 CC/CCSP or ISACA CRISC/CISA required, or other ISC2 or ISACA related certifications (CISSP, CISM)

Direct experience leading external audits or client security due diligence as primary point of contact, including findings negotiation

You’ve designed a security awareness program

Comfortable operating independently

Bachelor’s degree in Information Security, Risk Management, Computer Science, or related field; equivalent experience considered

#LI-MB1

Benefits

Morgan Morgan is a leading personal injury law firm dedicated to protecting the people, not the powerful. This success starts with our staff. For full-time employees, we offer an excellent benefits package including medical and dental insurance, 401(k) plan, paid time off and paid holidays.

Equal Opportunity Statem…

Apply on company site