Principal GRC Analyst (Risk, IA, Controls)

Posted 17 Days Ago
Pune, Maharashtra
7+ Years Experience
Cloud • Information Technology • Security • Software • Cybersecurity
Data Protection for the cloud era.
The Role
Establish a formal and robust Risk Management/Governance Program to identify and assess risks, develop control environments, and provide oversight for technology and information security risks. Responsibilities include internal audit, risk management, strategic planning, assessment, and collaboration with internal partners.
Summary Generated by Built In


About Druva 

Druva, the autonomous data security company, puts data security on autopilot with a 100% SaaS, fully managed platform to secure and recover data from all threats. The Druva Data Security Cloud ensures the availability, confidentiality, and fidelity of data - providing customers with autonomous protection, rapid incident response, and guaranteed data recovery. The company is trusted by its more than 6,000 customers, including 65 of the Fortune 500, to defend business data in today’s ever-connected world. Amidst a rapidly evolving security landscape, Druva offers a $10 million Data Resiliency Guarantee ensuring customer data is protected and secured against every cyber threat. Visit druva.com and follow us on LinkedIn, Twitter and Facebook.

Establish a formal and robust Risk Management/Governance Program which will identify and assess risks to build realistic plans to remediate and sustain a control environment driven by multiple compliance frameworks.

Responsibilities:

Internal Audit

  • Evaluate the adequacy and effectiveness of applicable policies, procedures, processes, systems and internal controls.
  • Perform gap analysis on policy requirements aligned to various operational and Technology processes.
  • Provide monitoring and independent oversight of the execution of technology, info security, and information management risk as they relate to policy and standards, including the independent oversight of the build out of a new front line process dedicated to the end-to-end risk management lifecycle.
  • Develop, implement, and support an effective control review and challenge process to provide transparency, accountability and escalation of control effectiveness.
  • Validate/evaluate appropriateness, completeness, effectiveness and sustainability of corrective actions taken to address situations defined as issues.

Risk Management

Strategic Planning

  • Provide input into the annual business strategy and planning processes to ensure strategic risks are identified, appropriately considered and documented.
  • Embedding an appropriate risk culture.

Assessment

  • Perform ongoing monitoring and assessments of risks captured in the risk register to enable the identification of top risks, potential new risks or emerging risks.
  • Provide oversight and support to ensure the Company’s risk appetite, control framework and policies are clearly documented, communicated and adhered to.
  • Create and maintain appropriate key risk indicators (KRIs) and trigger limits to track the trends in risk exposures.
  • Ensure appropriate and insightful risk reporting, including reporting to the Risk Committee and development and monitoring of KRIs.
  • Own allocated risks in the risk register and facilitate regular risk and control assessments. This may include strategic and operational risks (including data, IT and cyber security).
  • Monitor and assess operational risk exposures, events, business and IT incidents to ensure such cases are appropriately escalated.
  • Support the business in development and implementation of appropriate risk controls to mitigate such incidents.

Collaboration

  • Collaborate with internal partners to ensure effective key controls are appropriately designed and are operating effectively to mitigate identified risks in the risk register.
  • Where relevant, partner with relevant business stakeholders to design and implement pragmatic recommendations and actions for reducing exposures to risk where these exceed appetite or tolerance, ensuring the timely communication of such with the Risk Owner.
  • Lead and conduct risk assessments, reviews or investigations of topics that may arise from time to time. This may include risk assessments on important outsourcing or third-party risk management arrangements, second line of hot risk topics or areas of concern, emerging risks, new business initiatives or regulatory topics.
  • Lead, contribute and/or deliver risk training and awareness initiatives on behalf of the Risk team as may be required.


Skills

  • Strong foundation with active experience in delivering multiple frameworks, including SOC2, ISO, CSA, etc.
  • Experience in a cloud environment such as AWS used as IaaS.
  • Relevant experience with risk frameworks like NIST RMF and the FAIR model.
  • Experience in creating and delivering risk reports to senior management.
  • Strong analytical and problem-solving skills.
  • Excellent communication and interpersonal skills.
  • Ability to work independently and as part of a team.
  • Strong attention to detail and organisational skills.
  • Proficiency in risk management software and tools.
  • Knowledge of regulatory requirements and industry standards.

Qualifications

  • Bachelor's degree in any discipline with relevant experience in an information security environment.
  • Relevant certifications in compliance, audit, cloud security, or related fields (e.g. CRISC, CISSP, CISM, CISA, etc.).
  • 10+ years' experience, with at least 5 years' experience in risk management or relevant fields.
The Company
Pune, Maharashtra
800 Employees
Hybrid Workplace
Year Founded: 2008

What We Do

Druva delivers data protection and management for the cloud era. Druva Cloud Platform is built on AWS and offered as-a-Service; customers drive down costs by over 50 percent by freeing themselves from the burden of unnecessary hardware, capacity planning, and software management.

Why Work With Us

We are the leader in cloud data protection and cloud is the way of the future! With over $300M in funding and our Pre-IPO status, it is the perfect time to jump on board. Two of our company values are "challenger mentality" and "one team". We truly believe in the impact we can make together and we are not afraid to push the status quo.
