Senior GRC Consultant
Full-Time · Remote (U.S.) · 9:00 AM to 5:00 PM ET
About Rovally
Rovally is a cybersecurity, compliance, and IT operations firm that serves as the embedded security team for venture-backed startups and growth-stage tech companies. We don't advise from the sidelines. We log into systems, implement controls, collect evidence, manage audits, and own outcomes. Our clients trust us to run their compliance programs end to end across SOC 2, ISO 27001, HIPAA, CMMC, GDPR, and more.
We maintain a track record of zero audit findings across all clients and frameworks. That standard is non-negotiable, and it takes a specific kind of person to uphold it.
We are a small, high-output team. There is no middle management. You will report directly to the founder, work across multiple client engagements, and own your portfolio from day one. If you thrive in environments where you are trusted with real responsibility and expected to deliver without being micromanaged, this role was built for you.
Why This Job Description Reads Differently
You will notice this is more detailed than most job descriptions. That is intentional. We have learned that the traditional approach of listing vague responsibilities and a wall of bullet-pointed requirements does not serve anyone well. It leads to mismatched expectations, early turnover, and frustration on both sides.
We would rather be upfront about what the work actually looks like, how we operate, and what kind of person thrives here so you can make an informed decision before either of us invests time in the process. If something in this description excites you, that is a strong signal. If something gives you pause, that is valuable information too. We respect your time enough to give you the full picture now rather than three weeks into the job.
The Role
As a Senior GRC Consultant at Rovally, you will lead compliance and security advisory engagements across multiple client accounts simultaneously. This is not a back-office compliance role. You are the primary advisor to your clients — the person their leadership teams turn to when they need to understand their risk posture, prepare for an audit, respond to a security questionnaire from an enterprise prospect, or figure out which framework to pursue next.
You will own the full lifecycle of advisory engagements: scoping and kickoff, risk assessments, gap analyses, framework implementation, policy development, tabletop exercises, audit coordination, and ongoing advisory. You will work hands-on inside GRC platforms, cloud environments, and directly with client stakeholders ranging from engineering leads to C-suite executives.
This role requires someone who can context-switch between clients and frameworks without losing focus or quality, who can translate compliance requirements into practical advice that non-security teams actually follow, and who brings enough depth across multiple frameworks to advise confidently without needing to be told what to do.
What You Will Do
- Own and lead GRC advisory engagements across 3 to 5 client accounts spanning SOC 2, ISO 27001, ISO 42001, HIPAA, CMMC, GDPR, PCI DSS, and other frameworks.
- Conduct risk assessments and gap analyses that give clients a clear, prioritized picture of where they stand and what they need to do — not a generic checklist, but actionable guidance tailored to their environment, stage, and risk appetite.
- Design and facilitate tabletop exercises for incident response, business continuity, and disaster recovery scenarios. You run the room, drive the discussion, document findings, and turn the output into concrete remediation plans.
- Advise clients at the executive level on compliance strategy, framework selection, control design, and audit readiness. You are their fractional security and compliance advisor, not just a task executor.
- Work inside GRC platforms (Drata, Secureframe, Vanta, Thoropass, and others) daily to map controls, collect evidence, remediate findings, and maintain audit readiness across your client portfolio.
- Coordinate directly with external auditors during Type I and Type II examination periods, managing evidence requests, auditor communications, and remediation timelines.
- Draft and maintain client security policies, procedures, and compliance documentation aligned to applicable frameworks. Your writing is audit-ready and does not require someone else to clean up after you.
- Complete security questionnaires and vendor risk assessments on behalf of clients, ensuring accuracy and timely delivery.
- Conduct user access reviews, vendor assessments, and control testing across client environments.
- Collaborate with our IT operations and security teams on cross-functional deliverables such as onboarding and offboarding workflows, MDM compliance, endpoint security evidence, and vulnerability remediation tracking.
What a Typical Week Looks Like
Monday you start by reviewing the status of your client portfolio — one client has a SOC 2 Type II audit window opening in three weeks, another just kicked off an ISO 27001 implementation, and a third needs a risk assessment completed before their board meeting next month. You prioritize the audit-prep work, push three evidence items to close in Drata, and send the auditor a status update. After lunch you switch to the ISO client and finalize the control mapping you started last week, flagging two gaps that need remediation before the Stage 1 audit.
Tuesday is advisory-heavy. You run a tabletop exercise for a client’s engineering and leadership team — a simulated ransomware scenario that pressure-tests their incident response plan. You facilitate the discussion, capture observations, and by end of day you have a draft findings report with prioritized recommendations. In between, a different client pings you on Slack asking whether they need HIPAA if they are processing PHI through a subprocessor. You give them a clear, grounded answer and document the decision rationale.
We have built internal tooling and AI-powered workflows at Rovally that make a lot of this faster, more consistent, and less tedious than it sounds. You are not hand-jamming everything from scratch. But the tools work best when the person using them understands the context, knows how to prioritize, and can exercise judgment when a situation does not fit neatly into a template.
By Thursday you are drafting an Acceptable Use Policy for a new client, reviewing a security questionnaire response for accuracy, and jumping on a call with an auditor to clarify a testing request. Friday you wrap up outstanding items, update your task tracker, and flag anything that needs escalation before the weekend.
This is the pace. It is consistent, it is multi-threaded, and it requires someone who can hold multiple workstreams in their head without dropping balls.
Who You Are
The ideal candidate for this role is not defined by a specific title or pedigree. What matters most is how you work. These are the traits and behaviors that make someone successful at Rovally:
- You have led or co-led compliance engagements across multiple frameworks and multiple clients simultaneously. Single-company, single-framework experience alone is not sufficient for this role.
- You think like an advisor, not a checkbox operator. When a client asks whether they need a specific control, you do not just say yes or no — you explain the risk, the regulatory context, and the practical trade-offs so they can make an informed decision.
- You are self-directed. When you encounter something unfamiliar — a new framework, an unusual client architecture, an ambiguous audit requirement — your first instinct is to research it, not escalate it. You use documentation, framework standards, AI tools, and your own judgment before asking for help.
- You can run a room. Whether it is a tabletop exercise with a client’s leadership team or an audit kickoff call, you are comfortable facilitating, guiding the conversation, and keeping things on track.
- You communicate with professionalism. You can write a clear email to a client executive, draft a Slack message to an auditor, produce a risk assessment report that does not require someone else to clean up after you, and present findings to a non-technical audience.
- You handle ambiguity well. Not every engagement will have a playbook. You will encounter situations where you need to reason through the right approach, make a decision, and move forward.
- You take pride in your output. You double-check your evidence before submitting it. You proofread your emails. You own your work product.
- You are in it. This is your primary professional commitment, not a side engagement, not supplemental income. You are here to build a career in GRC consulting and compliance advisory.
Required Experience
- Three to six years of hands-on experience in GRC, compliance consulting, IT audit, or security advisory, with meaningful time spent managing multiple concurrent engagements or client accounts.
- Working knowledge of at least three of the following frameworks: SOC 2, ISO 27001, ISO 42001, HIPAA, CMMC, NIST 800-53, PCI DSS, GDPR, CCPA.
- Direct experience conducting risk assessments — not just filling out templates, but scoping, identifying threats, evaluating controls, and producing actionable findings that inform business decisions.
- Experience facilitating tabletop exercises or incident response simulations for client teams, including scenario design, facilitation, and findings documentation.
- Hands-on experience with at least one GRC platform: Drata, Secureframe, Vanta, Thoropass, Sprinto, or similar.
- Strong written and verbal communication skills. Client-facing advisory communication is a daily part of this role.
Preferred Experience
- Previous role at a GRC advisory firm, vCISO-as-a-service provider, or compliance MSP (Rhymetec, Eden Data, Risk3sixty, Echelon, BARR Advisory, or similar) where you managed a multi-client book.
- Previous role at an audit firm (Schellman, A-LIGN, Coalfire, Sensiba, Prescient Assurance, Johanson Group, KirkpatrickPrice, or similar) performing SOC 2 or ISO readiness assessments, control testing, or Type II examinations.
- Previous role at a GRC platform vendor (Drata, Secureframe, Vanta, Thoropass, Sprinto) in implementation, professional services, customer success, or a technical customer-facing capacity.
- Experience advising clients at the executive level on compliance strategy, framework prioritization, and security program maturity.
- Familiarity with cloud environments (AWS, GCP, Azure), identity providers (Okta, Google Workspace, Microsoft Entra ID), and the security and compliance patterns those environments use.
- Experience with policy development and security documentation beyond templates — you have drafted policies aligned to specific frameworks and tailored to a client’s operating environment.
- Relevant certifications: CISA, CRISC, Security+, ISO 27001 Lead Implementer or Lead Auditor, HITRUST CCSFP, or equivalent.
What We Offer
- Competitive salary commensurate with experience.
- Direct mentorship from the founder and high-performing CISOs and practitioners, with exposure to every major compliance framework in the market.
- Ownership of client relationships from day one. You are not a back-office resource. You are the face of the program to your clients.
- A small team where your contributions are visible and directly impact the company’s growth.
- Exposure to a diverse portfolio of VC-backed startups and growth-stage technology companies across industries.
- Access to leading GRC platforms, security tools, and AI-powered productivity tools to support your work.
- Remote-first environment with flexibility, balanced with clear expectations around availability and responsiveness during business hours.
What to Expect in Our Hiring Process
We are intentional about who joins the team, and we want the process to be transparent and respectful of your time.
- Application review. We read every application. A thoughtful cover note that explains why this specific role interests you will stand out more than a generic submission.
- Practical assessment. Before any interview, we will ask you to complete a short, real-world exercise. This may involve reviewing a client compliance scenario, drafting a risk assessment finding, scoping a tabletop exercise, or responding to a mock client question. This is how we evaluate the way you think and work, not just what you know.
- Conversation with the founder. If the assessment is strong, you will have a direct conversation about your experience, working style, and what you are looking for. This is a two-way conversation. We want you to evaluate us as much as we are evaluating you.
- Identity and background verification. Due to the nature of our work, Rovally team members operate with elevated access to client systems, sensitive data, and security infrastructure. All hires undergo identity verification through Clear, comprehensive background checks, and professional reference checks. This is standard across all roles and is communicated early in the process.
A Few Things to Know Upfront
This is a full-time position requiring dedicated commitment during standard business hours (9:00 AM to 5:00 PM Eastern). We have a strict policy against concurrent outside employment or freelance engagements. We need your full attention on the work, and our clients deserve that level of commitment.
This is a startup environment. The pace is fast, the scope is broad, and the expectations are high. If you have spent your career in a large enterprise where you owned a narrow slice of a compliance program, this will feel different. We encourage you to reflect on whether this type of environment is where you do your best work.
If you have read everything above and you are thinking, “This sounds like exactly what I want,” we would love to hear from you.
Rovally sits at the intersection of compliance, security, and IT operations, and that means the learning never stops. You will gain hands-on experience across every major compliance framework in the market, work directly with auditors, security engineers, and executive teams, and develop an advisory skill set that most GRC professionals do not get exposure to until much later in their careers. As we grow, so does the scope of what you will touch. The person who joins now will have the opportunity to grow with us, take on more complex engagements, and shape how we deliver this work at scale.
rovally.com | careers@rovally.com
Rovally is an equal opportunity employer.