ABC Supply is North America’s largest wholesale distributor of exterior and interior building products. ABC Supply is proud to be an employee-first company. In fact, we have won the Gallup Great Workplace Award every year since its inception in 2007, and Glassdoor has named us one of the best places to work in the country. Be part of a company that recognizes your talents, rewards your efforts, and helps you reach your full potential. At ABC Supply, we have YOUR future covered. Position Summary: The governance, risk and compliance (GRC) security analyst is a highly respected, influential, and in-demand role within the business. The position is responsible for supporting the security direction of the business, lowering risk, and elevating the company’s security posture. The GRC security analyst is expected to support the security strategy of the business within new and existing information system capabilities. Consequently, the position requires both an understanding of legacy systems, as well as new technologies and requirements. The GRC security analyst is also responsible for the planning and design of policies and maintenance. The ideal candidate is technical and possesses at least ten years of experience in IT, cybersecurity, compliance, and risk management. The role oversees the business’ security requirements and obligations mandated by standards and regulations such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), General Data Protection Regulation (GDPR), Health Information Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). In tandem with security leadership, the GRC security analyst consistently assesses and validates the assurance of the security program. As a primary point of contact for internal and external auditors, the GRC security analyst monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business. As a key member of the security team, the GRC security analyst must focus on strong risk management and corporate resiliency, and not be driven solely by compliance. Essential Job Duties: Serve on a distributed security and technology team responsible for establishing and maintaining data protection technical controls. Provide rigorous oversight of security systems and security configuration administration that reduces risk to enterprise systems and accounts. Identify, document, communicate, and remediate areas of security improvement that balance risk with business operations, as well as ensure controls are not weakening efficiencies or business innovation. Be dedicated to an ongoing security maturation program, where areas of strength are amplified and areas needing improvement are documented and remediated. Maintain a high degree of knowledge with current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. Conduct security-related audits, compliance checks and external assessment processes, including but not limited to the NIST 800-53, NIST CSF, COBIT, ISO, MITRE ATT&CK, EU’s General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), Service Organization Controls (SOC) 2, California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI-DSS), Americans with Disabilities Act (ADA) and other applicable industry standards. Facilitate IT compliance of identified controls – for example, IT general controls (ITGCs), application, cloud, and cybersecurity. In tandem with risk management and security, direct and conduct ongoing risk analysis organization-wide in support of the GRC program. Assess, monitor, and remediate third-party security risk. Review and modify contracts for security concerns and business risk. Partner with business units to ensure adequate controls are available and enabled in production. Support and maintain a wide range of data protection technologies, including but not limited to DLP, CASB, behavioral analytics, insider threat, data classification, data governance and encryption. Analyze systems and data sources for accidental, malicious, and unauthorized activities. Ensure that the proper transport and storage of company information is maintained through data classification and data loss prevention (DLP). Work closely with security leadership, teammates, and stakeholders to evaluate and implement data protection controls that align with organizational risk posture and compliance requirements. Secure and monitor data on-premises, in cloud infrastructure and within applications required to support a dispersed remote workforce. Manage and test business rules protecting data, as well as the use and handling of data assets. Conduct data discovery to locate data at risk, as well as validate existing data storage has not been altered. Emphasize privacy, security, business resiliency and compliance frameworks. Maintain understanding of business processes to aid in managing enterprise data protection. Frequently interact with business units to understand their plans, risk posture and tolerance, and how to share responsibility and support their vision and business obligations securely. Document data protection policies and exceptions, and periodically review with business units. Align data protection policies and procedures with the corporate governance structure. Execute tactical requests supporting the strategic vision for rigorous and scalable data protection controls. Implement data protection projects from inception to completion on time and within budget. Effectively communicate knowledge of GRC controls across business units with a focus on, but not limited to, company practices, procedures, third-party integrations, product development and financials. Influence and validate metrics used in assessment of security program success and report them regularly to security and business leadership. Inspire business units to adopt cybersecurity security controls to reduce the attack surface. Make recommendations for improvements to ensure least privilege to data and rigorous security practices, without negatively impacting end-user experience or leading to employees attempting to circumvent controls. Openly support the organization and the security management team during times of adversity. Develop relationships with engineering, IT, incident response, SOC, and software engineering team members. Perform other duties as assigned. Skills and Experience: At least 10 years of experience in cybersecurity in one or more roles, including systems management, security analyst, compliance and regulations, risk management or audit. Demonstrated experience and thorough understanding of various cybersecurity frameworks, regulatory requirements, and laws such as, but not limited to NIST 800-53, NIST CSF, COBIT, ISO, PCI, ADA, SOX and Privacy (CCPA, GDPR). Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls. Preferably at least two years of experience in Amazon Web Services (AWS), Google Cloud Platform (GCP) and/or Microsoft Azure cloud computing security configuration and management. Proven understanding of business focus and processes, and ability to inject cybersecurity into the business through teamwork and influence. Strong team and collaboration skills, and track record of delivering GRC projects under tight deadlines. High level of integrity and trustworthiness, as well as confidence to represent the company and security leadership with the highest level of professionalism. Demonstrated experience conducting tabletop exercises. Capable of working with diverse teams and promoting a positive enterprise-wide security culture. Demonstrated project management, multitasking and organizational skills. Ability to obtain and preserve credibility with the team and external constituents through sustained industry knowledge. Ability to motivate teammates to achieve excellence and willingly share knowledge. Engage in continuous professional development. Additional Qualifications: Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and effective communication. Organized, efficient self-starter requiring minimal supervision. Understanding of service design, delivery concepts and control frameworks. Forward thinking with strong business acumen and flexibility. Highly focused on building and implementing a strong, cohesive team and security culture. Outstanding written and verbal, business, and cybersecurity communication skills. Education Requirements: Bachelor's degree in relevant field or equivalent experience. MBA or master’s degree in related field or equivalent experience. Certification Requirements: Cybersecurity Certifications in either CISSP, CISM, CISA, CRISC or GSLC are preferred. Benefits may include: Health, dental, and vision coverage - eligible after 60 days, low out of pocket 401(k) with generous company match - eligible after 60 days, immediately vested Employer paid employee assistance program Employer paid short term and long term disability Employer paid life insurance Flex spending Paid vacation Paid sick days Paid holidays Equal Opportunity Employer / Drug Free Workplace ABC Supply values diversity and we actively encourage women, minorities, and veterans to apply. ABC Supply Co., Inc. is the largest wholesale distributor of roofing in the United States and one of the nation's largest distributors of siding, windows and other select exterior and interior building products, tools and related supplies. Since our start in 1982, we've grown to become a national organization with more than 800 branches and other facilities in 49 states. Our success is the result of an unwavering focus on a single, simple guiding principle - treat contractors (large and small) with respect and give them the products and services they need to build their businesses. We offer high quality products, superior service and competitive pricing, ensuring the contractors have the products they need - when and where they need them.