Sr. Security GRC Solutions Architect

At Greenbrier, we do the hard work that matters. The Greenbrier Companies (NYSE:GBX) is powering the movement of products around the world as a leading designer, manufacturer and supplier of freight rail transportation equipment and services.

Greenbrier’s heritage of hard work and industrial innovation is celebrated at every level of our organization. We structure our business to support teams that deliver innovative solutions for our customers while positively impacting the world around us.

Greenbrier’s success begins with people. We believe in supporting our global workforce through our unwavering attention to Safety, Quality, Respect for People and Customer Satisfaction. Our Inclusion, Diversity, Engagement, Access and Leadership (IDEAL) commitment is rooted in these values, which lead to a culture where employees are engaged and feel good about coming to work every day.

Summary

The Sr. Security GRC Solutions Architect is rooted in IT SOX, SOC-1/2, NIST CSF 2.0, CIS and ISO compliance, the objective is automation. Microsoft E5 licensing is fully deployed, and Sentinel is enabled across the environment. Control evidence is tracked in spreadsheets.

The Sr. Security GRC Solutions Architect will be the 1st line of defense who understands the audit requirements deeply but possesses the technical acumen to leverage Sentinel, KQL, Logic Apps, and AuditBoard to automate evidence collection and near real-time monitoring.

They will work directly with the Sr. Manager - GRC and CISO to support the compliance program and IT organization during audits. Working with cross-functional, global teams and communicating with stakeholders at all levels across the company is a regular part of the position. Responsible for supporting IT control requirements and/or IT audit activities, including the development, implementation, and maintenance of processes, procedures, and operational structure. Requires strong attention to detail and the ability to work within established compliance and control frameworks.

Duties And Responsibilities

To perform this job successfully an individual must be able to perform the following essential duties satisfactorily. Other duties may be assigned to address business needs and changing business practices.

• Audit Preparations and Auditor Access: Bulk upload SOX/SOC audit requests to centralized tool during interim and roll-forward testing periods. Coordinate auditor access to Greenbrier systems, as needed.
• Audit Evidence Request Monitoring: Monitor audit evidence request tickets in centralized tool to ensure responses to auditors meet agreed upon milestones. Facilitate evidence request issues and coordinate meetings between IT stakeholders and relevant auditors.
• Compliance Liaison: Liaison between control owners and auditors/assessors for the evidence collection process and audit testing follow-ups. Assist Control Owners with evidence requests from auditors. Schedule meetings as needed.
• Control Automations: Facilitate and drive progress on control automation efforts, coordinating with subject matter experts, control owners, and automation teams.
• Control Changes: Ensure control description and design changes and relevant procedure documentation get updated into the GRC tool master control list in a timely manner.
• Control Failure Triage: Work with control owners/performers to perform root cause analyses on control issues and deficiencies, initiate risk-based remediation plans, and follow escalation procedures. May facilitate control remediation execution.
• Control Improvements: Support and implement control improvements, automation, and update relevant documentation, at the direction of management
• Control Monitoring: Using GRC Tool, monitor SOX/SOC controls for adequate completion by Control Owners and performers and secondary reviewers. Create dashboards for monitoring metrics by global region (U.S. vs. Europe)
• Control Remediations: Design and track all assigned remediation plans through to timely completion. Provide status updates of remediation plans to key stakeholders within the organization. Document as needed.
• Escalations: Proactively monitor audit follow-ups to identify potential control issues or failures, and missing or unavailable evidence, and follow internal escalation protocols immediately so GRC can triage.
• GRC Consultations: Provide audit, control, and evidence guidance to internal security and IT teams; Partner with internal and external stakeholders to assist the IT organization during audits.
• Automated Control Monitoring: Replace manual spreadsheet tracking by architecting and deploying Sentinel Analytics Rules and KQL queries that monitor controls (e.g., terminated user access, privileged account activity, and unauthorized changes).
• Evidence Orchestration (The "Vault" Strategy): Build and maintain Logic App Playbooks to automatically generate "Auditor-Ready" evidence packs upon control triggers, ensuring data is captured and preserved before log retention periods expire.
• AuditBoard & ServiceNow Integration: Optimize the integration between our GRC tool (AuditBoard) and our ITSM (ServiceNow) to automate task routing, remediation tracking, and evidence uploads.
• Root Cause Automation: Develop "SLA Breach" logic to detect process lags (e.g., HR termination vs. actual AD disablement) to provide GRC with immediate visibility into control failures before auditors find them.
• Continuous Compliance Liaison: Act as the technical bridge between IT Stakeholders and Auditors. Instead of manual follow-ups, you will build AuditBoard dashboards that provide stakeholders with real-time status of their compliance posture.
• Control Triage & Remediation: Work with control owners to perform root cause analysis on failures. If a control fails, you don't just document it; you help architect the technical fix or automation to prevent recurrence.
• Third-Party Risk (UpGuard): Leverage UpGuard to streamline the assessment of 3rd-party SOC reports and security postures, integrating these findings into our centralized risk register.
• Procedure Modernization: Update and maintain SOX/SOC Control Procedures to reflect automated workflows, ensuring that how we work matches how we are audited
  
  
  

Qualifications

The following generally describes requirements to successfully perform the assigned duties.

Minimum Qualifications

• Bachelor’s degree in Information Systems or a related field required.
• 5 years of IT audit experience at professional CPA firm, experienced at testing ITGCs for SOX Compliance and/or IT Controls for SOC-1 and SOC-2 compliance or other. OR
• 8 years in an IT GRC function, performing and/or implementing ITGCs for SOX Compliance and/or IT Controls for SOC-1 and SOC-2 Compliance.
• Proficiency in Excel (performing data manipulations such as pivots and macros, familiar with special formulas)
• Deep experience with Microsoft Sentinel and writing KQL (Kusto Query Language).
• Automation: Proven ability to build Azure Logic Apps or Power Automate workflows.
• E5 Stack: Expert-level understanding of the Microsoft E5 Security suite (Entra ID, Purview, Defender for Cloud).
• Proficiency in Microsoft Word and Excel is a must.
• Strong understanding of IT control requirements for IT SOX ITGC and SOC-1 and SOC-2 compliance.
• Excellent technical writing; hands on experience with documenting for audit purposes and procedure writing.
• Auditor Interactions: Negotiation with auditors, issue management, productive and constructive communication with auditors.
• Communicative: Highly responsive and collaborative. Skilled at conflict resolution.
• Problem Solving: Think strategically and solve problems effectively, partner with specialists to design effective, reliable controls, as much as possible. Ability to ask the right questions and understand complex technical topics.
• Task Management: Ability to prioritize and track multiple projects in parallel.
• Manage the micro projects and push tasks forward assigned to you utilizing Greenbrier tasking tools available
• Proactively communicate task blockers and project issues
• Identify tasks needed, self-prioritize based on goals of the team, and proactively seek information to keep projects moving with ease
• Trust Building: Excellent cross-cultural relationship and trust building, superb communication, and strong organizational skills.
  
  
  

Preferred Qualifications

• CISA, CISSP, CPA, or other relevant certifications are preferred.
• 1 years experience performing 3rd Party SOC Report Reviews, or performing SOC examinations and SOC reporting
• Experience performing or facilitating risk management and/or vendor risk assessment processes
• Bilingual in English and Spanish
• Understanding of security frameworks such as NIST CSF, ISO 27001.
• Ability to work on-site at our Lake Oswego, Oregon office; remote work from other locations may be considered based on business needs.
  
  
  

Work Environment And Physical Requirements

Work Environment

The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodation may be made to enable individuals with disabilities to perform the essential functions.

• In office environment, with some travel
  
  
  

Physical Activities And Requirements

Frequency Key

Not Applicable: Activity is not applicable to this occupation

Occasionally: Occupation requires this activity up to 33% of the time (0- 2.5 hours/day)

Frequently: Occupation requires this activity from 33% - 66% of the time (2.5- 5.5 hours/day)

Constantly: Occupation requires this activity more than 66% of the time (5.5 hours/day)

Working Postures

• Sit: Not Applicable
• Stand: Occasionally
• Walk: Occasionally
• Bend: Occasionally
• Kneel/Squat: Not Applicable
• Crawl: Not Applicable
• Climb: Not Applicable
• Reach Forward: Occasionally
• Reach Upward: Not Applicable
• Handling/Fingering: Constantly
  
  
  

Lift / Carry Requirements

• 5-10 lbs: Occasionally
• 10-25 lbs: Not Applicable
• 25-50 lbs: Not Applicable
• 50-75 lbs: Not Applicable
• 75 lbs: Not Applicable
  
  
  

Push / Pull Requirements

• Up to 10 lbs: Occasionally
• 10-25 lbs: Not Applicable
• 25-50 lbs: Not Applicable
• 50-75 lbs: Not Applicable
• 75 lbs: Not Applicable
  
  
  

EOE including Vet/Disability

Click here for more information: Know Your Rights

Greenbrier makes reasonable accommodations in the application and hiring process for individuals with known disabilities, unless providing accommodation would result in an undue hardship. Any applicant believing that he or she may need reasonable accommodation for any part of the application and hiring process should contact Greenbrier Human Resources at careers@gbrx.com or call us at 503-684-7000.

Email communication from The Greenbrier Companies (Greenbrier) will always come from a corporate email address that ends in @gbrx.com or from our applicant tracking system, iCIMS, after you have created a secure account and submitted your application. During the application process, you will create a secure account in our secure applicant tracking site that ends with “-gbrx.icims.com”. In this portal, we will ask you to provide your contact information, past employment history, education history and other job-related information.