Osg Security Jobs (NOW HIRING)

Job Summary:
OSG is growing its Governance, Risk, and Compliance function and is seeking an experienced GRC Cybersecurity Lead to take ownership of the cybersecurity GRC program. This high-visibility role involves working with executive leadership and various departments to manage and communicate cyber risk across the organization.
Responsibilities:
• Own enterprise-wide cyber risk analysis and reporting, from methodology to board-level dashboards.
• Develop and continuously refine risk assessment methodologies, scoring models, and risk appetite statements.
• Identify, evaluate, and quantify cybersecurity risks; recommend mitigation strategies and track remediation to closure.
• Lead annual and ad hoc enterprise risk assessments, including third-party/vendor risk reviews.
• Coordinate tabletop exercises and Incident Response Plan testing.
• Keep all cybersecurity policies, standards, and procedures current and aligned to NIST CSF, HITRUST CSF, HIPAA, and PCI DSS 4.0.
• Lead the annual policy review and approval cycle, including version control, exception management, and stakeholder sign-off.
• Develop and map controls across frameworks to minimize duplication and audit fatigue.
• Communicate policy changes and provide interpretive guidance to internal stakeholders and control owners.
• Partner with Compliance, IT, Engineering, Product, Legal, HR, Finance, and Operations to ensure risks are captured in OSG’s enterprise risk register.
• Maintain accuracy and completeness of the risk register; track treatment plans and accept/transfer/mitigate/avoid decisions.
• Facilitate risk review forums, steering committees, and quarterly risk governance meetings.
• Escalate critical or unresolved risks to the CISO and executive leadership.
• Work with Compliance to ensure cybersecurity policies meet regulatory requirements (HIPAA, PCI DSS, state privacy laws) and client contractual obligations.
• Support internal and external audits; HITRUST, SOC 2, PCI DSS, HIPAA, and client audits including coordinating evidence, responses, and remediation.
• Track regulatory and framework changes and translate them into actionable policy and control updates.
• Manage client-facing security questionnaires and assessments (CAIQ, SIG, HITRUST inheritance, custom questionnaires).
• Review MSAs, vendor contracts, BAAs, DPAs, and other agreements to confirm cybersecurity and data protection sections meet OSG and regulatory requirements.
• Validate clauses covering data protection, breach notification, audit rights, subcontractor controls, encryption, retention, and data return/destruction.
• Partner with Legal, Procurement, and Sales to negotiate security-related contract language.
• Maintain a library of standard security clauses, fallback positions, and contract templates.
• Serve as the senior subject-matter expert for GRC, mentoring analysts and influencing stakeholders across the organization without formal reporting authority.
• Build strong relationships with IT, Engineering, Product, Legal, Compliance, Privacy, Internal Audit, and HR.
Qualifications:
Required:
• Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related field.
• 8+ years of progressive experience in cybersecurity GRC, IT audit, information security, or compliance (at least 3 years focused on policy, risk, and/or compliance).
• Hands-on experience operating a cybersecurity risk register and end-to-end risk management lifecycle.
• Experience supporting audits or certifications under at least two of: NIST CSF, HITRUST, HIPAA, PCI DSS, SOC 2.
• Deep working knowledge of NIST CSF, HITRUST CSF, HIPAA Security and Privacy Rules, and PCI DSS 4.0.
• Familiarity with adjacent frameworks: SOC 2, ISO/IEC 27001, NIST SP 800-53, NIST SP 800-171.
• Experience reviewing and red-lining cybersecurity provisions in commercial contracts, BAAs, and DPAs.
• Experience with at least one GRC platform (Archer, ServiceNow GRC, OneTrust, LogicGate, AuditBoard, Hyperproof, Drata, Vanta, or similar).
• Strong written and verbal communication; able to translate technical risk into business language for executive, board, and client audiences.
• Proven ability to manage multiple workstreams and deadlines in a matrixed, cross-functional environment.
Preferred:
• One or more of: CISSP, CISA, CISM, CRISC, CIPP, HCISPP, HITRUST CCSFP, or PCI ISA.
• Experience in healthcare, financial services, fintech, payments, or other heavily regulated industries.
• Hands-on experience supporting HITRUST r2 certification and/or PCI DSS 4.0 attestation.
• Working knowledge of HIPAA, GDPR, CCPA/CPRA, and U.S. state privacy laws.
• Familiarity with cloud platforms (AWS, Azure, GCP) and SaaS environments, including shared responsibility models.
• Experience in an organization undergoing rapid growth, M&A activity, or platform modernization.
Company:
OSG delivers print and digital customer communication solutions. Founded in 1992, the company is headquartered in Carol Stream, USA, with a team of 501-1000 employees. The company is currently Late Stage.