KOHO is looking for a Senior GRC Analyst to build and establish our risk and compliance programs with a focus on automation and repeatability. You will be responsible for managing audits, third-party risk, vulnerability management, and advising security leadership as we work to financially empower a generation of Canadians.
What You'll Do
- Build up and establish a risk and compliance program with a focus on automation and repeatability for PCI DSS and SOC 2 Type II.
- Obtain and prepare evidence packages for submission to auditors while building the program.
- Build up and/or establish a third-party cybersecurity risk management program, a vulnerability management program, and a phishing program.
- Work with engineers and developers to triage vulnerabilities, assign risk, and prioritize fixes.
- Work with internal and external partners to identify cybersecurity risks, conduct assessments, and manage the ongoing risk posture.
- Create, maintain and communicate information security policies, standards, and procedures across the organization.
- Advise security leadership on risk management strategies, including risk mitigation, reduction, compensating controls, and residual risk analysis.
- Work with the People and Culture team to ensure all employees have a good baseline for security awareness.
- Support broader tech compliance requirements as they relate to RPAA, Mastercard, OSFI, and more.
What We're Looking For
- Bachelor’s degree in computer science, technology management, or a related technical or management field.
- Ability to be a self-starter and own the risk and compliance roadmap.
- Excellent communication skills for conveying the organization's risk posture.
- Experience with PCI DSS, SOC 2 Type II, and NIST 800-53/NIST CSF.
- Hands-on experience with AWS Security Hub, GuardDuty, Inspector, CloudTrail, Config, SCPs, and other AWS-native technologies.
- Experience leading audits and working with regulators.
- Experience in building automations and scripts to pull data and automate evidence retrieval.
- Ability to work cross-functionally, with strong soft skills to build partnerships and communicate risk clearly.
Nice to Have
- Familiarity with OSFI guidelines (B-10 and B-13) and RPAA (Retail Payment Activities Act).
- Holding, or working towards, a CISSP.
Technical Stack
- AWS Security Hub
- GuardDuty
- Inspector
- CloudTrail
- Config
- SCPs
Team & Environment
You will be part of the security team, reporting to the Senior Manager, Product Security. KOHO is a performance organization with a strong heart that cares deeply about outcomes. We value clarity, ownership, bold thinking, collaboration, creativity, and diverse perspectives, and we prioritize work-life integration.
Benefits & Compensation
- Competitive compensation & equity
- Generous vacation + Wellness days + Flex Days + holiday closure
- Remote-first environment + coworking support + yearly all hands retreat
- Access to coaching & growth programs
- Parental top-up & leave policies
- Comprehensive health benefits
- Power-up budgets for books, home office setup, phone & internet, AI tools, and professional development
Work Mode
This is a remote-first position for candidates located within Canada.
KOHO is an equal opportunity employer.