• Senior GRC Analyst

    Sargent & Lundy (Chicago, IL)


    Description

    Sargent & Lundy is a leading consulting engineering firm specializing in the power and energy sectors. Since 1891, we have provided comprehensive engineering, design, and consulting services for both traditional and renewable power generation, grid modernization, nuclear power, and beyond. Our mission is to help clients achieve their energy goals effectively by leveraging advanced technologies and adopting sustainable practices.

    Role Overview

    Sargent & Lundy is seeking a proactive, data-driven, and detail-oriented Senior GRC Analyst to lead key pillars of Governance, Risk, and Compliance (GRC) with a primary emphasis on enterprise Information Security, TPRM, contract governance, and cross-functional coordination with Legal and Procurement. You will own cyber training, communications, and phishing simulations, and drive measurable outcomes through strong data analysis and dashboard reporting (KPIs/KRIs). You will support audit readiness and regulatory alignment across frameworks such as ISO 27001, SOC 2, NIST CSF /171 , and CMMC. You will also guide privacy-aligned practices (e.g., GDPR) and lead effective policy implementation through clear procedures, controls, and adoption plans.

    Essential Responsibilities

    + Lead and mature the Third-Party Risk Management (TPRM) program: Develop & manage vendors inventory, conduct risk reviews of third-party vendors, define tiering/scoping, evaluate controls, track obligations/findings through closure, and standardize evidence retention in collaboration with Legal and Procurement.

    + Drive strong contract management with Legal and Procurement: S tandardize security and privacy clauses, review S&L client contracts, negotiate requirements, and ensure obligations are tracked, owned, and reported.

    + Own the security awareness & training program end-to-end: D evelop curriculum, coordinate communications, execute phishing simulations, analyze outcomes, and improve effectiveness using KPI/KRI dashboards and trend reporting.

    + Administer and optimize GRC platforms and workflows (e.g., Hyperproof ) to maintain visibility into risks, assessments, findings, and audit deliverables; establish SLAs and performance indicators.

    + Develop risk management & risk assessment practice, c onduct risk assessments , develop and manage risk register with clear tracking of risks and accountability.

    + Advance security governance by drafting, maintaining , and operationalizing policies, standards, procedures, and roles & responsibilities; lead change management and communications to ensure policy implementation and adoption.

    + Coordinate evidence and execute control readiness for ISO 27001, SOC 2, NIST CSF, CMMC (gap analysis, control testing, POA&Ms), and support automation that reduces workload .

    + Support privacy-aligned practices (e.g., GDPR): contribute to data classification/handling standards, data mapping/records of processing, privacy-by-design reviews, incident/breach alignment, and retention practices.

    + Oversee governance for Business Continuity and Disaster Recovery and Backup & Recovery in partnership with IT (plan maintenance, exercises, lessons learned, reporting).

    + Lead cross-functional coordination with IT, HR, Finance, Legal, and business teams to embed compliance into operations and accelerate remediation of findings.

    + Manage security tasks/projects and report progress via standardized dashboards, scorecards, and executive-ready narratives, highlighting risk, performance, and trends. - Define, publish, and automate metrics & management reporting (KPIs/KRIs) for training effectiveness, phishing trends, vendor risk, audit readiness, privacy/policy adoption, and control performance.

    + Continuously upgrade information security skills, c ontribute to Information Security team skill development with playbooks, enablement sessions, and knowledge-sharing.

    + Support government contract compliance reviews and tracking, ensuring obligations are documented, monitored , and evidenced .

     

    Core Areas of Responsibility (Scope)

     

    + Information Security Governance, Policies, Standards, Procedures, and Roles & Responsibilities.

    + Risk Management – Information security risk management and risk assessments

    + Compliance management – Audit evidence management, audit coordination and compliance monitoring

    + Third Party Risk Management - Third Party Risk Management , Vendor Assessments , Client Contract Reviews and obligation management .

    + Security Awareness & Training — including communications and phishing simulations : Hoxhunt and Mimecast

    + Coordination with IT, HR, Finance, Legal, and Business Teams. - Security Tasks/Projects Management.

    + Metrics & Management Reporting — strong emphasis on data analysis and dashboarding . Information Security Team Skill Development.

    + Government Contract Compliance Reviews and Tracking.

    + Deep Knowledge of Governance & Privacy

    + Policy lifecycle management and control mapping; demonstrated ability to translate policy into procedures/controls and drive organization-wide policy implementation and adoption.

    + Privacy principles and GDPR-aligned practices (e.g., data classification/handling, data mapping/records of processing, privacy by design, incident/breach communications aligned to policy).

    + Compliance standards and frameworks (ISO 27001, NIST CSF, SOC 2, CMMC).

    + Third-party risk, software intake governance, audit readiness, and evidence management.

    + Security & TPRM Tools - TPRM platforms: ProcessUnity (Vendor Risk, Contract/Obligations, Issues/Findings tracking). - TPRM intelligence/workflow: OneTrust , BitSight (as applicable).

    + GRC/risk registers: Hyperproof (risk, controls, evidence, audits). - Data analytics and reporting: Power BI and Excel ( for KPI/KRI dashboards and executive reporting).

    + Business Continuity and Disaster Recovery Process Oversight. - Backup & Recovery Process Oversight.

    + Mentoring, cross functional team colla boration and executive reporting

     

    This position offers the flexibility of a hybrid schedule with the expectation of 3 days per week in our downtown Chicago office, and 2 days remote from home.

    Qualifications

    Required Qualifications

    + Bachelor’s degree in computer science, information systems, or related field; or equivalent professional experience.

    + 5+ years in GRC or related domains, including leadership/ownership of programs or workstreams.

    + Strong understanding of ISO 27001, SOC 2, NIST CSF; experience with CMMC readiness.

    + Practical knowledge of privacy and GDPR with the ability to implement policy via procedures, controls, communications, and training.

    + Proven expertise in risk management, compliance operations, policy/standards, vendor risk, resilience, security training/awareness, and audit readiness.

    + Advanced data analysis skills with the ability to design and maintain KPI/KRI dashboards, translate data into insights, and present executive-ready reporting.

    + Familiarity with security technologies across on-prem and cloud environments; strong problem-solving and systems thinking.

    + Professional certifications (e.g., CISSP, CISM, CRISC) are advantageous .

    Soft Skills

    + Compassionate Candor : Provide candid, actionable feedback to enhance team performance and individual growth.

    + Seek to Understand : Embrace curiosity and a commitment to continuous learning, fostering an environment of collaboration and innovation.

    + We Before Me : Actively collaborate and engage diverse perspectives to ensure collective success.

    + Do What You Say : Take ownership of commitments, prioritizing and delivering on key initiatives.

    + Light Up Learning : Encourage bravery in trying new ideas , sharing failures as opportunities for growth and learning.

    + Driven by Passion : Connect personal passion to the mission, demonstrating resilience in the face of challenges while pursuing organizational goals.

     

    Why Join Us?

     

    + Work in an established company that values innovation and growth.

    + Engage with a collaborative team that is dedicated to making a meaningful impact in the energy sector.

    + Gain exposure to cutting-edge projects and contribute to data-driven decision-making processes.

     

    We do not sponsor employees for work authorization in the U.S. for this position.

     

    Award-Winning Benefits

     

    At Sargent & Lundy, we care about the health and well-being of our employees. Our commitment extends beyond the workplace, offering comprehensive healthcare plans and generous paid time off to support our team members in every aspect of their lives. We understand the importance of work-life balance, which is why we are proud to provide competitive, award-winning benefits. Our dedication to employee satisfaction has earned us the prestigious Top Workplaces Culture Excellence Award for compensation and benefits in 2022, 2023, and 2024.

     

    Health & Wellness Financial Benefits Work-Life Balance

     

    + Health Plans: Medical, Dental, Vision

    + Life & Accident Insurance

    + Disability Coverage

    + Employee Assistance Program (EAP)

    + Back-Up Daycare

    + FSA & HSA

    + 401(k)

    + Pre-Tax Commuter Account

    + Merit Scholarship Program

    + Employee Discount Program

    + Corporate Charitable Giving Program

    + Tuition Assistance

    + First Professional Licensure Bonus

    + Employee Referral Bonus

    + Paid Annual Personal/Sick Time (PST)

    + Paid Vacation

    + Paid Holidays

    + Paid Parental Leave

    + Paid Bereavement Leave

    + Flexible Work Arrangements

     

    Compensation Range

     

    $100,010.00 - $144,190.00

     

    Transparency Statement

     

    Sargent & Lundy discloses compensation ranges that comply with all local and state regulations. The total compensation package for eligible positions will include a base salary or an hourly rate and a comprehensive benefits package, reflecting our commitment to rewarding performance and supporting the overall well-being of our employees. Individuals may also be eligible to participate in our yearly discretionary bonus.

     

    Awards & Recognition

     

    Equal Opportunity

     

    Sargent & Lundy is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, national origin, disability status, protected veteran status, or any protected status as defined by applicable law.

     

    CityChicago

     

    StateIL

     

    CountryUnited States

     

    Area of InterestInformation Technology

     

    TypeFull Time - Regular

     

    Job ID2025-19627

     

    Business GroupCEO Group

     

    DepartmentInformation Security