
Senior GRC Analyst

ModMed

Hybrid | Full Time | $135,000

Job Overview

Job Title: Senior GRC Analyst
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $135,000
Location: Hybrid


Job Description

About ModMed

At ModMed, we’re not just building software—we’re reimagining the healthcare experience. Founded in 2010 by a practicing physician and a successful tech entrepreneur, we took a radically different approach: we hired doctors and taught them how to code. This "for doctors, by doctors" philosophy has allowed us to create an AI-enabled, specialty-specific cloud platform that places patients at the center of care.

When you join ModMed, you’re joining an award-winning team recognized for innovation and employee satisfaction. From our Global Headquarters in Boca Raton, Florida, and extensive employee base in Hyderabad, India, we are a team of 4,500+ passionate problem-solvers on a mission to increase medical practice success and improve patient outcomes.

  • Consistently ranked as a Top Place to Work
  • 2025 Globee Business Awards: Gold Globee for “Technology Team of the Year”
  • 2025 Black Book Awards: Ranked #1 EHR in 11 Specialties
  • Florida Venture Forum: Venture-Backed Company of the Year

We are growing fast, thinking big, and we are just getting started. Ready to modernize medicine with us?

Job Description Summary

The Senior GRC Analyst is responsible for leading and maturing key components of ModMed’s Governance, Risk, and Compliance program. This role partners closely with security, technology, legal, compliance, and business stakeholders to proactively identify, assess, and mitigate risk while ensuring ongoing compliance with regulatory and industry standards. The incumbent operates as a trusted advisor, driving continuous improvement of GRC processes, frameworks, and controls across the enterprise.

The Senior GRC Analyst is responsible for designing, enhancing, and scaling GRC processes, including enterprise risk assessments, third-party risk management, audit readiness, and security awareness programs. This role contributes directly to improving program maturity, efficiency, and sustainability across ModMed.

What You'll Do

  • Lead the development, implementation, and ongoing maintenance of enterprise cybersecurity policies, standards, and procedures.
  • Own and evolve components of the cybersecurity governance framework, ensuring alignment with business strategy, risk appetite, and regulatory obligations.
  • Serve as a subject matter expert on GRC frameworks and best practices, advising leadership on governance decisions and tradeoffs.
  • Partner cross-functionally to embed governance requirements into operational and technology processes.
  • Lead and independently execute enterprise and third-party risk assessments, including methodology refinement and scoping decisions.
  • Evaluate complex risk scenarios, identify control gaps, and recommend prioritized, risk-based mitigation strategies.
  • Monitor risk remediation efforts, challenge effectiveness of controls, and escalate material risks as appropriate.
  • Contribute to the ongoing maturation of the enterprise risk management and third-party risk management programs.
  • Own and lead compliance activities for major regulatory and industry frameworks (PCI, HIPAA, SOC 2, CIS Controls, NIST CSF).
  • Act as a primary point of contact for internal and external auditors, independently managing audit readiness, execution, and remediation efforts.
  • Interpret evolving regulatory requirements and translate them into actionable controls and processes for the business.
  • Drive continuous improvement of compliance processes, reducing audit friction and improving control sustainability.
  • Design and continuously improve security awareness and training initiatives based on risk trends and audit findings.
  • Advise business partners and leadership on risk-conscious decision-making and secure-by-design practices.
  • Measure and report on program effectiveness and adoption.
  • Develop and present executive-level reporting on GRC metrics, risk posture, audit outcomes, and program maturity.
  • Ensure comprehensive, defensible documentation for audits, risk assessments, and governance decisions.
  • Provide insights and recommendations to senior security leadership based on data and trend analysis.

What You'll Bring

  • Bachelor’s degree in Information Security, Cybersecurity, Information Technology or equivalent education and experience.
  • Minimum of 7 years of experience in information security GRC, or related fields.
  • Experience with PCI, HIPAA, SOC 2, CIS Controls, risk management, enterprise security risk management, and security awareness.
  • Proficiency in PCI and security risk assessment methodologies and tools.
  • Excellent problem-solving skills.
  • Strong communication and interpersonal skills.

It's a Plus If You Have

  • Familiarity with healthcare industry regulations.
  • Strong understanding of security frameworks and standards (NIST CSF, PCI, HIPAA, SOC2, CIS Controls).
  • Experience with GRC tools and technologies.
  • PCIP, ISACA, or CISM certification.

ModMed Benefits Highlight

At ModMed, we believe it’s important to offer a competitive benefits package designed to meet the diverse needs of our growing workforce. Eligible Modernizers can enroll in a wide range of benefits:

  • Comprehensive medical, dental, and vision benefits, including a company Health Savings Account contribution.
  • 401(k): ModMed provides a matching contribution each payday of 50% of your contribution deferred on up to 6% of your compensation. After one year of employment with ModMed, 100% of any matching contribution you receive is yours to keep.
  • Generous Paid Time Off and Paid Parental Leave programs.
  • Company paid Life and Disability benefits, Flexible Spending Account, and Employee Assistance Programs.
  • Company-sponsored Business Resource & Special Interest Groups that provide engaged and supportive communities within ModMed.
  • Professional development opportunities, including tuition reimbursement programs and unlimited access to LinkedIn Learning.
  • Global presence and in-person collaboration opportunities; dog-friendly HQ (US), hybrid office-based roles, and remote availability for some roles.
  • Weekly catered breakfast and lunch, treadmill workstations, and Zen and wellness rooms within our BRIC headquarters.

Key Skills/Competencies

  • Governance
  • Risk Management
  • Compliance
  • Cybersecurity Policies
  • PCI
  • HIPAA
  • SOC 2
  • NIST CSF
  • CIS Controls
  • Audit Management

Tags:

Senior GRC Analyst
Governance
Risk Management
Compliance
Cybersecurity
PCI
HIPAA
SOC 2
CIS Controls
NIST CSF
Audit Management
Third-Party Risk
Information Security
Security Awareness
GRC Tools
Healthcare IT
Policy Development
Risk Assessment
Control Frameworks
Regulatory Compliance


How to Get Hired at ModMed

  • Research ModMed's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
  • Tailor your resume: Highlight extensive GRC experience, especially with PCI, HIPAA, SOC2, CIS Controls, and NIST CSF. Quantify achievements in risk mitigation and audit management.
  • Showcase GRC expertise: Prepare to discuss your experience leading enterprise and third-party risk assessments, control gap analysis, and policy development.
  • Demonstrate problem-solving skills: Be ready to articulate how you've evaluated complex risk scenarios and implemented prioritized, risk-based mitigation strategies.
  • Emphasize cross-functional collaboration: Illustrate how you've partnered effectively with security, legal, compliance, and business stakeholders to embed governance requirements.
