7 days ago

Senior GRC Security Analyst

Nesto

Hybrid
Full Time
CA$135,000

Job Overview

Job Title: Senior GRC Security Analyst
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: CA$135,000
Location: Hybrid

Job Description

About nesto

Our mission is to provide a positive, transparent, and simplified mortgage financing experience from start to finish. Our team consists of skilled technology experts, caring mortgage specialists, and a diverse marketing team, all working together to drive change in the mortgage industry.

At nesto, we are proud of:

  • Our clients appreciate our positive, transparent, and simplified mortgage financing experience. Our 4.5-star Google reviews speak for themselves!
  • We won the CLA Mortgage Lender of the Year award in 2023 and 2024, recognizing our excellence in lending services.
  • We are a certified B Corp organization, highlighting our commitment to making a positive impact on our society and planet.
  • Our highly skilled, diverse, and collaborative team, which makes everything possible.
  • Our Mortgage Cloud platform, which offers financial institutions full access to nesto's proprietary technology, enhancing the customer experience from start to finish.

About the Role

We are looking for a Senior GRC Security Analyst, reporting to the GRC Manager. This role is ideal for someone who loves operational excellence, audit leadership, and implementing modern compliance practices in a cloud environment.

What you'll do

  • Ensure the daily operational and strategic management of the compliance automation platform (Vanta), including integrations, control mapping, evidence hygiene, and continuous monitoring.
  • Automate evidence collection and integration via scripts/APIs.
  • Organize and lead end-to-end external audits (SOC 2, SOC 1, ISO 27001), and support future certifications (ISO 27017, ISO 27018).
  • Coordinate audit timelines, control workshops, evidence requests, and stakeholder follow-ups.
  • Ensure that policies, standards, and processes are clear, applicable, audit-ready, and aligned with best practices.
  • Implement and operate an internal audit and control self-assessment program (testing methodology, sampling, reporting, corrective actions).
  • Track audit findings and remediation plans, ensuring prompt closure and clear accountability.
  • Improve audit efficiency and reduce operational burden through reproducible frameworks and automation.

Who we're looking for

  • 5 to 8 years of experience in technical GRC security, IT audit, internal audit, security compliance, or risk assurance.
  • Solid experience in managing audits and certifications (SOC 2, SOC 1, ISO 27001); ISO 27017 / ISO 27018 experience is a strong asset.
  • Demonstrated experience in establishing or evolving an internal audit / internal controls capability.
  • Experience with compliance automation tools (Vanta, Drata, Anecdotes, Tugboat Logic).
  • Excellent ability to write and maintain policies, standards, and processes that teams can actually apply.
  • Excellent organizational skills and attention to detail.
  • Ability to collaborate and ensure remediation closure with multiple teams.
  • Experience in scripting/automation (Python, PowerShell, Bash, APIs, SQL) is a significant asset.
  • English is required for writing and documentation. The ability to speak and read French is a significant asset.

What we offer

  • Employee mortgage program: exclusive preferential rates.
  • Comprehensive health coverage: premium extended coverage (health, dental, vision) with 100% drug coverage.
  • Access to a group RRSP/DPSP retirement savings plan with competitive company matching contributions.
  • Telemedicine and family support (maternity/parental leave top-up programs).
  • Flexible workplace: fully remote or in one of our offices (Montreal, Quebec City, Toronto, etc.).

Why join us

  • Contribute to modernizing the Canadian mortgage industry.
  • Certified B Corp company, highlighting our social and environmental commitment.
  • We won the CLA Mortgage Lender of the Year award in 2023, 2024, and 2025, recognizing our excellence in lending services.

Diversity and Inclusion

At nesto, we believe that creativity and collaboration result from a diverse team. We are committed to fostering a culture of diversity, equity, inclusion, and belonging, and we strongly encourage women, people of color, members of the LGBTQIA+ community, and people with disabilities to apply. We are committed to creating an inclusive and welcoming work environment for all. This position is open to all candidates and can be filled remotely from anywhere in Canada.

Key skills/competency

  • GRC
  • Security Audit
  • Compliance Automation
  • SOC 2 Certification
  • ISO 27001
  • Internal Audit
  • Risk Assurance
  • Policy Management
  • Scripting (Python, APIs)
  • Cloud Security

Tags:

Senior GRC Security Analyst
GRC
Security Audit
Compliance
Risk Management
Internal Audit
Automation
Policy Management
Remediation
Certification
Cloud Security
Vanta
Drata
Python
PowerShell
Bash
APIs
SQL
SOC 2
ISO 27001
Cloud Platforms

How to Get Hired at Nesto

  • Research nesto's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor, especially their B Corp status.
  • Tailor your resume: Customize your application to highlight proven experience in GRC, security audit leadership, compliance automation, and cloud environments.
  • Showcase audit management: Prepare to discuss specific examples of organizing and leading external audits, managing remediation, and improving audit efficiency.
  • Demonstrate technical skills: Be ready to illustrate your experience with compliance automation tools, scripting (Python, PowerShell, Bash), APIs, and SQL for evidence collection.
  • Align with company values: Articulate how your experience and passion for operational excellence align with nesto's commitment to transparency, innovation, and social impact.
