7 days ago

Senior Security GRC Analyst

Nesto

Hybrid
Contractor
CA$125,000

Job Overview

Job Title: Senior Security GRC Analyst
Job Type: Contractor
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: CA$125,000
Location: Hybrid


Job Description

Senior Security GRC Analyst at nesto

Join nesto — proudly named Canadian Rocketship 2025*. A Deloitte Fast 50 company evolving alongside Canada’s top tech innovators and disrupting a 2.1-trillion-dollar mortgage industry at light speed by building the mortgage ecosystem of the future.

BUILD lending technology with the best developers, AI engineers, and mortgage experts in the country. Work on a modern tech stack and a development framework designed to unlock your full potential and accelerate your career.

Why join us

  • Hypergrowth: Deloitte Fast 50 — 3 years in a row
  • Tech community credibility: TechTO Canadian Rocketship 2025*
  • Industry leadership: CLA Lending Company of the Year — 4 consecutive years
  • Talent magnet: CMP Top Mortgage Employer 2025
  • Trusted technology: powering major financial institutions across Canada
  • An entrepreneurial culture built on trust, speed, uncomfortable ambition, being stronger together, and a relentless obsession with our clients.

About The Team

We’re looking for a driven and passionate Senior Security GRC Analyst, reporting to the GRC manager. This role will focus on security risk management, third-party risk assurance, and resilience practices, ensuring risks are actively managed and mitigated in a cloud-first environment.

What You'll Be Doing

  • Own and operate the security risk management lifecycle: identification, assessment, treatment, acceptance, tracking, and closure
  • Maintain and continuously improve risk registers, issues tracking, control gaps, audit findings, and remediation plans with strong governance
  • Partner with Engineering, Product, IT, Legal, Risk, Security and Operations teams to define realistic risk treatments that support business delivery
  • Propose and drive cloud-native mitigation strategies (preventive, detective, corrective, compensating controls) aligned with best practices and business context
  • Build and mature Business Continuity and Disaster Recovery (BCP/DR) capabilities:
    • define recovery objectives (RTO/RPO) with stakeholders
    • support DR planning and documentation
    • coordinate DR testing and tabletop exercises
    • track improvements and lessons learned
  • Develop and operate a structured Third-Party Risk Management (TPRM) program:
    • security questionnaires for RFPs and tier-1 strategic partners
    • vendor risk tiering and ongoing monitoring
    • risk-based security requirements and follow-ups
  • Conduct deep-dive third-party security reviews (architecture, data flows, access models, maturity, incident history, compliance posture)
  • Clearly assess and communicate third-party risk (inherent risk, residual risk, key gaps, recommended mitigations) to enable business decisions
  • Recommend and drive technical and procedural controls to reduce third-party risks (security requirements, contractual safeguards, monitoring expectations, access constraints, encryption/logging requirements)
  • Produce clear reporting for leadership on risk posture, remediation progress, and key risk indicators

Who We Are Looking For

  • 5–10 years of experience in Security GRC, risk management, IT audit, internal audit, compliance, or risk assurance
  • Strong experience operating a risk register and driving remediation across multiple teams
  • Strong experience with Third-Party Risk Management (TPRM), including deep vendor reviews and RFP security questionnaires
  • Ability to evaluate risk in context (business criticality, data sensitivity, integration scope) and propose pragmatic mitigation strategies
  • Experience supporting or leading Business Continuity / Disaster Recovery planning and testing is a strong plus
  • Strong understanding of cloud security and cloud-first controls (GCP)
  • Strong stakeholder management skills and ability to influence in a collaborative way
  • Strong ability to write clear, structured, and practical documentation and risk assessments
  • Strong organization skills and attention to detail
  • Scripting or automation experience (Python, PowerShell, Bash, APIs, SQL) is a strong plus
  • English is required for writing and documentation. French speaking and reading is a strong plus.

The Reward

  • The A-Team: Work alongside high-performing talent in the industry.
  • Accelerated Growth: The slope of your learning curve here will be vertical. You will touch more production systems in one year than you would in five years at a bank.
  • Top-Tier Coverage: Premium benefits plan fully paid by nesto, including comprehensive insurance and unlimited access to telemedicine and mental health services for you and your family.
  • Rest & Recharge: 4 weeks of vacation to ensure you stay at peak performance.
  • Best-in-Class Tools: Access to the resources and tech you need to execute without friction.
  • Working framework: The environment that makes you productive and enables teamwork (Hybrid model).

Diversity and Inclusion

At nesto, we believe that creativity and collaboration are the result of a diverse team. We are committed to fostering a culture of diversity, equity, inclusion, and belonging, and we strongly encourage women, people of color, LGBTQIA+ individuals, and individuals with disabilities to apply. We are committed to creating a workplace that is inclusive and welcoming to all.

Key skills/competency

  • Security GRC
  • Risk Management
  • Third-Party Risk Management (TPRM)
  • Business Continuity Planning (BCP)
  • Disaster Recovery (DR)
  • Cloud Security (GCP)
  • IT Audit/Compliance
  • Stakeholder Management
  • Risk Assessment
  • Scripting/Automation

Tags:

Senior Security GRC Analyst
Risk Management
Third-Party Risk Management
TPRM
Compliance
Governance
IT Audit
Business Continuity
Disaster Recovery
BCP
DR
Cloud Security
GCP
Python
PowerShell
Bash
APIs
SQL


How to Get Hired at Nesto

  • Research nesto's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
  • Tailor your resume: Highlight Security GRC, risk management, TPRM, cloud security, and BCP/DR expertise effectively.
  • Showcase problem-solving: Prepare examples of complex risk mitigation and successful stakeholder influence.
  • Emphasize cloud security: Demonstrate strong understanding of GCP and cloud-native security controls.
  • Networking and referrals: Connect with nesto employees on LinkedIn for insider perspectives and potential referrals.
