Technology Governance, Risk & Compliance (GRC) - Sr. Analyst
The Peloton Enterprise Technology Team is expanding and transforming its risk management, compliance and security capabilities and resources. We are investing in these areas to address an ever increasing cybersecurity threat landscape, as well as regulatory compliance requirements as the company continues to grow.
The Enterprise Technology Governance, Risk & Compliance (GRC) Senior Analyst is a critical position within the team, and has GRC responsibilities from a technology and security perspective across the organization globally. Working closely with the Director of GRC, Enterprise Technology team and stakeholders across the organization, this position will be responsible for building and enhancing the GRC portfolio of efforts to raise the overall security and compliance posture for Peloton. This individual will be directly responsible for implementing, maintaining and improving technology risk management and third party risk management frameworks, controls and tools. The Senior Analyst brings experience of well-known best practices around risk management, understands how to adhere to complex compliance requirements and can combine these factors into an implementation strategy that is right-sized for the business.
The role will work across multiple risk/security frameworks and regulatory standards including, but not limited to NIST CSF, NIST 800-37, ISO 27001 and COSO. This individual will partner with Engineering, Finance, General Counsel, Audit and other stakeholders globally to implement new solutions and processes as well as remediate outstanding issues.
JOB DUTIES:
- Under direction of the GRC Director, the role is responsible for managing the strategy, projects and operations of the technology risk management and third party risk management programs.
- Responsible for partnering with the Enterprise Risk Management function to further build out the risk methodology and framework, and placing it into action in an agile manner.
- Leads risk analysis sessions in order to technically understand current and future state technology risks associated with software engineering development, usage and customization of third party tools as well as the risks surrounding the creation, storage or transfer of sensitive data.
- Needs to embed with technology focused teams and business stakeholders to understand risks to critical infrastructure and data by defining the potential business impact and is responsible for defining and partnering to craft effective mitigation strategies.
- Works closely with the Information Security product and enterprise engineering teams to identify and review potential security control weaknesses and vulnerabilities found in scans in order to document and track the risks, and develop structured processes to reduce the risk to an acceptable level of residual risk.
- Mature and expand the third party risk management program and manage day-to-day operational activities around reviewing vendors in order to streamline due diligence and automate processes with tools.
- Understanding of qualitative vs. quantitative risk management and inherent vs. residual risk in order to properly determine and report on technology risk levels.
- Maintains updated knowledge in the field of risk management and compliance to efficiently work on frameworks including NIST CSF, NIST 800-37, ISO 27001 and COSO.
- Must stay current with industry, regulatory, and legal requirements relevant to security and compliance.
REQUIREMENTS:
- 7+ years of experience working in a similar technology focused industry or within a consulting firm
- Strong technical knowledge of all aspects of technology and third party risk management
- Experience internally managing projects or advising programs to effectively establish risk management frameworks and practices in a highly technical organization
- Experience aligning an organization to NIST 800-37, ISO 27001 and/or COSO
- Strong degree of comfort working alongside an agile software engineering team to advise on risk mitigation strategies
- Knowledge of cloud infrastructure platforms (e.g. AWS) and major SaaS applications (e.g. SAP) in order to identify key risk areas and treat them appropriately is a plus
- Ability to manage third party risk operations on a daily basis with hands-on experience performing security and privacy due diligence reviews of vendors
- Experience designing and operating a business continuity / disaster recovery program from a technology perspective is a plus.
- Knowledge of JIRA and Confluence preferred
- Experience working on a Scrum team
- One or more of the following certifications is preferred: CISA, CISM, CISSP
ABOUT PELOTON:
Peloton uses technology + design to connect the world through fitness, empowering people to be the best version of themselves anywhere, anytime. We have reinvented the fitness industry by developing a first-of-its-kind subscription platform. Seamlessly combining hardware, software, and streaming technology, we create digital fitness and wellness content and products that Members love. In 2020 Peloton committed to becoming an antiracist organization with the launch of the Peloton Pledge. Learn more, here.
“Together We Go Far” means that we are greater than the sum of our parts, stronger collectively when each one of us is at our best. In order to be the best version of Peloton, we are deeply committed to building a diverse workforce and inclusive culture where all of our team members can be the best version of themselves. This work has no endpoint; it is the constant work of running an organization that strives to reach its full potential. As a first step in our commitment, we announced the Peloton Pledge to invest $100 million over the next four years to fight racial injustice and inequity in our world, and to promote health and wellbeing for all, from the inside out.
Peloton is an equal opportunity employer and committed to creating an inclusive environment for all of our applicants. We do not discriminate based upon race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics. If you would like to request any accommodations from application through to interview, please email: [email protected]
Please be aware that fictitious job openings, consulting engagements, solicitations, or employment offers may be circulated on the Internet in an attempt to obtain privileged information, or to induce you to pay a fee for services related to recruitment or training. Peloton does NOT charge any application, processing, or training fee at any stage of the recruitment or hiring process. All genuine job openings will be posted here on our careers page and all communications from the Peloton recruiting team and/or hiring managers will be from an @onepeloton.com email address.
If you have any doubts about the authenticity of an email, letter or telephone communication purportedly from, for, or on behalf of Peloton, please email [email protected] before taking any further action in relation to the correspondence.
Peloton does not accept unsolicited agency resumes. Agencies should not forward resumes to our jobs alias, Peloton employees or any other organization location. Peloton is not responsible for any agency fees related to unsolicited resumes.