Security and Privacy Analyst [Remote-US]

The role

We’re seeking a motivated Security and Privacy Analyst concentrating in GRC, to join our growing Security and Privacy team. The role is responsible for supporting security and privacy compliance initiatives, conducting risk assessments, managing security policies, and assisting in the development and operation of our security and privacy compliance program. The GRC Analyst will play a key role in ensuring Quanata’s operations, products and services comply with applicable legal and regulatory requirements, and industry best practices.

The ideal candidate will also support technical compliance readiness across cloud and engineering environments, ensure regulatory alignment with national cybersecurity and privacy laws, and coordinate directly with internal and external auditors for security and privacy attestations and certifications (e.g., SOC 2, ISO 27001).

Your day-to-day

1. Support Security and Privacy Compliance: Assist in the development, implementation, and maintenance of security and privacy policies, procedures, and controls to ensure compliance with legal and regulatory requirements (e.g., GLBA, CCPA/CPRA, NAIC).
2. Conduct Risk Assessments: Perform security and privacy risk assessments on systems, applications, and processes, identifying potential risks and recommending mitigation strategies.
3. Policy Development and Management: Collaborate with cross-functional teams to develop and update security and privacy policies, ensuring they are aligned with industry standards and best practices, and manage policy exceptions.
4. Incident Response Support: Assist in the management of security and privacy incidents, including compliance issues, conducting investigations, analyzing the impact, and coordinating response efforts.
5. Privacy Program Support: Contribute to the ongoing development, implementation, and operation of the company's privacy program, including managing data privacy requests and ensuring compliance with privacy laws.
6. Regulatory Audit Coordination: Act as a point of contact for external audits and attestations involving technical security or privacy controls (e.g., SOC 2, ISO 27001, CCPA/CPRA), coordinating across product, infrastructure, and legal teams.
7. Collaboration and Reporting: Work closely with development, engineering, operations, legal, and other teams to ensure that security and privacy are integrated into all aspects of the company’s operations. Prepare reports and presentations on compliance and risk management activities for senior management.
8. Continuous Learning: Stay current with the latest developments in security and privacy regulations, technologies, and best practices, and share this knowledge with the team.

About you

• Bachelor’s degree in Information Security, Law, Business, or a related field, or equivalent relevant experience and;
• 3-5 years of experience in security, privacy, compliance, or risk management roles, with a focus on governance, risk, and compliance (GRC).
• Knowledge of security technologies, privacy regulations, and industry standards (e.g., ISO 27001, NIST CSF, SOC 2, CCPA/CPRA). Familiarity with cloud-native platforms (e.g., AWS, GCP) and infrastructure as code is a plus.
• Strong ability to conduct risk assessments, analyze security and privacy controls, and identify potential compliance issues.
• Excellent written and verbal communication skills, with the ability to produce clear and concise documentation and reports.
• Ability to work effectively with cross-functional teams and manage multiple tasks in a fast-paced environment.

Bonus points

• Relevant certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Privacy Professional (CIPP), Certified Information Systems Auditor (CISA), or Certified in Risk and Information Systems Control (CRISC), ISO 27001 Lead Implementer/Auditor.
• Experience leading technical control assessments or regulatory audits across engineering and DevOps environments.
• Experience in Regulated Industries: Familiarity with working in highly regulated industries such as insurance, finance, or healthcare.
• Experience using GRC automation tools for evidence collection, risk monitoring, and policy tracking.
• Technical Aptitude: Experience with security and privacy tools or services, cloud services, and automating compliance tasks is a plus.

Salary: $150,000 to $200,000*

*Please note that the final salary offered will be determined based on the selected candidate's skills, and experience, as well as the internal salary structure at Quanata. Our aim is to offer a competitive and equitable compensation package that reflects the candidate's expertise and contributions to our organization.

Additional Details:

• Benefits: We provide a wide variety of health, wellness and other benefits.These include medical, dental, vision, life insurance and supplemental income plans for you and your dependents, a Headspace app subscription, monthly wellness allowance and a 401(k) Plan with a company match.
• Work from Home Equipment: Given our virtual environment— in order to set you up for success at home, a one-time payment of $2K will be provided to cover the purchase of in-home office equipment and furniture at your discretion. Also, our teams work with MacBook Pros, which we will deliver to you fully provisioned prior to your first day.
• Paid Time Off: All employees accrue four weeks of PTO in their first year of employment. New parents receive twelve weeks of fully paid parental leave which may be taken within one year after the birth and/or adoption of a child. The twelve weeks is applicable to both birthing and non-birthing parent.
• Personal and Professional Development: We’re committed to investing in and helping our people grow personally and professionally. All employees receive up to $5000 each year for professional learning, continuing education and career development. All team members also receive LinkedIn Learning subscriptions and access to multiple different coaching opportunities through BetterUp.
• Location: We are a remote-first company for most positions so you may work from anywhere you like in the U.S, excluding U.S. territories. For most positions, occasional travel may be requested or encouraged but is not required. Some positions might require travel per the job description provided to the employee. Employees based in the San Francisco Bay Area or in Providence, Rhode Island may commute to one of our local offices as desired.
• Hours: We maintain core meeting hours from 9AM - 2PM Pacific time for collaborating with team members across all time zones.