Ivy Rehab Network

Security Engineer, GRC

White Plains, NY
Posted Yesterday
Full-time, onsite

Job Description

State of Location:

New York

Position Summary:

The Security Engineer will manage, scale, and automate our Governance, Risk, and Compliance (GRC) program supporting an organization of 7,500+ teammates across 750+ locations. This role focuses on building security policies, automating compliance workflows, and conducting third-party vendor risk assessments. Additionally, you will provide secondary engineering and analytical support to optimize our MSSP relationship, triage alerts, and refine SOC use cases.
This role is primarily remote, with occasional travel required for projects, collaboration, and team building.

Join Ivy Rehab’s dedicated team where you’re not just an employee, but a valued teammate! Together, we provide world-class care in physical therapy, occupational therapy, speech therapy, and applied behavior analysis (ABA) services. Our culture promotes authenticity, inclusion, growth, community, and a passion for exceptional care for every patient.

Job Description:

Responsibilities:

  • Lead the design, rollout, and continuous improvement of the internal GRC framework and security architecture.
  • Author, maintain, and help enforce information security policies, procedures, and control frameworks across the business.
  • Identify opportunities to automate compliance tracking, evidence collection, and risk reporting workflows to eliminate manual processes.
  • Ensure organizational alignment with industry standards (e.g., NIST CSF, HIPAA, HITRUST) and facilitate internal or external security assessments.
  • Own the end-to-end third-party risk assessment process; evaluate vendor security postures, SOC 2 reports, and risk profiles prior to onboarding.
  • Partner with legal, procurement, and business stakeholders to communicate vendor risks and negotiate necessary security safeguards.
  • Manage and monitor the Data Loss Prevention (DLP) solution; triage data exfiltration alerts and partner with business units to implement, enforce, and refine data classification schemas.
  • Drive the security awareness training strategy; oversee automated phishing campaigns, measure program effectiveness, and deliver tailored education to mitigate human risk.
  • Provide secondary support to SOC operations by validating alert triage and improving detection logic.
  • Collaborate to improve SIEM/SOC use cases, detection logic, and incident response workflows.

Qualifications:

  • Minimum 3-5 years of experience in Cybersecurity, with a focus on GRC or third-party risk management.
  • Bachelor’s degree in Cybersecurity, Computer Science, Information Systems, or a related field.
  • Excellent communication, collaboration, and problem-solving skills.
  • Relevant security certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM).
    • GIAC certifications, Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) are a plus.
  • Former NOC/SOC experience is highly desired.
  • Deep understanding of security frameworks and standards such as NIST CSF, HIPAA, HITRUST.
  • Proven ability to analyze vendor security documentation (SOC 2 Type II, SIG questionnaires, penetration test reports).
  • Experience utilizing GRC platforms (e.g., SmartSuite, Archer, ServiceNow GRC, or similar), low-code/no-code platforms, or scripting to automate security processes and compliance mapping.
  • Excellent communication and collaboration abilities – able to explain complex risk concepts to non-technical stakeholders and work cross-functionally to drive security initiatives.

We are an equal opportunity employer, committed to diversity and inclusion in all aspects of the recruiting and employment process. Actual salaries depend on a variety of factors, including experience, specialty, education, and organizational need. Any listed salary range or contractual rate does not include bonuses/incentive, differential pay, or other forms of compensation or benefits.

ivyrehab.com
