• Monitor, investigate, and respond to security alerts and incidents across systems, networks, and cloud environments. • Perform regular vulnerability assessments, patch verification, and risk remediation tracking. • Support security awareness programs and ensure employees adhere to company security policies, procedures and standards. • Assist in managing endpoint security tools (EDR, DLP, MDM, etc.) and identity/access management systems. • Collaborate with IT, DevOps, and engineering teams to implement secure configurations, code reviews, and cloud security best practices. • Conduct periodic access reviews and support audit and compliance efforts (SOC 2, ISO 27001, etc.). • Document incident response actions and recommend process improvements. • Contribute to risk assessments and control testing for new vendors, applications, and systems. • Stay current on emerging threats, vulnerabilities, and regulatory requirements impacting the business. • Demonstrate a business-first mindset.

• Administer and enhance the user access review process to identify and address access control issues effectively. • Draft, refine, and socialize policies/standards (access control, change management, vendor security, incident response, data privacy); maintain clear SOPs and RACI. • Prepare high‑quality evidence, narratives, and diagrams; coordinate with auditors/assessors; manage requests and deadlines. • Participate in Incident response efforts by conducting log analysis, gathering evidence, and executing remediation tasks. • Build dashboards for control health, User Access Reviews completion, vendor coverage, GDPR compliance metrics, and audit findings; present insights to InfoSec leadership and stakeholders. • Automate evidence collection and access reviews where possible; propose control enhancements that improve security and reduce operational toil. • Deliver security awareness presentations for both technical and non-technical users. Actively contribute to ongoing information security education through diverse methods such as phishing simulations, annual training sessions, on-demand courses, and workshops. • Support Governance, Risk, and Compliance (GRC) initiatives by implementing controls and gathering necessary evidence, and control testing. • Support InfoSec Risk Issue Intake process to assess and risk rank new issues, identify and document mitigation plans/timelines with risk owners and SMEs, and track to resolution. • Support quarterly user access review process (UARs) for SOX systems and ensure tickets are tracked to resolution and actioned within audit requirements. Complete lookback analysis where necessary • Support Data Loss Prevention process by triaging and investigating alerts in the Mimecast/Code42 solution. • Lead and coordinate GDPR compliance activities including Data Protection Impact Assessments (DPIAs), Records of Processing Activities (RoPA), data subject rights requests, and privacy audits. • Manage the Third Party Risk Management (TPRM) program including vendor security assessments, ongoing risk monitoring, review of vendor attestations (SOC 2, ISO 27001), and maintenance of the vendor risk register. • Conduct comprehensive security assessments of third-party vendors using standardized questionnaires and frameworks; work with vendors on remediation of identified gaps. • Participate in an on-call rotation to address security incidents and escalations promptly.

• Own the end-to-end process for all client and prospect security questionnaires, acting as the central project manager from the initial JIRA ticket to final delivery. • Review, triage, and assign all questions to the appropriate cross-functional teams (e.g., Engineering, IT, Legal), eliminating ambiguity and coordination burdens from the Client Success Managers (CSMs). • Collaborate with and track progress from all internal stakeholders, actively managing timelines to ensure responses are accurate and completed within established SLAs. • Perform final quality assurance (QA) reviews on all completed questionnaires to ensure the document is cohesive, professional, and all questions are answered before client delivery. • Partner with GRC leadership to develop, document, and refine standardized workflows, creating clear success metrics (e.g., reduced turnaround time). • Act as the primary point of contact for the Sales and Client Success teams on all security-related inquiries, including escalations for new sales and upsell deals. • Represent the cybersecurity team on calls with clients and prospects, acting as the expert to address security concerns and build trust. • Develop, maintain, and promote a "Trust Center" (e.g., using Whistic) by centralizing existing "Go-To-Market Packet" and other documentation to proactively address common security questions. • Manage the intake process for security reviews of non-standard client agreements, collaborating with Legal to formalize the review of data security and AI clauses. • Support the Third-Party Risk Management (TPRM) program by helping to manage automated workflows that flag high-risk vendors for GRC review. • Assist in communicating and enforcing the required Third-Party Security Addendum (TPSA) for new vendors.

• Create, modify, and maintain Epic user records and assign appropriate security based on IS best-practice standards • Review, update, and manage role-based access requirements to ensure least-privilege access • Troubleshoot and resolve complex user access and security issues in a timely, customer-focused manner • Communicate clearly and professionally with peers, leadership, and end users regarding access requests, issues, and resolutions • Support small and large-scale Epic Security and provider file projects • Develop, maintain, and update knowledgebase articles and process documentation • Participate in security audits, reviews, and ongoing process improvement initiatives • Perform additional duties as needed to support the success of the IS Security team