Job Closed
This listing is no longer active.
Banking for startups: mercury.com
Information Security, Governance Risk, and Compliance Analyst
Location
United States + 1 moreAll locations: United States | Canada
Posted
1 day ago
Salary
$138.1K - $191.8K / year
Seniority
Mid Level
Job Description
Information Security, Governance Risk, and Compliance Analyst
Mercury
Role Description Security failures are rarely caused by a single technical mistake. More often, they stem from gaps in governance, risk management, operational discipline, and accountability. Strong GRC programs help prevent those failures by making security a business priority, not just a technical concern. Mercury is growing rapidly, and as we scale, we need to continue building resilience, strengthening governance, and improving the way we manage risk across the company. We have a strong foundation today, but the next phase of growth will require scalable programs, thoughtful controls, and cross functional partnerships that allow Mercury to move quickly without sacrificing security. We are looking for an Information Security GRC Analyst to help mature Mercury’s security, risk, and compliance programs. This is not a traditional compliance role focused only on audits and evidence collection. You will help build the systems, processes, and guardrails that support business continuity, customer trust, and long term resilience. In this role, you will: - Lead and support security risk assessments across products, systems, vendors, and business initiatives. - Partner with Engineering, Product, IT, Legal, Operations, and other teams to identify, evaluate, and mitigate risk. - Drive audit readiness and compliance initiatives across frameworks such as SOC 2, PCI DSS, NIST, CIS, and ISO 27001. - Conduct gap assessments against security and compliance frameworks, then build practical plans to close those gaps. - Design, implement, and mature scalable governance processes and security controls. - Help improve Mercury’s business continuity, resilience, and third party risk management programs. - Translate compliance and risk requirements into clear, actionable guidance for technical and non-technical stakeholders. - Identify opportunities to automate controls, evidence collection, and recurring GRC workflows. - Help ensure Mercury’s security program remains strong, efficient, and aligned with the speed of the business. Qualifications - Have experience scaling security, risk, compliance, or governance programs in a high growth SaaS, fintech, or cloud native environment. - Understand security frameworks such as SOC 2, PCI DSS, NIST, CIS, and ISO 27001, and can translate them into practical controls. - Bring strong ownership and project management skills, with a track record of driving cross functional initiatives from concept to completion. - Are comfortable creating structure from ambiguity and building programs or processes from scratch. - Take a risk based approach to decision making and can distinguish between theoretical risk and material business risk. - Communicate clearly with technical and non-technical stakeholders. - Have enough technical depth to partner effectively with engineers and evaluate security controls in cloud native environments. - Care about building security programs that enable the business rather than slow it down. Requirements - Tools and technologies you may work with: - AWS Config and AWS Audit Manager - GitHub - Vanta - GRC platforms and workflow tools - Cloud native security and compliance tooling Benefits - The total rewards package at Mercury includes base salary, equity, and benefits. - Our salary and equity ranges are highly competitive within the SaaS and fintech industry and are updated regularly using reliable compensation survey data. - New hire offers are made based on a candidate’s experience, expertise, geographic location, and internal pay equity relative to peers. - Our target new hire base salary ranges for this role are: - US employees in New York City, Los Angeles, Seattle, or the San Francisco Bay Area: $153,400 to $191,800 - US employees outside of New York City, Los Angeles, Seattle, or the San Francisco Bay Area: $138,100 to $172,600 - Canadian employees, any location: CAD 145,000 to CAD 181,300 Company Description Mercury is a fintech company, not an FDIC-insured bank. Banking services provided through Choice Financial Group and Column N.A., Members FDIC. Mercury values diversity & belonging and is proud to be an Equal Employment Opportunity employer. All individuals seeking employment at Mercury are considered without regard to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, sexual orientation, or any other legally protected characteristic. We are committed to providing reasonable accommodations throughout the recruitment process for applicants with disabilities or special needs. If you need assistance, or an accommodation, please let your recruiter know once you are contacted about a role.
Related Guides
Related Categories
Related Job Pages
More Security Analyst Jobs
• Manage and track infrastructure, security, and product certification projects, ensuring full lifecycle execution across Risk Management Framework (RMF), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry (PCI), Health Information Trust Alliance (HITRUST), International Organization for Standardization (ISO), and National Institute of Standards and Technology (NIST) frameworks • Develop, maintain, and deliver project documentation for Customer Service, DevOps, Information Assurance, and Executive leadership teams • Prepare and present monthly reports covering system compliance, security KPIs, audit readiness, and project status • Serve as a liaison between internal teams and customers, ensuring clear communication and alignment throughout complex security and compliance initiatives • Coordinate project schedules, facilitate cross-departmental tasks, and ensure all project phases are properly documented and completed • Support security programs aligned to Risk Management Framework (RMF) Step 1-6, Security Technical Implementation Guide (STIG) compliance, Assured Compliance Assessment Solution (ACAS)/Security Content Automation Protocol (SCAP) scanning, and NIST 800-53/171 control implementation • Contribute to FedRAMP Moderate/High authorization packages, System Security Plan (SSP) development, Plan of Action and Milestones (POA&M) management, and continuous monitoring activities • Assist with multi-framework compliance efforts including PCI DSS v4.0, HITRUST CSF, ISO 27001, Open Worldwide Application Security Project (OWASP) Top 10, and International Electrotechnical Commission (IEC) 62443 • Represent Information Assurance in internal and external meetings, proactively resolving conflicts and guiding teams through ambiguity • Perform other duties as assigned
• You will work inside our 24/7 Cyber Fusion Center, handling escalated security alerts, leading complex investigations for our managed customers across Google Security Operations (Chronicle) and our SOAR platform, and serving as a subject matter expert for the broader team. • Act as the primary point of escalation for our Tier 1 Analysts. • Investigate incidents end-to-end: Review complex alert context, gather evidence from Chronicle UDM and supporting tools, reach a final disposition, and either close the ticket with a documented rationale or escalate to Tier 3/Incident Response with a clear handoff. • Optimize investigation playbooks: Follow established playbooks for the detection stack, but actively identify gaps, propose workflow improvements. • Communicate clearly in tickets: Ensure all tickets are understandable by the next analyst, the customer, or an auditor reading it six months from now. • Lead communications through the ticketing system on routine and complex investigations, requests for information, and exclusion/suppression requests.
• Security Operations : Support the cybersecurity program, operate security tools, and create, execute, and manage security processes • Monitoring & Detection : Monitor security-related events, detect and respond to alerts and incidents, and analyze logs to identify threats and anomalies • Incident Response : Coordinate cyber incident response, work with external IR partners, conduct investigations, and perform high-level forensic analysis • Vulnerability Management : Manage the full vulnerability management process—assessments, analysis, reporting, prioritization, and coordination of remediation activities • Cloud Security : Ensure security of data and systems on-premises and in the cloud; implement and support cloud-aware security architecture • Exposure Assessment : Assess cybersecurity exposures of IT systems, conduct investigations, and prepare detailed reports • Reporting & KPIs : Assist in developing cyber-related reports and KPIs, collecting and analyzing system-generated data for designated audiences • Security Awareness : Support delivery of awareness programs develop training, build campaigns, report results, and provide recommendations • Policy Development : Support development, documentation, testing, and enforcement of cybersecurity policies, standards, and operations playbooks • Threat Intelligence : Stay current with cybersecurity landscape, analyze industry trends, and identify potential impact to technology systems and operations
• Collaborate with internal departments on Client related matters and provide detailed feedback from Clients back to BCD Information Security and the business • Be the point of contact for complaints and escalate issues as appropriate • Coordinate and champion Security Request for Proposal(RFP) database repository • Lead the development of RFP responses and evaluate responses for accuracy • Create and facilitate responses to customer inquiries originating from RFP and assessments • Keep up to date Information security databases/repositories using Ombud, Archer, OneTouch or other tools and collect and maintain necessary audit evidence • Lead internal and external security communication efforts within BCD Travel, provide formal responses to customer security inquiries, complete and participate in Client security assessments and handle information security audits, risk remediation and mitigation efforts • Be knowledgeable on Artificial Intelligence (AI) and possess skills to sift through data using analytical tools and techniques • Collaborate with stakeholders to ensure AI aligns with organizational values and expectations • Ensure AI controls are aligned, validating output results to ensure accuracy and integrity of information • Identify and report on AI-related risks and concerns associated with internal AI use to support clients and business related assessments • Work with the development, business, sales and legal teams and advise on design and maintenance of effective information security controls compliant with ISO 27001, NIST 800-53, PCI, SOC, GDPR • Support the Information Security goals and challenges of our organization by providing a bridge from the centralized security function to the business, and assist with creation of applicable standard operating procedures



