GRC / TrustOps Analyst

Shift is the leading AI platform for insurance.  Shift combines generative, agentic, and predictive AI to transform underwriting, claims, and fraud and risk - driving operational efficiency, exceptional customer experiences and measurable business impact.  Trusted by the world's leading insurers, Shift delivers AI when and where it matters most, at scale and with proven results.

Our culture is built on innovation, trust, and a drive to transform the insurance industry through our SaaS platform. We come from more than 50 different countries and cultures and together we are creating the future of insurance.

The security team is a critical component of Shift Technology as no organization is immune to cyber-crime. The team is responsible for protecting information throughout the security infrastructure, edge devices, networks, and data. We strive to stay up to date with the latest tactics hackers are employing in the field in order to prevent data breaches by monitoring and reacting to attacks but the first step is finding the most qualified professionals to lead the way.

DESCRIPTION

As a GRC/TrustOps Analyst, you will be a key member of Shift's security program, focused on executing and supporting our security governance framework. You will assist with security and privacy compliance activities, help conduct risk assessments, and operate our third-party security assurance program. This role is essential for the day-to-day operations that ensure Shift meets its regulatory obligations and proactively demonstrates security to maintain customer trust. As part of the Information Security department, this role reports to the CISO.

RESPONSIBILITIES

Customer Trust & External Assurance

• Manage the end-to-end intake, completion, and quality assurance of customer-facing security questionnaires (e.g., SIG, CAIQ, custom client forms).
• Maintain and expand standardized, reusable security response libraries and knowledge bases to improve response time and consistency.
• Curate, update, and proactively deliver audit-ready evidence packages for clients and prospects.
• Pull, validate, and aggregate data from internal systems to produce reports, decks, and support external security reporting.
• Maintain dashboards and manage recurring metric updates for the security program.
• Track and report on key risk indicators (KRIs) and key performance indicators (KPIs) for internal and external stakeholders.

Governance & Policy Management

• Promote a mind-set of security and compliance by assisting with knowledge sharing and acting as a resource for other teams.
• Support the development and execution of the security awareness plan and related activities.

Risk Management & Security Assurance

• Contribute to the maintenance of the ISMS and security assurance plan by executing assigned tasks and providing feedback.
• Execute security control evaluations and testing based on established procedures to validate their effectiveness.
• Support routine GRC Ops and Risk Management activities

Compliance & Audits

• Support internal and external audits (e.g., ISO 27001, SOC 2) by gathering evidence, coordinating with internal teams, and tracking requests.
• Perform analysis and compile documentation and evidence to demonstrate the compliance level of systems, services, and controls.
• Assist in tracking the remediation of audit findings to ensure they are addressed in a timely manner.

Third-Party Risk Management

• Execute the third-party information security assurance process, including sending assessments, reviewing responses, and documenting results.
• Contribute to the improvement of the Third-Party Risk Management (TPRM) process based on operational feedback.

SKILLS & BACKGROUND

Experience & Education

• 2+ years of proven experience in a GRC, IT Audit, Security Assurance, or a similar role in a SaaS or Financial Services company - apprenticeship experience is acceptable
• Bachelor's Degree in a relevant field or equivalent work experience.
• Professional certifications (e.g., CIPP/E, CIPP/US, CIPT, CISA, CISM, CRISC) are a plus, or the candidate should be actively working towards one.
• Direct experience with GRC management software, (e.g. Drata, Vanta).

Knowledge & Frameworks

• Strong familiarity with security and privacy frameworks is required (e.g., ISO 27001/ISO27701, SOC 2, NIST CSF, HIPAA, GDPR).
• Direct experience supporting formal audit and certification processes.
• Direct experience responding to customer security questionnaires and managing a security response library.
• Experience executing tasks within a Third-Party Risk Management (TPRM) program.

Core Competencies

• Strong communication skills, with the ability to clearly explain security and compliance concepts to others.
• Highly organized with great attention to detail, capable of managing multiple tasks and requests simultaneously.
• A collaborative team player who can work effectively with a variety of stakeholders.
• An analytical mindset with the ability to pull, analyze, and visualize data, track metrics (KPIs/KRIs), and identify areas for improvement.

Recruitment Process

• TA Interview
• Security team interview
• Technical / Team interview

To support our permanent, full time employees at every stage of their careers and lives, we provide a competitive total rewards and benefits package. Here are the global benefits we'd like to highlight:

• Flexible remote and hybrid working options
• Competitive Salary and a variable component tied to personal and company performance
• Company equity
• Multiple Learning and Development opportunities, including Focus Fridays, a half-day each month to focus on learning and personal growth
• Generous PTO and paid holidays
• Mental health benefits
• 2 MAD Days per year (Make A Difference Days for paid volunteering)

Additional benefits may be offered by country - ask your recruiter for more information. Intern and Apprentice position are eligible for some of these benefits - ask your recruiter for more details.

At Shift we strive to be a diverse and inclusive workforce.
We welcome applications from and hire people who will contribute to the diversity of our company,
without regard to race, color, religion, marital status, age, national or ethnic origin, physical or mental disability, medical condition, pregnancy, genetic information, gender identity or expression, sexual orientation, or other non-merit criteria.

Shift Technology is committed to providing reasonable accommodations for qualified individuals with disabilities in our application and employment process. Should you require accommodation, please email - and we will work with you to meet your accessibility needs.

Please be aware of scammers and only trust correspondence that comes from emails ending in "shift-". We will never do initial outreach to you via Whatsapp/Text/SMS, never ask for banking information or personal identification numbers (ex. Social Security Number) as part of our recruitment process.

Shift Technology does not accept unsolicited CVs from recruiters or employment agencies in response to the Shift Technology Careers page or a Shift Technology social media post. Any unsolicited CVs, including those submitted directly to hiring managers, are deemed to be the property of Shift Technology.