Cybersecurity GRC Analyst

Ontario Medical Association • Hybrid - Toronto, ON, CA
3 hours ago
Job type
  • Permanent
Job description

Are you looking to join one of Greater Toronto’s Top 2026 Employers?

The Ontario Medical Association (OMA) advocates for and supports doctors, seeking to strengthen their leadership role in caring for patients.

We continually seek to be the trusted voice in transforming Ontario’s health-care system by courageously pursuing best practices, new ideas, solutions, and opportunities to improve.

Job summary

This position is responsible for strengthening the Ontario Medical Association’s (OMA) information security governance, risk, and compliance program by operating within the second line of defense to provide oversight, independent validation, and risk-based advisory.

Working within the Technology department and in close collaboration with the Information Security team, enterprise risk management, service providers, and business stakeholders, the role ensures cybersecurity risks are effectively identified, assessed, and managed across the organization.

It supports audit and regulatory readiness while embedding strong security practices and enabling the secure adoption of technology, including emerging areas such as artificial intelligence (AI).

The Cybersecurity GRC Analyst advances the OMA’s strategic vision by fostering cross-functional collaboration, promoting business agility, and influencing stakeholders to safeguard sensitive information.

How you will make a difference

Governance, Risk, Compliance (GRC):
  • Maintaining and continuously improving cybersecurity policies, standards, and controls, ensuring alignment with recognized frameworks such as CIS, NIST, and ISO 27001.
  • Serving as the primary point of contact for cybersecurity-related audits, coordinating activities including evidence collection and remediation tracking.
  • Overseeing security exception and risk acceptance processes.
  • Integrating governance for artificial intelligence (AI) and emerging technologies into existing frameworks, including assessing associated organizational risks and providing guidance on regulatory and ethical considerations.

Cyber Risk Governance & Reporting:
  • Maintaining the enterprise cybersecurity risk register, including risk ratings, remediation expectations, and escalation thresholds.
  • Assessing and documenting risks arising from vulnerabilities, incidents, third-party findings, and control gaps.
  • Developing and maintaining cybersecurity dashboards, key risk indicators (KRIs), and key performance indicators (KPIs).
  • Providing regular reporting to senior leadership on emerging cybersecurity risks and overall security posture.

Vulnerability and Application Risk Oversight:
  • Maintaining visibility of vulnerabilities across infrastructure, cloud, and applications, and assessing business impact, particularly related to sensitive data exposure.
  • Tracking remediation progress, escalating overdue critical items, and documenting residual risk and risk acceptance where remediation is deferred.

Application and data security oversight:
  • Overseeing controls protecting sensitive data, including personal and health information (PII/PHI).
  • Collaborating on data governance initiatives, including data classification and data loss prevention (DLP), and reporting on application and data-related risks.
  • Working closely with the Senior Security Architect to conduct threat modeling for new and existing applications and validate secure coding practices, SAST/DAST scanning, and remediation effectiveness.
  • Reviewing and reporting on application risks related to identity and access management, API security, data protection, and third-party dependencies.

Identity, Incident & Operational Control Oversight:
  • Overseeing quarterly privileged access and identity certification reviews.
  • Reviewing major incident reports, validating root cause analysis and corrective actions.
  • Monitoring recurring control failures and systemic weaknesses across infrastructure, applications, and AI systems.

Third-Party Risk & Security Awareness:
  • Conducting third-party cybersecurity risk assessments, including vendors providing AI-enabled services.
  • Monitoring remediation commitments and risk acceptance documentation.
  • Facilitating periodic technical and management tabletop exercises.
  • Supporting phishing simulations and broader cybersecurity awareness initiatives.

Requirements that are important to us

  • University degree in Information Technology, Computer Science, Computer Engineering, or an equivalent
  • Six to nine years of relevant experience in information security and IT, including experience in a GRC-focused role supporting enterprise environments (endpoint and identity security)
  • Maintains one or more active, industry-recognized certifications (e.g., CISSP, CRISC, CISA, Certified Ethical Hacker, or equivalent)
  • Additional certifications considered an asset include CISM, ISACA Advanced in AI Security Management (AAISM), ITIL, PMP, or an MBA (or equivalent)
  • Experience working with Microsoft Security and Compliance solutions
  • Strong experience in identity governance and conditional access (e.g., Entra ID)
  • Hands-on experience with XDR tools and familiarity with SIEM/SOAR platforms, including automated workflows/playbooks
  • Solid understanding of Zero Trust security principles and modern security architectures
  • Knowledge of MITRE ATT&CK and experience with threat modeling methodologies
  • Exposure to or experience with AI-driven security tools and controls is an asset
  • Experience with API-based integrations and automation (e.g., REST, Microsoft Graph API)
  • Strong knowledge of cyber risk management, cybersecurity frameworks, and business continuity practices, including BCP and Disaster Recovery (DR)
  • Demonstrated business acumen with strong analytical, problem-solving, and decision-making skills
  • Excellent communication and presentation skills, with the ability to effectively influence and collaborate with both technical and non-technical stakeholders

The OMA has moved to a permanent hybrid work environment. As such, the individual in this position will be required to work a minimum number of days in our Toronto office.

What do we have to offer you?

  • A work environment whose values are to be respectful, bold, responsive, and transparent in our work and our behaviours
  • A fantastic opportunity to grow with the team and help shape the strategic direction of the OMA, its members and the health-care system
  • An organization that is committed to the equity, diversity and inclusion principles of humility, accountability, collaboration, courage and integrity
  • A commitment to growth and development through paid professional development and continuous in-house learning
  • A friendly and flexible hybrid work environment
  • Competitive total rewards package including a hiring salary range of $92,835 - $98,640 plus pension plan and a bonus program
  • Exceptional group benefits package, including a spending account and a robust wellness program
  • An organization that has been recognized as one of Greater Toronto’s Top Employers for six consecutive years

As a condition of employment, OMA conducts background checks and reference checks for all open positions.

We're excited to share this opportunity, which is for a newly created position on our team.

Kindly be advised that our recruitment process does not involve the use of Artificial Intelligence.

The Ontario Medical Association is strongly committed to diversity within its community and welcomes applications from racialized persons/persons of colour, women, Indigenous People of North America, persons with disabilities, LGBTQ2S+ persons, and others who may contribute to the further diversification of ideas.

In accordance with the AODA Act, accommodation will be provided throughout the recruitment process to applicants with disabilities.
