MongoDB’s mission is to empower innovators to create, transform, and disrupt industries by unleashing the power of software and data. We enable organizations of all sizes to easily build, scale, and run modern applications by helping them modernize legacy workloads, embrace innovation, and unleash AI. Our industry-leading developer data platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available in more than 115 regions across AWS, Google Cloud, and Microsoft Azure. Atlas allows customers to build anywhere—on the edge, on premises, or across cloud providers. With offices worldwide and over 175,000 developers joining MongoDB every month, it’s no wonder that leading organizations, like Samsung and Toyota, trust MongoDB to build next-generation, AI-powered applications.
Position Overview
The Information Risk Analyst plays a critical role in supporting the information risk management strategy within the Governance, Risk, and Compliance (GRC) function. This role is responsible for performing comprehensive risk assessments, supporting the design and implementation of risk management strategies, and driving continuous improvement in the organization’s risk posture.
You will partner cross-functionally with IT, security, legal, other business stakeholders across MongoDB, and senior leadership to identify, assess, and manage risks related to information security, technology, and business operations. The ideal candidate brings analytical expertise, strong business acumen, and a passion for building scalable risk frameworks in a dynamic environment.
Why should you consider MongoDB?
This is a critically important role and a great opportunity to help build out an internal GRC Program and help scale MongoDB Inc. to support our customers’ needs. This position has significant growth potential and we’re looking for someone who is excited to take initiative and help lead.
Key Responsibilities/Position Expectations
Risk Assessment & Analysis
- Perform qualitative and quantitative risk analysis for systems, applications, business processes, vendors, and organizational changes.
- Lead risk assessments across various sources, including but not limited to:
  - Information security
  - Third-party/vendor risk
  - Regulatory and compliance-driven audit gap assessments and findings (e.g., ISO27001, NIST CSF, SOC 2, ISO9001, HDS, PCI, etc.)
  - Findings from internal assessments, security incidents, vulnerability scans, penetration tests, business continuity and disaster recovery (BC/DR) findings, and other sources
- Apply standardized methodologies and frameworks (e.g., FAIR, NIST, ISO) to determine risk severity and potential impact
Risk Management & Mitigation
- Collaborate with stakeholders to develop and document risk treatment plans, mitigation strategies, and timelines
- Track and monitor remediation progress, escalate overdue or high-risk items, and validate closure of risk items
- Continuously and effectively maintain and enhance the risk register and GRC tools with accurate, timely, and complete risk data
- Provide consultation on control effectiveness and risk mitigation best practices
Program Development & Enablement
- Support the maturation of the Information Risk Management program by contributing to:
  - The development & maintenance of policies, procedures, standards, and templates
  - Automation and improvement of assessment and reporting strategy
  - Design and launch of continuous risk assessment processes
- Assist in onboarding and educating stakeholders on risk processes and responsibilities
- Contribute to the development and delivery of risk reporting and dashboards for senior leadership and governance bodies
Stakeholder Engagement & Communication
- Become an effective part of the trusted advisory team to technical and non-technical stakeholders by providing risk guidance that is aligned to business objectives
- Facilitate risk discussions and presentations across various levels of leadership, stakeholders, and executive reporting groups
- Support awareness and training initiatives that strengthen the organization's risk culture
Position is expected to be remote, with an opportunity to go into the office if needed, and based on the candidate’s geographical location.
Candidate Profile
Required qualifications for the right candidate:
- Bachelor’s or Master’s degree in Information Security, Information Systems, Risk Management, or a related field
- 3–5 years of hands-on experience in information risk, security assessment, compliance, or related functions
- Strong understanding of risk frameworks (NIST RMF, ISO 27005, FAIR, etc.) and control standards (ISO 27001, NIST 800-53, CIS, etc.)
- Experience with GRC platforms (e.g., ServiceNow, JIRA, AuditBoard, etc.)
- Excellent analytical, writing, and communication skills, with the ability to synthesize technical details into executive-level summaries
- Demonstrated ability to communicate complex risk and security concepts clearly and effectively to senior leadership and non-technical stakeholders
- Proven ability to work independently and manage multiple priorities in a fast-paced environment
- Experience reviewing and understanding cloud environments (AWS, Azure, GCP) and associated risk considerations
Preferred (Not mandatory):
- Professional certifications such as Security Plus, CRISC, CISSP, CISA, or CISM
- Experience implementing the FAIR (Factor Analysis of Information Risk) model or a similar methodology, including risk quantification, data calibration, and integration with technical risk assessment processes and tools
- Experience supporting internal or external audits
- Familiarity with regulatory requirements (e.g., GDPR, DORA, HIPAA, SOX, PCI, ISO27001, ISO9001, FedRAMP)
Success Measures
The Information Risk Analyst will be successful in this role when they can execute the following strategic tasks:
- People:
  - Collaborate with leads to understand our customers' risk requests and necessary issues/gaps to address
  - Propose and implement improvements regularly that streamline risk intake, assessment, or reporting functions of the program once onboarded successfully
- Organization:
  - Support multiple parallel efforts and prioritize tasks based upon understanding of team needs
  - Produce clear, complete, and actionable risk reports with minimal revisions required from reviewers or management
  - Write risk statements that consistently meet internal standards (e.g., well-scoped, impact/loss scenarios defined, likelihood assessed)
  - Demonstrate consistent application of the organization's risk scoring methodology with minimal deviation upon peer or leadership review
  - Track and follow up on risk remediation plans to ensure items have an up-to-date status, appropriate ownership identified, and justification documented and verified
  - Support timely risk management decisions, which can be tracked to measurable reduction in residual risk over time
- Communication:
  - Successfully communicate recommendations and rationale to both technical and non-technical stakeholders
  - Maintain strong working relationships across technical and non-technical stakeholders; receive positive feedback in stakeholder surveys or project retrospectives
  - Facilitate risk discussions with cross-functional teams effectively
  - Prepare evidence and documentation for internal/external audits with no major findings attributable to risk assessment processes
- Research:
  - Gather and analyze feedback from internal stakeholders and develop pragmatic recommendations with respect to information risk initiatives
- Customer Service:
  - Ensure MongoDB’s GRC Program operates efficiently with minimal interruption to MongoDB teams. Provide great risk-related services (e.g., risk assessments, remediation discussions, reporting, data collection and analysis) when interfacing with other MongoDB teams
  - Deliver or support internal training, effective knowledge transfer sessions, or onboarding as required to support program growth, risk awareness, and GRC maturity
To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!
MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.
MongoDB, Inc. provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type and makes all hiring decisions without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
Req ID: 1263130290
MongoDB’s base salary range for this role is posted below. Compensation at the time of offer is unique to each candidate and based on a variety of factors such as skill set, experience, qualifications, and work location. Salary is one part of MongoDB’s total compensation and benefits package. Other benefits for eligible employees may include: equity, participation in the employee stock purchase program, flexible paid time off, 20 weeks fully-paid gender-neutral parental leave, fertility and adoption assistance, 401(k) plan, mental health counseling, access to transgender-inclusive health insurance coverage, and health benefits offerings. Please note, the base salary range listed below and the benefits in this paragraph are only applicable to U.S.-based candidates.
MongoDB’s base salary range for this role in the U.S. is:
$76,000—$149,000 USD
What We Do
The database market is big. How big? Well, according to IDC, it’ll reach $153 billion by 2027. And MongoDB is at the forefront of that innovation with thousands of customers across the globe. We empower developers and businesses to build and deploy the applications they want, wherever they want.
Why Work With Us
We are ambitious. We are passionate about creativity. And we believe the best paths are the ones we have yet to forge.
MongoDB Offices
Hybrid Workspace
Employees engage in a combination of remote and on-site work.
MongoDB provides multiple working model options for our employees, from the flexibility to work from home to opportunities for collaboration and social interaction in a MongoDB office.