Description

Analysis Group

However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities.
Please view Equal Employment Opportunity Posters provided by OFCCP here.
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant.
Manager, Information Security Compliance & Risk

US-MA-Boston

Job ID: 2026-2834
Type: Regular or Sign on
Category: IT Security
Boston

Overview

Analysis Group is one of the largest international economics consulting firms, with more than 1,500 professionals across 15 offices in North America, Europe, and Asia. Since 1981, we have provided expertise in economics, finance, health care analytics, and strategy to top law firms, Fortune Global 500 companies, and government agencies worldwide. Our internal experts, together with our network of affiliated experts from academia, industry, and government, offer our clients exceptional breadth and depth of expertise.

The Manager, Information Security Compliance and Risk is responsible for leading the firm's Governance, Risk, and Compliance (GRC) program, including regulatory compliance, enterprise risk management, and assurance activities that support client requirements and regulatory obligations.

This role also serves as the primary owner of Information Security AI governance, ensuring that the firm's use of AI and machine learning technologies aligns with security, privacy, regulatory, and client expectations.

The role manages a team of three Information Security Analysts and owns SOC 2 and ISO 27001 certification programs, while partnering closely with Legal, Compliance, Privacy, IT, and Security Engineering and Operations to ensure effective control design, evidence collection, risk management, and continuous improvement.

Responsibilities:

Governance and Compliance Leadership

• Own and maintain the firm's information security governance framework, including policies, standards, and procedures.
• Lead annual SOC 2 and ISO 27001 audit cycles, including audit readiness, evidence coordination, and remediation tracking.
• Ensure ongoing compliance with client, regulatory, and contractual information security requirements.
• Manage policy exceptions, risk acceptances, and documentation of compensating controls.

Regulatory Authorization and Assurance

• Lead the renewal and ongoing maintenance of government and client security authorizations, attestations, and approvals required for regulated engagements.
• Coordinate cross-functional evidence collection and control validation to support authorization renewals and periodic reassessments.
• Track authorization requirements, renewal timelines, and control changes to ensure continuous eligibility for regulated work.

AI Security Governance

• Lead the Information Security AI governance program, ensuring secure, responsible, and compliant use of AI technologies across the firm.
• Partner with Legal, Privacy, Compliance, and business stakeholders to define and maintain AI security requirements, risk assessments, and usage standards.
• Establish and maintain security controls for AI-enabled tools, including data handling, access controls, model usage restrictions, and third-party AI risk.
• Support client and regulatory inquiries related to AI security posture and governance practices.
• Track emerging AI-related regulatory and security requirements and assess their impact on firm policies and controls.

Risk Management

• Maintain and mature the enterprise information security risk register.
• Facilitate periodic risk assessments, including risks associated with AI usage, data processing, and third-party technologies.
• Develop and report meaningful risk metrics and dashboards for leadership review.
• Translate technical and operational risks into clear business-impact language.

Third-Party and Emerging Risk Governance

• Oversee third-party security risk management in partnership with Legal.
• Lead structured reviews of vendor security posture, including AI and SaaS providers.
• Track remediation plans and ongoing monitoring of third-party and AI-related risks.

Audit and Assurance Coordination

• Serve as the primary liaison for internal and external audits related to information security.
• Coordinate evidence collection across IT, Security Engineering, Privacy, and business stakeholders.
• Track findings, corrective actions, and continuous improvement initiatives.

Team Leadership

• Directly manage three Information Security Analysts.
• Set priorities, provide mentorship, and support professional development.
• Establish consistent processes, documentation standards, and performance expectations across the GRC function.

Cross-Functional Collaboration

• Partner closely with Security Engineering and Operations to align governance requirements with technical controls.
• Work with Legal, Compliance, Privacy, and Data Science teams on regulatory interpretation and AI governance requirements.
• Support client security inquiries, assessments, and due diligence requests.

Expected Outcomes

• Sustained audit readiness for SOC 2 and ISO 27001 with minimal disruption.
• Clear, measurable visibility into information security and AI-related risk posture.
• Consistent, scalable governance processes supporting firm growth and responsible AI adoption.
• Strong alignment between governance requirements and operational security controls.

Qualifications & Skills

• Bachelor's degree required; degree in information security, risk management, or a related field preferred.
• 7 to 10 years of experience in information security, GRC, audit, or risk management required.
• Prior experience managing SOC 2 and or ISO 27001 programs required.
• Demonstrated people management or team leadership experience.
• Professional certifications such as CISSP, CISM, CRISC, CGRC, or ISO 27001 Lead Implementer or Auditor.
• Experience with GRC platforms and risk management tooling.
• Experience supporting AI governance, data governance, or emerging technology risk programs.
• Experience supporting client-driven security assessments in a professional services environment.
• An inclusive and growth-oriented mindset, strong interpersonal skills, and an ability to work across differences.
• To the extent permitted by applicable law, eligible candidates must be authorized to work in the United States without sponsorship or restriction, now and in the future.

Analysis Group embraces equal opportunity. We are committed to building teams that bring a variety of backgrounds, perspectives, and skills, as we believe that a strong and inclusive workforce directly supports our goal of providing the highest-quality work. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or any other class protected under applicable federal, state, or local law, and we encourage candidates of all backgrounds to apply.

Analysis Group offers competitive compensation and a comprehensive benefits package. The estimated salary range for this position is $175,000$200,000. Compensation offered will be based on a number of factors including work experience, education, and skill level. This role is eligible for a discretionary annual bonus that is determined in large part by individual performance. To learn more about our benefit offerings, click here.

#LI-Hybrid

Responsibilities

For information about Analysis Group's privacy practices, please refer to the applicable Analysis Group privacy policy.

PI281797327