Cybersecurity GRC Analyst, Training & Awareness, FCH - IT - SECURITY

About the position Froedtert ThedaCare Health, Inc., a leading healthcare system located in Eastern Wisconsin, is seeking a Cybersecurity GRC Analyst, Training & Awareness professional to join the Cybersecurity Governance, Risk Management, and Compliance (GRC) team. This role is critical in promoting a robust security culture across the organization by designing, managing, and improving cybersecurity training and awareness programs. The successful candidate will focus on cybersecurity awareness, phishing program operations, cybersecurity training, and GRC concepts while fostering cultural engagement and workforce behavioral change through creative and innovative initiatives. You will partner with cross-functional teams to address cybersecurity risks in clinical and non-clinical environments, ensure regulatory compliance, and contribute to the harmonization of cybersecurity programs across the Froedtert ThedaCare ecosystem.

Responsibilities

• Develop, implement, enhance, and manage a comprehensive Cybersecurity Training and Awareness framework tailored to healthcare's unique risks and regulatory landscape (e.g., HIPAA, PCI DSS, and Joint Commission requirements).
• Design role-based training for diverse audiences, including clinicians, administrative staff, IT teams, and executives.
• Continuously refine training materials to incorporate emerging threats, organizational changes, and stakeholder feedback.
• Build, enhance, and execute a dynamic, reality-based phishing simulation program, addressing sector-specific threats such as ransomware and patient data phishing schemes.
• Analyze simulation metrics and provide actionable insights to improve employee awareness and reduce risks.
• Develop and maintain educational material to support cybersecurity initiatives and training activities.
• Deliver targeted follow-up training for individuals or teams with repeated simulation failures.
• Develop multimedia content, including videos, infographics, and gamified training, to drive engagement and retention.
• Design and execute large-scale security awareness campaigns, ensuring alignment with cultural transformation goals.
• Partner with leadership to create impactful security messaging and content tailored to high-risk roles.
• Ensure training programs align with healthcare-specific regulations and standards, including HIPAA, PCI DSS, and Joint Commission requirements.
• Collaborate with Compliance and Legal teams to embed security awareness into broader compliance initiatives.
• Provide support for audits and regulatory reviews by showcasing training program effectiveness.
• Develop and maintain KPIs and dashboards to measure the success of training programs and awareness initiatives.
• Conduct quarterly and annual program reviews to identify opportunities for innovation and enhancement.
• Prepare reports and presentations for leadership to highlight program impact and align with organizational goals.
• Partner with IT, Risk Management, and Clinical Operations teams to ensure training initiatives integrate seamlessly across the organization.
• Lead security awareness efforts during organizational transitions, such as the Froedtert-ThedaCare merger, ensuring program consistency and harmonization.
• Act as a trusted advisor to business units, translating complex cybersecurity topics into actionable guidance.
• Assist with routine GRC activities, such as monitoring risk registers, supporting audit preparation, and reviewing policy exception requests.
• Collaborate with the Risk Management team to align training efforts with identified risk scenarios, ensuring targeted mitigation strategies.
• Support the documentation and dissemination of cybersecurity policies, standards, and procedures.
• Assist in the lifecycle management of GRC documentation, ensuring alignment with training content and awareness initiatives.

Requirements

• 1 - 3 years of experience in a related field.
• BA in Computer Science or related field is required or equivalent acquired through combination of education and experience.
• In-depth knowledge of healthcare regulations and cybersecurity frameworks, including HIPAA, HITECH, NIST CSF, and HITRUST.
• Proficiency with phishing simulation platforms (e.g., KnowBe4) and LMS tools.
• Familiarity with behavioral analytics and metrics for tracking training effectiveness.
• Exceptional written and verbal communication skills, with the ability to craft messaging for technical and non-technical audiences.
• Experience creating multimedia content (e.g., video editing, graphic design) for awareness campaigns.
• Public speaking skills and confidence in presenting to diverse audiences.
• Strong problem-solving and critical-thinking skills for addressing complex training needs.
• Experience developing data-driven strategies to improve training program impact and employee behavior.
• Demonstrated ability to collaborate across diverse teams and levels of leadership.
• Self-starter with the ability to work indep