Navan

Security Governance Analyst

Posted 3 Hours Ago
Hybrid
London, Greater London, England
Junior
The Security Governance Analyst will execute security awareness programs, manage policy lifecycles, conduct phishing simulations, and collaborate across teams to enhance organizational security posture and compliance.
The summary above was generated by AI

Navan is looking for a Security Governance & Awareness Analyst to join our team and execute the day-to-day operations of our security awareness programs and policy management lifecycle. You will own the operational delivery of phishing simulations, targeted training campaigns, and policy review cycles—focusing on defending against modern threats like AI-generated social engineering while maintaining our regulatory and compliance posture.

Sitting at the intersection of Security Culture and Compliance, you will be responsible for operational execution while collaborating closely with your manager on program strategy. This is a role for someone with strong program management skills, excellent communication abilities, and an eye for detail—with increasing emphasis on leveraging AI tools to amplify impact and efficiency.

What You’ll Do:

Security Awareness Operations: Lead the day-to-day execution of phishing simulations and mandatory training, focusing on modern threats like AI-generated social engineering, deepfake audio/video, and sophisticated LLM-based phishing.

Targeted Training Programs: Develop and deliver specialized training for high-risk employee groups (e.g., Helpdesk, Sales, Call Centers) to defend against account takeover, identity verification bypass, and customer data targeting.

Policy Lifecycle Management: Own the operational cycle for all security policies, standards, and procedures—ensuring documents are reviewed, updated, and published on schedule with proper version control and stakeholder feedback.

Compliance Documentation: Maintain the centralized policy repository and ensure policies align with SOC 2, ISO 27001, PCI-DSS, and evolving AI governance standards for audit readiness.

Security Communications: Design and distribute internal security alerts, manage the security and compliance newsletter, and create engaging content about emerging threats for diverse stakeholders.

Metrics & Reporting: Compile and analyze data on simulation success rates, training completion, and policy compliance for executive-level reporting and program optimization.

Cross-Functional Collaboration: Partner with Legal, HR, and Engineering to collect policy feedback and coordinate awareness initiatives across the organization.

What We’re Looking For:

Experience: 2–4 years in Security Awareness, Corporate Training, or GRC, with a track record of executing awareness programs and managing policy lifecycles.

Communication Excellence: Strong written and verbal skills to create clear policies, design engaging training content, and effectively communicate with stakeholders at all levels.

Modern Threat Knowledge: Strong understanding of contemporary social engineering tactics, including deepfakes, AI-driven phishing, vishing, and identity verification attacks.

Platform Experience: Hands-on experience with Security Awareness platforms (e.g., Adaptive, KnowBe4, Proofpoint) and Policy Management software for training delivery and document control.

Program Management: Proven ability to manage multiple concurrent initiatives in a fast-paced environment, from phishing campaigns to policy review cycles, with high attention to detail.

AI Tool Awareness: Growing familiarity with AI tools (Claude, Gemini, etc.) to assist with content creation, communications drafting, and operational efficiency.

Regulatory Frameworks: Working knowledge of SOC 2, ISO 27001, PCI-DSS, and NIST CSF requirements as they relate to security awareness and policy documentation.

Preferred: Relevant industry certifications (e.g., CompTIA Security+, SANS SSAP) demonstrating commitment to the security awareness field.

Top Skills

AI Tools
Policy Management Software
Security Awareness Platforms