GRC Leader

Description
This position should take ownership of the following key responsibilities:

Policy & Governance Management

• Maintain and update the full security policy library (ISO 27001, SOC 2, GDPR, etc.).
• Ensure version control, approval workflows, and cross-departmental adoption.
• Lead annual policy reviews and align with new business or regulatory needs.

Security Risk Management

• Own the corporate Risk Register (e.g., in ) and drive risk assessments across domains.
• Track mitigation progress and report key risks to leadership.

Compliance & Certification Programs

• Manage and maintain compliance frameworks (ISO 27001, GDPR, customer-driven requirements).
• Prepare evidence and documentation for internal and external audits.

Vendor & Third-Party Risk Management

• Oversee the Vendor Security Review process — reviewing new suppliers, SaaS tools, and renewals.
• Monitor vendor security posture via SecurityScorecard or similar tools.
• Ensure data processing agreements (DPAs) are aligned with legal.

Customer & Partner Assurance

• Manage all RFI / RFP / security questionnaire responses.
• Provide standardized documentation (e.g., SOC 2 reports, penetration testing summaries).
• Support Sales / Customer Success during security discussions.

Security Process Governance

• Define and enforce structured approval workflows for new tools, tokens, and architecture changes.
• Integrate approvals into Jira or ServiceNow for traceability.
• Collaborate with IT / AppSec / Legal for end-to-end governance.

Awareness & Training

• Drive company-wide security awareness campaigns.
• Onboard new hires with security and compliance training.
• Ensure developers and business teams understand their compliance obligations.

Metrics & Reporting

• Define KPIs for compliance maturity, audit readiness, and risk reduction.
• Deliver quarterly GRC posture updates to the CISO / Security Steering Committee.

Requirements

• 5–8 years of experience in Governance, Risk, and Compliance (GRC) or Information Security management, preferably within a technology or SaaS organization.
• Proven track record of developing, implementing, and maintaining security policies and frameworks (e.g., ISO 27001, SOC 2, GDPR, NIST).
• Hands-on experience owning and managing a corporate risk register, driving risk assessments, and ensuring timely mitigation across multiple business domains.
• Strong background in compliance management, including preparing evidence and documentation for both internal and external audits.
• Demonstrated ability to lead vendor and third-party security assessments, evaluate supplier risks, and align data processing agreements (DPAs) with legal and privacy teams.
• Experience managing customer assurance programs, responding to RFIs/RFPs, and supporting sales teams with security documentation and due diligence.
• Skilled in security process governance — establishing approval workflows for new tools, integrations, and architectural changes, and embedding controls into systems like Jira or ServiceNow.
• Proven ability to drive security awareness initiatives, design training programs, and communicate compliance responsibilities effectively across departments.
• Experience defining and reporting KPIs and metrics related to compliance maturity, audit readiness, and overall risk posture.
• Strong collaboration skills — capable of partnering with cross-functional stakeholders (Engineering, IT, Legal, AppSec, and Product) to strengthen the organization's security and compliance posture.