GRC Leader

This position should take ownership of the following key responsibilities:

Policy & Governance Management

Maintain and update the full security policy library (ISO 27001, SOC 2, GDPR, etc.).
Ensure version control, approval workflows, and cross-departmental adoption.
Lead annual policy reviews and align with new business or regulatory needs.

Security Risk Management

Own the corporate Risk Register (e.g., in Monday.com) and drive risk assessments across domains.
Track mitigation progress and report key risks to leadership.

Compliance & Certification Programs

Manage and maintain compliance frameworks (ISO 27001, GDPR, customer-driven requirements).
Prepare evidence and documentation for internal and external audits.

Vendor & Third-Party Risk Management

Oversee the Vendor Security Review process — reviewing new suppliers, SaaS tools, and renewals.
Monitor vendor security posture via SecurityScorecard or similar tools.
Ensure data processing agreements (DPAs) are aligned with legal.

Customer & Partner Assurance

Manage all RFI / RFP / security questionnaire responses.
Provide standardized documentation (e.g., SOC 2 reports, penetration testing summaries).
Support Sales / Customer Success during security discussions.

Security Process Governance

Define and enforce structured approval workflows for new tools, tokens, and architecture changes.
Integrate approvals into Jira or ServiceNow for traceability.
Collaborate with IT / AppSec / Legal for end-to-end governance.

Awareness & Training

Drive company-wide security awareness campaigns.
Onboard new hires with security and compliance training.
Ensure developers and business teams understand their compliance obligations.

Metrics & Reporting

Define KPIs for compliance maturity, audit readiness, and risk reduction.
Deliver quarterly GRC posture updates to the CISO / Security Steering Committee.

Requirements:

5–8 years of experience in Governance, Risk, and Compliance (GRC) or Information Security management, preferably within a technology or SaaS organization.
Proven track record of developing, implementing, and maintaining security policies and frameworks (e.g., ISO 27001, SOC 2, GDPR, NIST).
Hands-on experience owning and managing a corporate risk register, driving risk assessments, and ensuring timely mitigation across multiple business domains.
Strong background in compliance management, including preparing evidence and documentation for both internal and external audits.
Demonstrated ability to lead vendor and third-party security assessments, evaluate supplier risks, and align data processing agreements (DPAs) with legal and privacy teams.
Experience managing customer assurance programs, responding to RFIs/RFPs, and supporting sales teams with security documentation and due diligence.
Skilled in security process governance — establishing approval workflows for new tools, integrations, and architectural changes, and embedding controls into systems like Jira or ServiceNow.
Proven ability to drive security awareness initiatives, design training programs, and communicate compliance responsibilities effectively across departments.
Experience defining and reporting KPIs and metrics related to compliance maturity, audit readiness, and overall risk posture.
Strong collaboration skills — capable of partnering with cross-functional stakeholders (Engineering, IT, Legal, AppSec, and Product) to strengthen the organization’s security and compliance posture.