Mid-Level

Director of Governance, Risk, and Compliance (GRC)

Hyperproof

Compensation

$146,000 - $206,000/year

Remote
Posted March 16, 2026

Job Description

The Mission

As the Director of GRC, you are a revenue enabler and a cornerstone of our enterprise growth strategy. Reporting to the SVP of Operations, you will transform compliance from a reactive exercise into a Continuous Assurance engine. You will be responsible for building a gold-standard compliance program that not only meets the highest regulatory bars but also serves as a primary driver of customer trust.

This role offers rare visibility across the full spectrum of enterprise security and compliance, from direct engagement with 3PAOs to front-line conversations with Fortune 500 security teams during the sales cycle. You will build and own programs from the ground up, establishing the institutional foundations that will scale with the company. For a security leader looking to move beyond maintaining inherited programs, this is a high-ownership, high-impact seat at a company where GRC is treated as a core business function. Your work will be visible to the board, referenced by customers, and directly tied to revenue outcomes.

Framework Mastery, Expansion & Product Advocacy

  • Audit Ownership: Lead the end-to-end strategy and lifecycle for SOC 2 Type II and FedRAMP Moderate authorizations. You will act as the primary liaison for 3PAOs and agency sponsors, ensuring our continuous monitoring (ConMon) remains flawless.

  • Strategic Roadmap: Architect the expansion of our compliance program into new frameworks as we scale, including ISO 27001, NIST AI RMF, and other emerging global standards.

  • The "Showcase User": Serve as the internal owner of our own platform implementation. You will ensure we are the industry's premier "gold standard" user of our GRC tools, providing a referenceable model for our customers and partnering with Product to drive innovation.

  • Security Awareness & Training: Own and mature the company-wide security awareness and role-based training program, satisfying NIST 800-53 AT control family requirements and FedRAMP ConMon obligations. Ensure training content is current, measurable, and tied directly to threat trends and audit findings.

External Trust & Third-Party Governance

  • Sales Enablement & Trust Center: Act as the technical authority representing our security posture to prospective and current enterprise customers. You will establish and manage a scalable process for responding to security questionnaires and proactively managing our Trust Center to accelerate sales cycles.

  • Vendor Risk Management: Direct the assessment of all current and prospective third-party providers. You will ensure our vendor ecosystem adheres to our strict security and compliance standards, managing risk throughout the supply chain.

  • Penetration Testing & External Validation: Govern the annual penetration testing program and any third-party security assessments, ensuring scope, methodology, and findings are managed to closure and available as evidence for customer due diligence and audit purposes.

  • Cross-Functional Partnership: Partner deeply with DevOps, IT, and Engineering to automate evidence collection. You will move the company toward a model where compliance is a natural byproduct of our engineering excellence.

Incident Response & Operational Resilience

  • IR Leadership: Serve as the designated Primary Lead for all security events and incident response activities. You will define and maintain the response playbooks used to identify, contain, and remediate security events.

  • Continuous Readiness: Institutionalize and lead Annual Tabletop Exercises (minimum 1x per year) to stress-test our response processes and uncover gaps in our cross-functional communication.
