Security GRC Manager

About the role

Hex is looking for our first Security GRC Manager to build, scale, and own our security and privacy compliance programs. This role is pivotal in setting the foundation for how Hex meets regulatory, customer, and industry obligations across frameworks including SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, CCPA, PCI DSS, and emerging requirements that matter to our customers.

As the inaugural GRC hire, you will architect the systems, processes, and culture that ensure Hex operates with integrity, earns customer trust, and maintains continuous audit readiness. You’ll partner closely with engineering, business operations, and our go-to-market teams to develop a world-class GRC function empowered by automation, thoughtful risk management, and clear communication.

This role is both strategic and hands-on: you’ll define long-term program roadmaps while also rolling up your sleeves to run audits, perform risk assessments, and answer customer security questionnaires. You must be technical enough to understand how Hex’s product works under the hood and translate that understanding into defensible compliance, clear documentation, and trust-building narratives for customers.

What you will do

Security, Privacy & Compliance Program Ownership

• Own and mature Hex’s security and privacy compliance program across SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, CCPA, PCI DSS, and other frameworks relevant to our business.
• Ensure continuous audit readiness: maintain controls, gather evidence, manage auditors, and implement improvements.
• Track regulatory and industry changes, advising Hex leadership on impact and recommended responses.
• Maintain and develop core security policies, standards, and procedures, tailoring them to Hex’s real operating environment.

Risk Assessment & Governance

• Own Hex’s risk management lifecycle: identify, assess, track, and drive mitigation of security, privacy, operational, and regulatory risks.
• Build lightweight but effective governance processes, ensuring clear ownership, documentation, and accountability.
• Partner with Engineering and Security to ensure technical controls map appropriately to compliance requirements.

Customer Trust & Sales Enablement

• Serve as the primary owner of customer and prospect security questionnaires, risk assessments, and contractual security provisions.
• Manage and improve Hex’s Trust Center / trust portal, ensuring accurate and compelling communication of Hex’s security posture.
• Collaborate with Sales, Customer Success, and Legal on security-related deal support, including negotiating security terms.
• Build defensible, scalable processes for handling increasing customer scrutiny.

Audit & Evidence Management

• Lead internal and external audits from planning through remediation.
• Establish automated or repeatable evidence collection processes, reducing manual toil and ensuring consistency.
• Coordinate cross-functional contributors to meet audit timelines and quality requirements.

Third-Party Risk Management

• Own Hex’s third-party risk management program, including vendor assessments, reviews, and ongoing monitoring.
• Build a lightweight but rigorous process aligned with Hex’s scale and risk profile.
• Partner with Procurement, Security, and IT to ensure defensible vendor decisions.

Security Culture, Enablement & Awareness

• Define and run security awareness training tailored to Hex’s environment.
• Evangelize GRC internally—driving a culture of risk-aware decision-making and operational excellence.
• Document processes, playbooks, and FAQs to make compliance and risk management accessible across the organization.

Program Automation & Tooling

• Evaluate, implement, and administer GRC tools (evidence auto