Cybersecurity Manager - GRC

Playlist
$130,000 - $175,000

About The Position

Playlist’s GRC team owns governance, risk, third-party risk, and compliance across a complex, multi-brand environment including Mindbody, ClassPass, Booker, Kite and EGYM, and the businesses we continue to acquire and integrate. We sit at the intersection of Security, Legal, Engineering, and Finance, and we operate as builders: standing up programs, harmonizing controls across entities, and turning audit-readiness into something the business can scale with rather than scramble through. We’re hands-on, comfortable without a playbook, and biased toward decisions that unblock partners rather than slow them down. If you want to lead a team doing meaningful GRC work at real scale, we’d love to hear from you.

The GRC Manager is a player-coach role responsible for two of the most important threads running through our function: the third-party risk management (TPRM) workflow and Playlist’s compliance program portfolio. You’ll lead a team of GRC Analysts and Program Managers, set the operating standards for how we assess vendors and run audits, and serve as the GRC team’s day-to-day operating leader across the broader function.

You’ll drive our compliance programs across SOC 1 Type II, ISO 27001, HITRUST, NIST CSF/800-53, and IT SOX. You’ll partner closely with Legal, Security Engineering, Product, and Finance to make sure these programs reflect how the business operates, and that compliance requirements arrive as guidance rather than friction. You’ll support the TPRM workflow end-to-end: intake, risk tiering, diligence, and ongoing monitoring across our multi-brand vendor footprint.

You’ll be the person who turns strategy into execution, building the team, the cadence, and the tooling that make our compliance posture durable as the portfolio continues to grow. You’ll pursue continuous improvement to help Playlist achieve its mission: powering the world’s fitness and wellness businesses and connecting them with more consumers, more effectively, than anyone else.

Requirements

  • 7+ years of progressive Information Security GRC, Compliance, or Audit experience, including at least 2 years of direct people management
  • Hands-on program ownership across multiple compliance frameworks: SOC 1 Type II is required, plus working depth in at least two of ISO 27001, HITRUST, NIST CSF/800-53, or IT SOX, with the ability to map and rationalize controls across frameworks
  • Demonstrated ownership of a third-party risk management workflow at scale (vendor intake, risk tiering, diligence, and ongoing monitoring), including the operating standards and SLAs that hold the program together
  • Hands-on experience with a compliance automation platform (Drata, Vanta, Hyperproof, Secureframe, Optro or similar) and a clear point of view on how tooling should scale with program growth
  • Strong project management skills: able to run multiple audits and integration workstreams in parallel without dropping deadlines
  • Direct experience managing external auditors and assessors, including comfort challenging scope and interpretation
  • Excellent written and verbal communication, with the ability to translate compliance and risk findings into clear executive and partner-team updates

Nice To Haves

  • Experience integrating acquired companies into an existing compliance program, including control harmonization and audit scope decisions
  • Background working in a multi-brand or SaaS / consumer-marketplace environment
  • CISA, CIPP/US or CIPP/E, ISO 27001 Lead Implementer / Lead Auditor, or PCI ISA certification
  • Detection or security engineering literacy strong enough to partner technically with Security Engineering on control design

Responsibilities

  • Manage and develop a team of 3–5 GRC team members, set quarterly OKRs, run 1:1s, hire to fill gaps, and coach on technical depth, stakeholder management, and audit discipline.
  • Own the third-party risk management workflow end-to-end across Playlist’s multi-brand vendor footprint (vendor intake, risk tiering, due diligence, contract risk review, and ongoing monitoring), and continuously tune the program as vendor volume scales with acquisitions.
  • Lead Playlist’s compliance program portfolio across SOC 1 Type II, ISO 27001, HITRUST, NIST CSF/800-53, and IT SOX: scope, control design, evidence collection, and external audit coordination across the brand footprint.
  • Serve as primary point of contact for external auditors and assessors, manage audit timelines and finding remediation, and challenge scope and interpretation when it matters.
  • Own the GRC team’s operating cadence (planning rhythms, staff meetings, intake queues) and how the team interfaces with Security Engineering, Legal, Privacy, and Procurement.
  • Drive Playlist’s compliance automation platform forward: design how controls and evidence flow through the tool, automate high-volume evidence collection, and evolve the tooling strategy as the program scales.
  • Partner with Legal, Security Engineering, Product, and Finance to surface compliance and third-party risk early in product and infrastructure decisions, with clear accept/mitigate/reject recommendations for partner teams.

Benefits

  • Performance bonus
  • Benefits
  • Other applicable incentive compensation plan