Director, Governance, Risk and Compliance (GRC)

Confluent

About The Position

We’re not just building better tech. We’re rewriting how data moves and what the world can do with it. With Confluent, data doesn’t sit still. Our platform puts information in motion, streaming in near real-time so companies can react faster, build smarter, and deliver experiences as dynamic as the world around them. It takes a certain kind of person to join this team. Those who ask hard questions, give honest feedback, and show up for each other. No egos, no solo acts. Just smart, curious humans pushing toward something bigger, together. One Confluent. One Team. One Data Streaming Platform. About the Role: Trust is the currency of the cloud. As Confluent continues to mobilize data for the world's leading organizations, ensuring the security, privacy, and integrity of that data is paramount. We are seeking a Director of Governance, Risk, and Compliance (GRC) to continue the evolution of our GRC program from a control-based mandate to a strategic business enabler. In this role, you will not just manage compliance and risk. You will architect the framework that allows Confluent to meet the needs of our customers, underpin trust relationship by providing attestations and evidence of controls, develop frameworks and tools to help management understand and manage risk, and operate our Technical Program Management (TPM) reducing risk by driving the execution of horizontal engineering programs. You will provide the vision and north star to guide Confluent to a proactive risk management culture. You will lead the strategy for internal governance, enterprise wide risk management, and external compliance obligations, serving as the bridge between technical engineering realities and executive risk appetite.

Requirements

10+ years of progressive experience in Information Security, Risk Management, or IT Audit.
5+ years of leadership experience building and managing high-performing GRC teams in a high-growth SaaS or cloud-native environment. Experience managing teams of managers and teams of individual contributors.
Cloud Native Fluency: Deep understanding of modern cloud infrastructure (AWS, GCP, Azure, Kubernetes) and how traditional controls apply to ephemeral, containerized environments.
AI Fluency: Hands-on experience or a strong vision for leveraging AI tools to scale internal GRC programs and operations.
Mastery of Standards: Expert-level knowledge of SOC 2 Type II, ISO 27001/27701, NIST 800-53, and PCI-DSS.
Technical Program Management: Proven ability to manage complex cross-functional programs and utilize tools like Jira/Confluence and risk management tools. You know how to speak the language of engineering to get things done.
Business Acumen: The ability to translate complex technical risks into business terms (ROI, Brand Risk, Velocity) for the C-Suite and Board of Directors.
Diplomacy & Empathy: A track record of building consensus with Engineering and Product teams. You approach GRC as a partner who helps teams build securely, help engineering leaders manage risk and drives changes in policies for the entire company to operate pragmatically.
Executive Presence: Confidence in presenting to customers, auditors, and internal executive leadership.
Education: BS/MS in Computer Science, Information Systems, Business Administration, or equivalent practical experience.

Nice To Haves

FedRAMP Expertise: Strong familiarity with FedRAMP High/Moderate authorization processes and continuous monitoring requirements is highly preferred.
Privacy Intersection: Working knowledge of global privacy laws (GDPR, CPRA) and how they intersect with security controls.
Certifications: CISSP, CISM, CISA, or CRISC is a strong plus.

Responsibilities

Own the Framework: Design, implement, and maintain a common control framework (CCF) that maps to multiple standards (SOC 2, ISO 27001, FedRAMP, NIST CSF, PCI-DSS) to ensure "test once, comply many" efficiency.
Risk Quantification: Evolve our risk management program towards quantitative risk analysis (e.g. leveraging FAIR, OCTAVE methodologies), utilizing AI to continuously process & analyze complex data sets, and providing executive leadership with data-driven insights on security posture and residual risk and an updated view of Top Risks impacting Confluent.
Program Modernization: Develop and maintain security policies that are agile, easily discoverable, and practical for an AI-native engineering culture, enforceable through automation.
Remediation Strategy & Engineering Partnership: Interface directly with Information Security Engineering (InfoSec Eng) to co-develop technical remediation strategies that are secure by design and operationally feasible. You will ensure that top risk concerns, audit findings and compliance gaps are translated into actionable engineering programs and drive them to closure.
Risk Reporting: Develop and maintain a visual presentation layer (e.g., dynamic dashboards, executive scorecards, and trend analysis) that simplifies complex risk data. This layer will be the primary tool to assist Confluent's management staff in understanding the landscape, understanding severity, and prioritizing risk items effectively.
Risk Treatment: Evolve current risk management programs to ensure risks are properly tracked, treated, and communicated.
Program Execution: Apply technical program management best practices to complex security initiatives. Via your TPM team, lead cross-functional projects, such as identity management improvements, AI governance controls, or secret management overhauls, ensuring they are delivered on time and with minimal friction to developer velocity.
Communication & Accountability: Regularly report to the Trust and Security staff, eStaff and prepare occasion Board level content via weekly, monthly and quarterly execution reviews.
OCISO Partnership: Collaborate closely with the Office of the CISO (OCISO) to proactively forecast and prioritize security certifications and product features. You will translate the "voice of the customer" and sales pipeline data gathered by OCISO into a concrete GRC roadmap that removes friction from future deals by providing efficient means to evidence data for our customers and auditors.
Sales Acceleration: Act as a subject matter expert during high-stakes customer engagements, partnering with Sales and OCISO to build confidence with Fortune 500 CISOs and external auditors.
Continuous Compliance and Scale: Partner with Engineering to drive the automation of evidence collection and control monitoring. You will transition traditional audit operations into an AI-assisted continuous compliance model, significantly reducing manual overhead.
Audit Management: Orchestrate all external audits and certifications, serving as the primary liaison with external auditors and regulators.
TPRM: Oversee the Third-Party Risk Management program, ensuring that vendors, partners, and AI sub-processors meet Confluent’s security standards throughout the vendor lifecycle.