Director, GRC & Privacy Security

About The Position

Requirements

• 8+ years of experience in GRC, information security compliance, or a related field, with 3+ years in a management or program leadership role
• Deep, hands-on experience with SOC 2 Type II — you have managed or led multiple audit cycles and understand the TSCs, evidence requirements, and auditor dynamics from the inside
• Strong working knowledge of PCI-DSS v4.0 and experience implementing or managing PCI compliance programs
• Demonstrated experience managing compliance across multiple legal entities or subsidiaries with overlapping and distinct regulatory obligations
• Experience building or significantly maturing a GRC program — not just maintaining one someone else built
• Working knowledge of GDPR and CCPA and the operational requirements they impose on a data-handling business
• Ability to communicate risk and compliance requirements clearly to technical teams, business stakeholders, and executive leadership
• Experience managing external auditor relationships and serving as the primary organizational point of contact during audit engagements

Nice To Haves

• Experience in fintech, payments, cryptocurrency, or financial services — familiarity with money transmitter licensing or FinCEN obligations is a meaningful plus
• Professional certifications: CISM, CRISC, CISSP, CIPP/E, CIPP/US, or equivalent
• Exposure to ISO 27001, CIS, or NIST CSF as additional compliance frameworks
• Experience with GRC platforms (Vanta, Drata, Tugboat Logic, ServiceNow GRC, or equivalent)
• Familiarity with AWS cloud environments and how cloud-native architectures affect control design and evidence collection
• Prior experience standing up a GRC function in a high-growth, previously unstructured environment

Responsibilities

• Build and own the enterprise security risk management program — risk register, risk appetite framework, risk scoring methodology, and regular reporting to the CISO and executive leadership
• Establish and maintain the security control framework, mapping controls to applicable standards (SOC 2 TSCs, PCI-DSS, CIS Controls) across all entities and subsidiaries
• Drive security policy development and lifecycle management — authoring, reviewing, approving, and enforcing policies across the organization
• Lead the company's security committee and governance forums, ensuring risk decisions are documented, escalated appropriately, and tracked to resolution
• Own the end-to-end compliance program for SOC 2 Type II and PCI-DSS — scoping, control design, evidence collection, auditor management, and remediation tracking
• Build continuous audit readiness rather than a point-in-time posture; automate compliance evidence collection where possible
• Manage relationships with external auditors, certification bodies, and regulators; serve as the primary point of contact for audit engagements across all entities
• Own the third-party risk management program — vendor security assessments, contractual security requirements, ongoing monitoring, and escalation of high-risk findings
• Oversee the data privacy program in partnership with Legal, ensuring compliance with GDPR, CCPA, and applicable regulations across all jurisdictions where the company operates
• Ensure privacy-by-design is embedded in the product development process and that data processing activities are documented, lawful, and consistent with stated privacy notices
• Manage data subject rights obligations and privacy incident response, including breach notification requirements under applicable law

Benefits

• Competitive salary & equity
• Unlimited PTO
• Full Health, Vision, & Dental coverage
• 401k match
• Hardware setup: new MacBook Pro, big display, & accessories