About The Position

Dremio is the unified lakehouse platform for self-service analytics and AI, serving hundreds of global enterprises, including Maersk, Amazon, Regeneron, NetApp, and S&P Global. Customers rely on Dremio for cloud, hybrid, and on-prem lakehouses to power their data mesh, data warehouse migration, data virtualization, and unified data access use cases. Based on open source technologies, including Apache Iceberg and Apache Arrow, Dremio provides an open lakehouse architecture enabling the fastest time to insight and platform flexibility at a fraction of the cost. Learn more at www.dremio.com.

About the role

We are seeking a Director, Head of InfoSec & Governance, Risk & Compliance (GRC) to lead the company’s efforts to build a secure, compliant, and resilient operating foundation across our software and cloud platforms. This leader will oversee Governance, Risk & Compliance, as well as the IT and Security functions — bringing together risk management, compliance, and security architecture under one cohesive strategy. You will partner closely with Engineering, Product, and Security Architecture teams to embed compliance and security by design, develop scalable governance models, and ensure our technology and operations meet the standards of trust expected by our customers and regulators. This is a hands-on leadership role for a seasoned operator who can bridge strategic risk management and technical depth — shaping enterprise-wide frameworks while staying engaged in the design and validation of real-world security and compliance solutions.

Requirements

  • Bachelor’s or Master’s degree in Computer Science, Information Security, or related field.
  • 8-10 years of progressive experience in GRC, IT Security, or compliance, with at least 3+ years in a leadership role within a software, SaaS, or cloud-based company.
  • Strong understanding of cloud architectures and modern DevSecOps practices, including secure software development and CI/CD pipeline controls.
  • Deep knowledge of compliance frameworks including SOC 2, ISO 27001, NIST, GDPR, CCPA, PCI, and related security standards.
  • Proven ability to collaborate with Engineering and Product teams to translate compliance requirements into practical, sustainable controls.
  • Strong risk assessment, audit management, and project management skills.
  • Excellent communicator capable of simplifying complex technical and regulatory topics for executive and cross-functional audiences.

Nice To Haves

  • Professional certifications such as CISA, CISSP, CRISC, CISM, or CCEP.
  • Experience implementing or managing GRC tools, control automation, or compliance monitoring systems.
  • Customer-facing experience supporting security and compliance reviews.

Responsibilities

  • Build and oversee the company’s enterprise-wide GRC framework, integrating risk, compliance, IT, and security disciplines.
  • Partner with Finance, Legal, and Product teams to align governance and control frameworks with business objectives and growth strategy.
  • Maintain a comprehensive enterprise risk register, performing ongoing assessments and scenario planning to inform leadership and board discussions.
  • Ensure consistent documentation, evidence gathering, and audit readiness for key frameworks (SOC 2, ISO 27001, GDPR, CCPA, PCI, FedRAMP, etc.).
  • Lead the IT and Security teams, driving a unified approach to infrastructure resilience, data protection, and compliance control implementation.
  • Define and manage the Security Incident Management process, ensuring timely response, root cause analysis, and corrective actions.
  • Oversee the design and implementation of key security capabilities such as key management, encryption, data masking, and access control.
  • Stay current on emerging security threats and evolving cloud risks, applying insights to improve company posture and preparedness.
  • Serve as a key business partner to Engineering, Product, and Security Architecture, ensuring compliance and risk management are built into software development lifecycles.
  • Define, review, and refine compliance-related epics, user stories, and acceptance criteria in partnership with Product teams.
  • Develop and communicate a multi-period security and compliance roadmap, aligned with company product releases and customer expectations.
  • Collaborate with engineers to create repeatable, auditable compliance artifacts and automated control testing processes.
  • Participate in architecture design discussions to identify and mitigate security and compliance risks in new solutions.
  • Oversee external and internal audit cycles, including SOC 2 Type 2, ISO 27001, and HIPAA readiness and remediation.
  • Partner with external auditors and assessors to coordinate documentation, testing, and corrective actions.
  • Ensure GRC tools and processes are streamlined, automated, and well-documented for efficiency and scalability.
  • Lead company-wide compliance and ethics programs, including Code of Conduct, training, and reporting mechanisms as it relates to information security.
  • Build a culture of proactive risk awareness, transparency, and continuous improvement across all departments.
  • Provide regular briefings to the executive team and Audit Committee on key risks, compliance status, and mitigation efforts.

Benefits

  • Medical, dental and vision insurance
  • 401(k) Plan
  • Short term / long term disability and life insurance
  • Pre-IPO stock options
  • Flexible PTO
  • 16 hours of volunteer time off
  • 12 company paid holidays, including Juneteenth
  • Remote work options
  • Paid parental leave
  • Employee Assistance Program (EAP)
  • Biannual swag surprise
  • Certain benefits are available only to full-time Dremio employees and may differ across locations
© 2024 Teal Labs, Inc