Director of Security Risk & Trust

About The Position

Requirements

• 10+ years of experience in security, governance, risk, and compliance, with at least 5 years in a leadership role building and scaling programs at high-growth technology or SaaS companies.
• Strong engineering and technical foundation—you've written code (Python, Go, or similar), built automation, worked in cloud-native environments, and can engage deeply with engineering teams on technical design and implementation.
• Deep expertise across multiple compliance frameworks including ISO 27001, ISO 42001, ISO 27017, ISO 27018, SOC 2, HIPAA, GDPR, and SOX IT controls, with a demonstrated ability to rationalize and unify controls across overlapping frameworks.
• Demonstrated experience in AI/ML security and governance, including familiarity with AI-specific risk frameworks, responsible AI principles, and the unique security challenges of machine learning systems.
• Hands-on experience with cloud infrastructure and security (AWS strongly preferred), including understanding of IAM, networking, encryption, logging/monitoring, and infrastructure-as-code (Terraform, CloudFormation, etc.).
• Proven ability to build compliance-as-code and automated GRC capabilities, including evidence collection automation, continuous monitoring, and integration with engineering toolchains.
• Exceptional cross-functional leadership skills—you've successfully partnered with Engineering, Product, Legal, and executive stakeholders to drive security and compliance outcomes without relying on authority alone.
• Experience managing external audits and regulatory examinations end-to-end, with a track record of clean results and efficient audit processes.
• Strong communication skills with the ability to translate complex technical and regulatory concepts for diverse audiences—from engineers to board members.

Responsibilities

• Define and execute a forward-looking strategy for the Risk and Trust program that scales with Klaviyo's growth, product evolution, and expansion into new markets and regulated industries.
• Develop a risk management program that quantifies and communicates risk in business-actionable terms, using data-driven models for decision-making.
• Own the compliance roadmap across frameworks including ISO 27001, ISO 42001, ISO 27017, ISO 27018, SOC 2 Type II, HIPAA, GDPR, CCPA/CPRA, and emerging AI governance regulations, engineering unified control sets.
• Translate regulatory and compliance requirements into clear, actionable engineering requirements for development teams.
• Build and maintain compliance-as-code infrastructure, including automated evidence collection, continuous control monitoring, and policy-as-code implementations.
• Design and implement tooling and integrations to connect GRC workflows with engineering systems (CI/CD pipelines, cloud infrastructure, identity platforms).
• Partner with Engineering and Platform teams to embed security and compliance controls into the software development lifecycle, infrastructure provisioning, and deployment pipelines.
• Evaluate, select, and optimize platforms and technologies to automate compliance into a continuous, real-time capability.
• Develop and implement a comprehensive AI/ML governance framework aligned with ISO 42001, the EU AI Act, NIST AI RMF, and emerging global AI regulations.
• Partner with ML/AI and Data Science teams to establish security and compliance guardrails for AI/ML systems.
• Conduct and oversee risk assessments specific to AI/ML systems.
• Stay ahead of the evolving AI regulatory landscape and proactively position Klaviyo's governance posture.
• Partner with Product and Engineering leadership to ensure security and compliance are built into product design.
• Collaborate with Legal and Privacy teams to operationalize regulatory requirements.
• Work with Sales, Customer Success, and Trust teams to support customer-facing security and compliance needs.
• Engage with executive leadership and the Board to communicate risk posture, compliance status, and strategic GRC investments.
• Conduct technical risk assessments, review architecture designs, write automation scripts, and troubleshoot control gaps.
• Personally lead critical compliance initiatives, audit responses, and incident-driven governance activities.
• Maintain deep technical currency by staying hands-on with cloud platforms (AWS, GCP, Azure), infrastructure-as-code tools, security tooling, and modern software development practices.

Benefits

• Annual cash bonus plan
• Equity
• Sign-on payments
• Comprehensive range of health, welfare, and wellbeing benefits