GRC Engineer

About The Position

Requirements

• 3–5+ years of experience in IT Audit, Governance, Risk & Compliance, and/or Information Security, ideally in a startup or growth-stage environment.
• Direct experience with SOC 2; PCI-DSS experience strongly preferred.
• Comfortable working directly with auditors, managing audit timelines, and driving evidence collection across teams.
• Strong understanding of cloud infrastructure (AWS), identity systems (Okta), and SaaS environments.
• Understand APIs and integration patterns conceptually: REST APIs, webhooks, authentication flows, polling vs. push architectures, and can evaluate systems based on how well they expose data and support automation, even if you're not writing the integration code yourself.
• A systems thinker first. You understand how complex environments work: how data flows between systems, where integration points exist, what breaks when systems don't talk to each other. Your strength is designing the right architecture and environment for security monitoring, not necessarily implementing it yourself.
• Experience with GRC platforms, security questionnaire tools, or compliance automation tooling is a plus.
• Highly organized and process-oriented, with strong written communication skills.
• Low ego, collaborative, and pragmatic — someone teammates genuinely want to work with.

Nice To Haves

• Hands-on coding or scripting experience (e.g., automation, tooling, or security-related development).
• Experience building or scaling a GRC program from the ground up.
• Security industry qualification (CISSP, CISM, CISA, or similar).
• Cloud-specific certifications (CCSP, AWS Certified Security Specialty, CCSK, etc.).

Responsibilities

• Partner cross-functionally to design, implement, and maintain compliance programs, including SOC 2, PCI-DSS, and others as needed.
• Own and maintain the compliance platform (Drata), including control mapping, evidence collection, continuous monitoring, and audit workflows.
• Oversee audits, certifications, third-party assessments, and vulnerability management to maintain compliance and operational credibility.
• Manage control documentation, policies, procedures, and supporting artifacts across multiple compliance frameworks.
• Perform risk assessments, vendor security reviews, and control gap analyses, and track remediation through to completion.
• Build and maintain vendor risk management processes, including onboarding evaluations, annual reviews, risk scoring, and data sensitivity assessments.
• Partner with Finance and Legal to implement structured vendor and customer risk profiling programs.
• Partner with Security, IT, and Engineering teams to ensure technical and administrative controls align with documented policies and compliance requirements, including hands-on testing.
• Support Go-To-Market teams with customer security questionnaires, audits, and compliance packaging for sales cycles.
• Conduct periodic user access reviews and assist with access governance and RBAC validation.
• Develop and maintain compliance reporting, metrics, and executive-ready summaries.
• Identify process gaps and implement scalable governance improvements, including automation and tooling to scale with the business.
• Oversee security awareness training and compliance education initiatives.
• Participate in incident response activities, providing risk analysis and remediation support as needed.