GRC Engineer

SpyCloud, Austin, TX

About The Position

SpyCloud is on a mission to make the internet a safer place by disrupting the criminal underground. SpyCloud’s solutions thwart cyberattacks and protect more than 4 billion accounts worldwide. Cybersecurity is an exciting, evolving space, and being at the forefront of the fight to disrupt cybercrime makes SpyCloud a special place to work. If you’re driven to align your career with a fantastic mission, look no further!

The GRC Engineer is a role within SpyCloud’s Governance, Risk, and Compliance (GRC) department, part of the Legal & Compliance organization. This position plays a critical role in strengthening SpyCloud’s compliance posture by driving audit readiness, scaling continuous control testing, and embedding compliance requirements into cloud-native systems and workflows. This role partners closely with Engineering, Security, IT, Product, and Legal teams to ensure compliance requirements are implemented effectively within cloud environments. The GRC Engineer leads complex compliance initiatives while leveraging automation and scripting to improve efficiency, accuracy, and scalability.

Requirements

  • 5+ years of experience in Governance, Risk & Compliance (GRC), security compliance, auditing, or related roles.
  • Demonstrated experience applying SOC 2, ISO 27001, and/or CMMC requirements to cloud environments.
  • Experience leading audit readiness activities and working directly with auditors.
  • Strong collaboration experience with engineering and cloud operations teams.
  • Bachelor’s degree in Information Security, Computer Science, Engineering, or equivalent professional experience.
  • Ability to understand and write code, preferably Python, to automate evidence collection and validate cloud controls.
  • Strong knowledge of cloud architectures, IAM, logging, monitoring, and cloud security best practices.
  • Hands-on experience using Vanta for compliance automation and integrations.
  • Familiarity with SOC 2, ISO 27001, CMMC, NIST 800-53, and CIS Benchmarks.
  • Strong written and verbal communication skills.
  • Ability to work independently and manage multiple priorities.
  • Strong analytical, problem-solving, and collaboration skills.

Nice To Haves

  • Certifications such as CISA, CISSP, CCSK, CCAK, or ISO 27001 Lead Auditor/Implementer.
  • Experience with CI/CD pipelines, secure development practices, or cloud security engineering.
  • Experience conducting integration audits or third-party cloud risk assessments.

Responsibilities

  • Lead and support compliance programs including SOC 2, ISO 27001, and CMMC, with a strong focus on cloud-native environments.
  • Coordinate internal and external audits, ensuring accurate evidence collection and alignment with technical stakeholders.
  • Support customer security reviews and questionnaires by clearly articulating SpyCloud’s cloud security controls and compliance posture.
  • Own continuous audit readiness across cloud platforms such as AWS, GCP, and Azure.
  • Design and execute continuous control testing using automation and scripting (preferably Python).
  • Partner with Engineering and Security teams to ensure compliance is embedded into system design and change management processes.
  • Build, maintain, and enhance automated evidence collection workflows using Vanta.
  • Integrate Vanta with cloud environments, identity systems, and CI/CD pipelines to support continuous compliance.
  • Collaborate with Engineering to implement automated compliance checks within cloud deployments.
  • Develop and maintain security and compliance policies, standards, and procedures aligned with cloud architecture and operational practices.
  • Ensure governance documentation supports SOC 2, ISO 27001, and CMMC requirements while remaining practical for technical teams.
  • Translate complex technical requirements into clear, actionable controls.
  • Lead risk assessments across cloud services, systems, and business processes.
  • Identify, assess, and drive remediation of cloud security and compliance risks.
  • Partner with stakeholders to ensure risks are understood, prioritized, and addressed.
  • Enhance vendor risk management workflows through automation and integration, including integration audits of third-party cloud services.
  • Work closely with Engineering, IT, Security, Product, and Legal teams to embed compliance into architecture and design decisions.
  • Serve as a subject matter expert for cloud compliance, control validation, and compliance automation.

Benefits

  • 401(k) with Employer Contribution
  • Health, Vision, and Dental Insurance
  • Health Savings Account (HSA) available with Employer Contribution
  • Employer Paid Life, Short-term, and Long-term Disability Insurance
  • Generous PTO Plan and 16 paid holidays per year
  • Retirement Savings Plan with Employer Contribution
  • Employer Provided Private Health Insurance and Healthcare Cashplan
  • Employer Paid Life Insurance and Income Replacement
  • Generous Holiday Plan and 14 paid holidays per year
© 2024 Teal Labs, Inc