GRC Manager (Automation)

AlayaCare•Montreal, QC

23h•Hybrid

About The Position

We are seeking a GRC Manager to join our Security team. Reporting to the Director, Information Security and Privacy, you will be responsible for leading and evolving AlayaCare’s security governance, risk management, privacy, and regulatory compliance programs within a modern B2B SaaS environment. This role combines subject-matter expertise with practical experience operating GRC programs at scale, ensuring that security and compliance practices effectively support business objectives. As a key member of the team, you will have the chance to collaborate closely with colleagues across Engineering, IT, Legal, Privacy, and other internal stakeholders to strengthen the company’s governance, risk, and compliance capabilities. Key areas of focus include supporting security certifications and audits, improving risk visibility, enhancing vendor assurance practices, and building scalable control processes that enable the organization to grow confidently while meeting customer and regulatory requirements. What makes the role interesting is that it sits at the intersection of engineering and governance. This position will influence how security, privacy, and compliance enable the company’s continued growth and innovation in the healthcare technology space.

Requirements

Bachelor's or advanced degree in cybersecurity, computer science, or related fields.
8-10+ years of hands-on experience leading and scaling GRC or compliance programs in a SaaS or cloud-first environment
Experience owning external audits and certifications end-to-end (e.g., SOC 1, SOC 2, ISO 27001, HITRUST, HIPAA).
Solid understanding of modern cloud and DevOps environments (AWS preferred) and how security and compliance controls apply to SaaS architectures.
Experience implementing and optimizing GRC or evidence automation platforms (e.g., Vanta, Drata, or similar).
Strong knowledge of risk management methodologies and the ability to translate technical risk into business impact.
Experience with GRC engineering practices, automation, or AI-assisted compliance workflows.
Demonstrated ability to influence cross-functional stakeholders and drive alignment without direct authority.
Strong program management skills with the ability to manage multiple initiatives in parallel.
Excellent written and verbal communication skills, with the ability to simplify complex security and compliance topics.
Hands-on mindset, comfortable operating across both strategy and execution.
Familiarity with emerging governance areas such as AI governance, data governance, or modern regulatory frameworks.
Comfortable participating in customer-facing security and compliance discussions, including audits, due diligence calls, and trust reviews.
Interest in evolving traditional compliance practices toward a more automated, engineering-driven approach.
Bilingual in French and English

Nice To Haves

Experience working in healthcare or other highly regulated industries.
Experience with HITRUST (i1 or r2) or similar healthcare-focused compliance frameworks.
Experience integrating privacy regulations (e.g., PHIPA, HIPAA, PIPEDA, GDPR) into technical and operational controls.
Experience building or operating Trust Centers or customer-facing security assurance programs.
Background working in fast-growing SaaS startups or scale-ups.

Responsibilities

Lead the ongoing maturity of the company’s compliance programs and certifications (e.g., SOC 1/2, HITRUST, HIPAA, ISO 27001/27701), ensuring continuous readiness rather than point-in-time audit preparation.
Contribute to defining and executing the multi-year strategy and roadmap for Governance, Risk, and Compliance across the organization.
Serve as the primary point of coordination for external auditors, assessors, and customer security due diligence activities.
Partner with Engineering and IT leadership to embed controls directly into cloud and DevOps workflows, reducing manual compliance overhead through automation.
Design scalable control frameworks that align security, privacy, and engineering practices with regulatory and contractual requirements.
Establish and maintain a company-wide risk management program, including risk assessments, risk registers, prioritization frameworks, and executive reporting.
Lead third-party and vendor risk management activities, including security reviews, ongoing monitoring, and contractual safeguards.
Oversee policy governance to ensure policies and standards remain clear, actionable, and aligned with business realities.
Develop, write and maintain policies, procedures and documentation to support compliance initiatives.
Define and track KPIs and metrics to measure security posture, compliance health, and risk trends, and communicate insights to senior leadership.
Support Sales and Customer Success by enabling fast, accurate responses to RFPs, security questionnaires, and enterprise trust reviews.
Encourage a culture of shared ownership by supporting and guiding control owners and stakeholders across departments.
Continuously identify opportunities to simplify, automate, and improve the GRC operating model.