Head of Security & Governance Risk Compliance

RentSpree, Seattle, WA (Hybrid)

About The Position

As the Head of Security & GRC, you will bridge the gap between rigorous compliance and high-velocity engineering. Reporting directly to the CTO, you will lead the strategy for protecting our cloud-native environment while automating our global compliance footprint. This is a technical leadership role focused on "Security-as-Code," moving away from manual audits toward a continuous, tool-driven defense posture. This role is 2 days/week in-office in downtown Seattle.

Requirements

  • 8+ years in Cybersecurity or Security Engineering, with significant experience in cloud-native environments.
  • Automation-First: You prefer a script, an API, or a Terraform provider over a manual checklist.
  • Strategic Communication: Ability to collaborate with the CTO to prioritize security debt against product features, communicating trade-offs with clarity.

Responsibilities

  • Integrated DevSecOps: Own the deep integration of Snyk directly into developer IDEs and CI/CD pipelines to catch vulnerabilities in code, not production.
  • Automated Guardrails: Partner with Engineering to implement automated policy enforcement within GCP, ensuring insecure configurations are blocked at the PR stage.
  • Compliance-as-Code: Leverage Drata APIs to automatically pull evidence from build logs and scan results.
  • Automated Vendor Discovery: Use Drata to automatically identify new third-party sub-processors integrated into our stack and tier them based on data access and criticality.
  • AI-Driven Security Reviews: Leverage the AI capabilities within Drata to ingest and analyze vendor SOC 2 reports and security certifications, instantly flagging gaps in their posture.
  • Concentration Risk & Resilience: Map our dependency on critical infrastructure (SaaS, Cloud, API providers) and report to the CTO on systemic risks and contingency plans.
  • Trust Center Management: Deploy the public-facing "Trust Center" to automate the sharing of our security posture with prospects, reducing the burden of manual security questionnaires on the sales and engineering teams.
  • Living Policy Management: Use the Drata policy centers to maintain a unified set of security policies. You will ensure these policies are mapped directly to technical controls in GCP and Snyk.
  • Automated Attestations: Streamline the employee acknowledgment process for security policies (AUP, Security Policy), ensuring 100% compliance through automated reminders and Slack/Teams integrations.
  • Exception Lifecycle: Manage a transparent process for policy exceptions, ensuring they are time-bound, risk-rated, and visible to the CTO.
  • Audit Readiness: Act as the primary technical lead for SOC 2 Type II and ISO 27001 audits, utilizing our GRC tools to provide auditors with real-time, "read-only" access to our control evidence.
  • Endpoint & Cloud Security: Oversee SentinelOne for 100% coverage of all assets.
  • Identity & Social Defense: Manage our Anti-Phishing tool suite to protect the "human endpoint" and mitigate social engineering risks.
  • Data Lifecycle & Privacy Governance: Define and automate data retention and deletion policies across our GCP databases. Work with Engineering to ensure PII discovery and classification are mapped within Drata to satisfy state regulations and CCPA requirements.
  • Business Continuity & Disaster Recovery (BCDR): Lead the technical design and testing of our recovery strategies. You will ensure that backup integrity and failover procedures are not just documented in a policy, but technically verified and auditable through automated evidence.
  • Security Telemetry & Metrics: Build high-fidelity dashboards that aggregate data from Snyk and SentinelOne. You will provide the CTO with a real-time "Security Scorecard" that tracks MTTR (Mean Time to Remediate) and control health.

Benefits

  • Compensation: $250k - $280k base
  • Equity Options: Share in the value we’re creating—your work makes a real impact.
  • Team-First Culture: Join a group of talented, supportive teammates who inspire each other to do their best work and celebrate every win.
  • Learning & Development: Ongoing support for your growth through resources, coaching, and career development opportunities.
  • Health Coverage: Comprehensive employee + dependent medical, dental, and vision insurance, as well as HSA/FSA options. Plus, enjoy additional health perks like access to Headspace Care+, gym membership discounts, and much more — because your well-being matters, inside and out.
  • Plan for your future: Life, disability, and Simple IRA retirement plan with company match to support your future.
  • Flexible Vacation Policy: We trust you to take the time you need to rest and recharge.
  • Holidays: Enjoy 12 holidays throughout the year, as a part of our commitment to honoring culture, history, and time to recharge.
  • Events: We make time to connect and celebrate through reimbursable weekly team lunches, game nights, events, and more, both in-person and remotely.
  • Recognition Programs: Team members can recognize their peers with Sprees, which are redeemable for gift cards and/or donations to an organization of your choice, or nominate a colleague for a S.P.R.E.E. Award to spotlight above-and-beyond contributions, which may be rewarded with a spot bonus. Our Work Anniversary Program also honors employee milestones with personalized tokens of appreciation!
  • Business Expense Allowance & Internet Reimbursement: Get the tools and support you need to do your best work.
  • Parental Leave & Fertility Support: Inclusive benefits to support you and your family, wherever you are in life.
  • Legal & tax benefits: We offer group legal benefits and tax support through RocketLawyer.
  • Seattle HQ: If you’ll be working from our Seattle office, you’ll receive a company-sponsored Orca card to cover the cost of public transportation to and from the office!