Information Security Associate

Middesk, New York, NY

About The Position

Middesk makes it easier for businesses to work together. Since 2018, we’ve been transforming business identity verification, replacing slow, manual processes with seamless access to complete, up-to-date data. Our platform helps companies across industries confidently verify business identities, onboard customers faster, and reduce risk at every stage of the customer lifecycle. Middesk came out of Y Combinator, is backed by Sequoia Capital and Accel Partners, and was recently named to the Forbes Fintech 50 list and cited as an industry leader in business verification by the digital identity strategy firm Liminal.

We’re looking for a Governance, Risk & Compliance professional to own and scale Middesk’s security, privacy, and compliance programs. This person will act as the connective tissue between engineering, legal, security, operations, and go-to-market teams, ensuring we meet customer, regulatory, and internal expectations without slowing the business down. This is not a purely technical role, but it requires technical fluency and the ability to act as a liaison (and sometimes interpreter) between technical and non-technical teams.

Requirements

  • Experience owning or materially contributing to SOC 2 and/or ISO 27001 programs at a SaaS or data-driven company.
  • Hands-on experience with compliance automation tools such as Vanta, Drata, Delve, or similar.
  • Strong understanding of data protection concepts, vendor risk, and security controls, even if not an engineer by background.
  • Ability to manage multiple stakeholders, deadlines, and ambiguous requirements with good judgment.
  • Clear written and verbal communication skills, particularly with auditors, customers, and internal leadership.
  • Familiarity with privacy frameworks (e.g., GDPR, CCPA) as they intersect with security and vendor management.

Responsibilities

  • Own Middesk’s trust and compliance platform (currently Vanta), including continuous monitoring, evidence collection, and control maintenance.
  • Manage and maintain compliance with frameworks such as SOC 2 and ISO 27001, and coordinate recurring assessments such as external penetration tests, including tracking findings to remediation.
  • Coordinate with internal teams and external auditors to support audits and assessments end-to-end.
  • Maintain a current and accurate inventory of subprocessors and vendors, with particular focus on access to customer data and PII.
  • Partner with Legal, Ops, and Engineering to assess vendor risk and ensure appropriate controls and contractual safeguards are in place.
  • Own and respond to due diligence questionnaires (DDQs), security reviews, and trust-related inquiries from customers and partners.
  • Develop reusable artifacts and processes to streamline security and compliance reviews as Middesk scales.
  • Chair Middesk’s internal oversight or security committee, including agenda setting, documentation, and follow-ups.
  • Own the lifecycle of security and compliance policies: drafting, review, approval, rollout, and periodic refresh.
  • Ensure policies are aligned with actual practices and system behavior—not just “paper compliance.”
  • Develop and maintain a strong understanding of Middesk’s data flows, systems, and architecture at a conceptual level.
  • Act as a translator between technical teams (Engineering, Security, Data) and non-technical teams (Legal, Sales, Customer Success, Operations).
  • Identify gaps between how the business operates and how it is represented in compliance artifacts, and drive remediation.
  • Be the internal point of contact for our external IT vendor (or be the person who makes the case that this function needs to be brought in-house).