Lead, Governance, Risk, Compliance & Privacy (GRC)

Beacon Software
San Francisco, CA
Remote

About The Position

Beacon is acquiring and operating a portfolio of vertical SaaS companies. Most private equity firms scale by adding people. We are building Beacon to scale by adding software. The thesis is simple: portfolio operations, value creation, and deal sourcing are bottlenecked by human attention, and an agentic operating system can lift that ceiling by an order of magnitude.

We are looking for a GRC leader to build and scale the governance, risk, compliance, and privacy function for a growing portfolio of software companies. This is a founding, high-ownership role for someone who has built before and treats automation and modern AI tooling as the default way to operate.

Beacon has raised $550M+ from investors including General Catalyst, Lightspeed, D1 Capital, CPMG, and the family offices of the founders of Stripe, DoorDash, and Ramp.

About the Role

Our GRC function is at an early, formative stage. You would shape it from the foundations and scale it across the portfolio, working directly with our portfolio companies to take them through their own audits and certifications, and designing a program that grows with the business rather than one built for a single audit. The mandate spans security compliance, data privacy, risk, and AI governance. We expect it to be built AI-first: modern automation platforms and LLM-assisted workflows over manual process.

Requirements

  • Built or substantially matured a GRC program before and taken an organization through SOC 2 Type 2.
  • Typically several years (5+) in GRC, IT governance, or security compliance.
  • A builder with a bias for action; first instinct is to automate manual processes.
  • A strong systems thinker who designs scalable GRC architectures.
  • Fluent with a compliance automation platform (Vanta, Drata, Secureframe, or similar).
  • Current on AI tooling in practice.
  • Comfortable across both security compliance and data privacy, or able to ramp quickly on regimes not personally run.
  • An excellent cross-functional communicator who works through influence.
  • Able to translate compliance requirements into terms both technical and non-technical teams can act on.
  • A clear writer.

Nice To Haves

  • Privacy or audit certifications (CIPP, CIPM, CISA, CISSP, or ISO 27001 Lead Auditor or Implementer).
  • Experience with regimes beyond SOC 2 (ISO 27001, PCI DSS, HIPAA, FedRAMP, StateRAMP) and accessibility conformance (WCAG, VPAT).
  • Enough technical fluency to scope what the program needs and partner closely with engineering, even without building the tooling yourself.
  • Multi-entity, private-equity, or holding-company experience.
  • M&A security and privacy diligence experience.

Responsibilities

  • Build and scale the governance, risk, compliance, and privacy function for a growing portfolio of software companies.
  • Shape the GRC function from its foundations and scale it across the portfolio.
  • Work directly with portfolio companies to guide them through their own audits and certifications.
  • Design a program that grows with the business rather than one built for a single audit.
  • Manage the mandate spanning security compliance, data privacy, risk, and AI governance.
  • Build the GRC function with an AI-first approach, utilizing modern automation platforms and LLM-assisted workflows.
  • Manage the holdco's enterprise governance program, including security policy, AI governance, data governance and privacy, enterprise and third-party risk, and posture reporting.
  • Lead governance initiatives, including any frameworks Beacon itself elects to pursue.
  • Take portfolio companies through their own audits and certifications (SOC 2, ISO 27001, accessibility conformance, and others as their customers require), delivered hands-on as a repeatable service that scales across the portfolio.
  • Underpin both Beacon and portfolio company efforts with three things: a common control architecture that maps a control once to satisfy many standards, AI-first automation, and clear program reporting.

Benefits

  • Founding, high-ownership role
  • Opportunity to build and scale a function from the ground up
  • Work with modern automation and AI tooling
  • Significant funding and investor backing