About The Position

Beacon is acquiring and operating a portfolio of vertical SaaS companies. Most private equity firms scale by adding people; we are building Beacon to scale by adding software. The thesis is simple: portfolio operations, value creation, and deal sourcing are bottlenecked by human attention, and an agentic operating system can lift that ceiling by an order of magnitude.

We are looking for a GRC leader to build and scale the governance, risk, compliance, and privacy function for a growing portfolio of software companies. This is a founding, high-ownership role for someone who has built before and treats automation and modern AI tooling as the default way to operate.

Our GRC function is at an early, formative stage. You would shape it from the foundations and scale it across the portfolio, working directly with our portfolio companies to take them through their own audits and certifications, and designing a program that grows with the business rather than one built for a single audit. The mandate spans security compliance, data privacy, risk, and AI governance. We expect it to be built AI-first: modern automation platforms and LLM-assisted workflows over manual process.

Requirements

  • Have built or substantially matured a GRC program before.
  • Have taken an organization through SOC 2 Type 2.
  • Typically 5+ years in GRC, IT governance, or security compliance.
  • A builder with a bias for action and an instinct to automate manual processes.
  • A strong systems thinker; designs scalable GRC architectures.
  • Fluent with a compliance automation platform (Vanta, Drata, Secureframe, or similar).
  • Uses current AI tooling in day-to-day work, not just in theory.
  • Comfortable across both security compliance and data privacy, or able to ramp quickly.
  • An excellent cross-functional communicator who works through influence.
  • Able to translate compliance requirements into terms both technical and non-technical teams can act on.
  • A clear writer.

Nice To Haves

  • Privacy or audit certifications (CIPP, CIPM, CISA, CISSP, or ISO 27001 Lead Auditor or Lead Implementer).
  • Experience with regimes beyond SOC 2 (ISO 27001, PCI DSS, HIPAA, FedRAMP, StateRAMP) and with accessibility conformance (WCAG conformance, VPAT reporting).
  • Enough technical fluency to scope what the program needs and partner closely with engineering.
  • Multi-entity, private-equity, or holding-company experience.
  • M&A security and privacy diligence experience.

Responsibilities

  • Build and scale the governance, risk, compliance, and privacy function for a growing portfolio of software companies, shaping it from its foundations so that the program grows with the business rather than serving a single audit.
  • Manage Beacon's enterprise governance program: security policy, AI governance, data governance and privacy, enterprise and third-party risk, and posture reporting.
  • Lead governance initiatives, including any frameworks Beacon itself elects to pursue.
  • Work directly with portfolio companies to take them through their own audits and certifications (SOC 2, ISO 27001, accessibility conformance, and others as their customers require).
  • Deliver GRC as a repeatable service that scales across the portfolio.
  • Establish a common control architecture in which each control is implemented and evidenced once and mapped to every standard it satisfies.
  • Build the function AI-first, using modern compliance automation platforms and LLM-assisted workflows in place of manual process.
  • Ensure clear program and posture reporting for both Beacon and the portfolio companies.
© 2026 Teal Labs, Inc