Manager, Security GRC - Compliance Onboarding & Readiness

HubSpot
$146,200 - $233,900 | Remote

About The Position

HubSpot is seeking a Manager, Security GRC on our Compliance Onboarding & Readiness team. This role is a critical part of how HubSpot approaches trust, security, and governance. Instead of focusing on reactive audit defense, our team acts as a proactive design and engineering partner. We shift compliance engineering "left" to ensure our rapidly expanding product surface, including usage-based billing systems, advanced AI capabilities, and scaling infrastructure, is fundamentally secure by design and audit-ready.

This is a hands-on, "player-coach" role. Reporting directly to the Senior Manager, you will lead and mentor a dedicated team of GRC professionals, while also acting as a high-impact individual contributor (IC). You are someone who loves to get into the weeds: executing proactive control designs, performing technical walkthroughs, mapping controls to complex cloud environments, and directly authoring robust control documentation alongside your team. You will drive the day-to-day operationalization of our High-Risk Control Testing and Compliance Onboarding charters, moving HubSpot away from point-in-time evidence gathering and toward continuous compliance automated by telemetry.

Requirements

  • Demonstrated experience in Security GRC, IT Compliance, or IT Audit, ideally within a fast-paced, public SaaS environment.
  • Hands-On Player-Coach Leadership: Experience managing, mentoring, or leading GRC professionals, combined with a strong desire and demonstrated ability to execute as an individual contributor. You must love rolling up your sleeves to build.
  • Deep Control Expertise: Strong understanding of SOX 404 control design, risk-based scoping, testing, and proactive issue management within modern engineering environments (AWS, microservices, CI/CD pipelines).
  • First-Principles Architect Mindset: You look at compliance as a systems-engineering challenge, not a checklist. You have experience implementing controls that are automated, scalable, and lightweight for developers.
  • Exceptional Communication & HubSpot Culture Fit: You are empathetic, remarkably clear, and direct. You can explain complex regulatory "whys" to engineering leaders.

Nice To Haves

  • Familiarity with emerging technology frameworks, specifically AI governance structures (such as ISO 42001) alongside traditional frameworks (SOC 1/2, ISO 27001, NIST).
  • Experience supporting product transitions to usage-based billing or microservices-based financial data pipelines.
  • Professional certifications such as CISA, CRISC, CISSP, or equivalent experience.

Responsibilities

  • Direct People Management: Lead, develop, and mentor a talented sub-team of GRC professionals. Evolve their capabilities in risk-based judgment and technical engineering partnership.
  • Hands-on Execution (IC Work): Actively lead by example. You will personally conduct high-impact control walkthroughs, draft complex process narratives, design baseline control mappings for new architectures, and directly test our most critical systems.
  • Stabilization & Backlog Burnout: Guide and support the team through its immediate operational maturity phases, and partner cross-functionally to systematically burn down the legacy issues backlog.
  • Shift Compliance Left: Manage and scale our centralized compliance onboarding intake process. Partner early with Product, Engineering, and FinOps during the design and architecture stages (pre-coding) to embed security and compliance controls before production release.
  • Minimize Friction: Maintain predictable, frictionless compliance paths for engineering stakeholders so compliance acts as an operational accelerator rather than a bottleneck.
  • Execute Deep-Dive Testing: Personally lead and oversee rigorous internal testing of HubSpot’s highest-risk controls, prioritizing Identity and Access Management (IAM), privileged access, data protection, change management, and AI governance.
  • Continuous Monitoring Telemetry: Partner to design and build automated dashboards, transitioning the team’s evidence collection from manual spreadsheets to continuous data streams.
  • Define Early-Warning Signals: Build out and monitor key control health indicators (OKIs/PKIs) to identify and remediate control degradation long before audit windows open.
  • Proactive Pre-Audit Alignment: Lead proactive reviews to validate control design, helping system owners address gaps collaboratively before audit cycles begin.
  • Frictionless Partner Handoffs: Partner deeply with our Compliance Audit Execution team to transition ready, thoroughly vetted control packages for external testing, replacing traditional siloed boundaries with smooth, cooperative handoffs.
  • Shared Posture Insights: Actively feed readiness metrics and testing signals into the broader Security Governance and Risk ecosystem to build a unified, transparent view of security health across HubSpot.

Benefits

  • AI-powered customer platform
  • Software, integrations, and resources
  • Connected platform
  • Focus on customers
  • Bold culture
  • Customer-obsessed
  • Win together culture
  • Solve for the Customer commitment
  • Be Bold commitment
  • Learn Fast commitment
  • Align, Adapt & Go! commitment
  • Deliver with HEART commitment
  • Brilliant work focus
  • Clarity, ownership, and trust
  • Space for big thinking and meaningful progress
  • Award-winning culture
  • Cash compensation
  • On-target commission
  • Annual bonus targets
  • Equity plan
  • Restricted stock units (RSUs)
  • Overtime pay
  • Fair compensation practices
  • Transparency
  • Flexibility
  • Connection
  • In-person onboarding (for Engineering team)
  • In-person events (for broader Product team)
  • Support for candidates needing accommodations
© 2026 Teal Labs, Inc