Principal, GRC Automation and Cyber Risk

F5 Networks, Seattle, WA

About The Position

The Principal, GRC Automation & Cyber Risk Quantification is a senior engineering and strategic leadership role responsible for designing, implementing, and scaling automated, data-driven cyber risk and GRC capabilities across the enterprise. This role blends deep cyber risk management expertise with hands-on software engineering, GRC platform architecture, workflow automation, API development and systems integration, and emerging AI-enabled and Agentic capabilities to modernize how the organization manages risk, compliance, and governance at scale. Reporting to the VP, Cyber Governance, Risk & Compliance, this role serves as a force multiplier for the GRC organization, translating complex regulatory and risk frameworks into automated controls, continuous monitoring workflows, decision-ready dashboards, and audit-ready evidence. The principal is expected to write, review, and own production-quality code and partner closely with ERM, Engineering, IT, Legal, Privacy, Internal Audit, and Digital teams to embed risk intelligence directly into business and technology processes.

Requirements

  • Bachelor's degree in Cybersecurity, Information Systems, Computer Science, Engineering, Risk Management, or related field.
  • 10+ years of experience across cybersecurity, risk management, GRC, or security architecture roles — with at least 3–5 years in a hands-on engineering or software development capacity.
  • Demonstrated Python programming proficiency applied to automation, data processing, tooling, or security use cases.
  • Proven API development and integration experience, including designing, building, and consuming APIs in enterprise environments.
  • Demonstrated systems integration experience, connecting GRC, security, cloud, or enterprise systems at scale.
  • Demonstrated experience automating or scaling GRC, risk, or compliance programs using enterprise platforms.
  • Strong experience partnering with cross-functional technical and business teams.
  • Deep understanding of cyber risk management and GRC frameworks (NIST CSF, NIST 800-53/171, ISO 27001, SOC 2, SOX).
  • Strong grasp of enterprise risk management (ERM) concepts and alignment.
  • Working knowledge of quantitative cyber risk analysis (FAIR or similar approaches).
  • Familiarity with audit, regulatory, and certification processes.
  • Understanding of software engineering principles, API design patterns, and systems integration methodologies.
  • Knowledge of Agentic AI frameworks and multi-agent system design principles.
  • Expertise designing and automating workflows within ServiceNow IRM or comparable GRC platforms.
  • Proficient Python developer — able to write clean, maintainable, production-ready code for automation scripts, data pipelines, API clients, and Agentic workflows.
  • Experienced in API development and integration — designing and consuming REST APIs, managing authentication (OAuth, API keys), and building integration layers.
  • Demonstrated systems integration experience — connecting heterogeneous enterprise systems through APIs, webhooks, message queues, or ETL frameworks.
  • Hands-on experience with Agentic development — building autonomous AI agents using frameworks.
  • Ability to translate abstract frameworks into practical, automated, and scalable implementations.
  • Strong systems thinking, connecting people, process, technology, and data.
  • Excellent written and verbal communication skills, including executive-level storytelling.
  • Operate comfortably at both strategic and hands-on engineering levels.
  • Influence without authority in a highly matrixed environment.
  • Drive change from legacy/manual processes to modern, code-driven automated execution.
  • Independently scope, build, and ship engineering solutions with minimal oversight.

Nice To Haves

  • Master's degree in a related field.
  • Experience with FAIR or quantitative risk methods.
  • Hands-on experience with Agentic AI development — building and deploying autonomous agents for task automation, decision support, or workflow orchestration.
  • Familiarity with LLM orchestration frameworks (LangChain, LangGraph, AutoGen, CrewAI, or similar).
  • Experience with Python data and automation libraries (pandas, NumPy, FastAPI, Celery, Airflow, etc.).
  • Experience with API gateway tooling, integration platforms (e.g., MuleSoft, Boomi, Workato), or message broker systems (Kafka, RabbitMQ).
  • Hands-on experience with AI, data analytics, or workflow automation applied to GRC use cases.
  • Professional certifications (CISSP, CISM, CRISC, Open FAIR).

Responsibilities

  • Design, build, and evolve end-to-end GRC automation across risk, compliance, policy, and issue management domains — including writing and maintaining Python-based automation scripts, services, and tools.
  • Integrate GRC workflows with source systems (cloud platforms, vulnerability tools, IAM, SDLC, third-party systems) via RESTful APIs, webhooks, and event-driven integration patterns to reduce manual effort and improve data quality.
  • Architect and maintain a systems integration layer connecting GRC platforms to enterprise data sources, enabling real-time risk signal ingestion and automated control validation.
  • Partner with Cyber Risk leadership to operationalize quantitative and scenario-based risk analysis (e.g., FAIR-aligned methods).
  • Engineer automated pipelines for ingesting threat, vulnerability, asset, and business context data to support risk-based prioritization, leveraging Python data processing libraries (e.g., pandas, NumPy), integration APIs, and Agentic workflows.
  • Enable financially grounded cyber risk outputs that inform: Risk acceptance and investment decisions, Executive and board-level reporting, Program prioritization and roadmap planning.
  • Translate regulatory and framework requirements into automated, testable, and traceable controls, implementing these as code-driven workflows and API-integrated monitoring checks.
  • Implement continuous control monitoring and evidence refresh to support ISO, SOX, SOC, and regulatory audits, using automated evidence collection scripts and scheduled integrations.
  • Reduce audit fatigue by standardizing artifacts, workflows, and control narratives across compliance programs.
  • Partner with Internal Audit and external auditors to improve transparency, timeliness, and defensibility of GRC outputs.
  • Design, build, and deploy Agentic automation solutions — autonomous AI-driven agents capable of reasoning across GRC data, identifying risks, triggering workflows, and recommending actions with minimal human intervention.
  • Identify and pilot AI-assisted capabilities to accelerate GRC outcomes, such as: Control mapping and gap analysis, Risk scenario generation and prioritization, Policy-to-control alignment and impact analysis, Agentic issue triage, intelligent remediation recommendations, and autonomous evidence collection.
  • Develop and integrate LLM-based or agent-framework tooling (e.g., LangChain, AutoGen, or comparable frameworks) into GRC workflows.
  • Ensure all AI-enabled and Agentic GRC use cases align with internal security, privacy, and governance standards.
  • Design, develop, and maintain RESTful and GraphQL APIs that expose GRC data and capabilities to downstream consumers including dashboards, reporting tools, and integrated enterprise systems.
  • Own the end-to-end systems integration architecture connecting GRC platforms to security tools, cloud environments, HR systems, asset management, and third-party risk platforms.
  • Establish and enforce API governance standards, including versioning, authentication, documentation (OpenAPI/Swagger), and rate management.
  • Build and maintain integration middleware, ETL pipelines, and event-driven connectors to ensure consistent, reliable data flows across GRC systems.
  • Serve as a trusted advisor to security, IT, engineering, and business leaders on risk-based automation, control design, and engineering best practices for GRC tooling.
  • Influence teams to embed GRC requirements directly into SDLC, cloud, procurement, and third-party workflows.
  • Translate technical implementations — including architecture diagrams, API designs, and automation logic — into clear, executive-ready narratives for leadership consumption.

Benefits

  • Incentive compensation
  • Bonus
  • Restricted stock units
  • Benefits