Product GRC SME

Vanta-posted 3 months ago
Full-time • Mid Level
501-1,000 employees
Resume
Match Score
Upload and Match ResumeTrack Jobs with Teal

At Vanta, our mission is to help businesses earn and prove trust. We believe that security should be monitored and verified continuously, and we empower companies to practice better security and prove it with ease. Vanta has a kind and talented team, and while some have prior security experience, many have been successful at Vanta without it. As Vanta rapidly grows and moves upmarket, we’re working with increasingly sophisticated customers who have complex security and compliance needs across a wide range of industries and geographies. The GRC Subject Matter Experts play a critical role in delivering high-quality, scalable content and product guidance to help these companies effectively manage their GRC programs. As Vanta’s newest GRC Subject Matter Expert, you’ll be responsible for developing and maintaining multi-framework GRC solutions used by thousands of customers. Acting as a bridge between Product Management, Engineering, Design, Sales, and Customer Success, you’ll ensure our solutions align with key security, privacy, and risk frameworks and real-world customer needs. You’ll play a pivotal role in designing, validating, and improving compliance-related content and capabilities while providing strategic input to shape Vanta’s GRC product roadmap.

  • Build and maintain compliance frameworks - Lead the creation, enhancement, and lifecycle management of controls, evidence requirements, and implementation guidance for standards such as SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, and regional regulations (e.g., GDPR/CCPA). Author clear control rationales, acceptance criteria, and customer-facing guidance.
  • Design crosswalks and mappings (framework‑agnostic) - Create and steward an internal common‑control approach informed by industry catalogs (e.g., SCF, UCF, or similar). Maintain bidirectional crosswalks across industry leading security and privacy regulatory frameworks. Define canonical control IDs, mapping confidence, and evidence data dictionaries; version crosswalks with changelogs and traceability to source authority. Partner with Engineering to operationalize mappings in‑product (integrations, automated tests, exceptions/exemptions, continuous monitoring workflows).
  • Elevate content quality and usability - Define standards for control wording, evidence specificity, testing method, and reviewer guidance. Establish content QA processes, audits, and metrics (e.g., adoption, time-to-evidence, completion rates) to continually improve outcomes.
  • Drive end‑to‑end GRC product enablement - Build modular content, guidance, and templates for risk management (methodologies, scoring, KRIs), issue & corrective action management (POA&M), policy management (lifecycle, attestations), access reviews (SoD, recertification flows), customer trust / Trust Center artifacts, and third‑party risk management (TPRM) (due diligence, monitoring, contract clauses).
  • Act as a product advisor across discovery & design - Partner with PM/Design to support feature discovery (customer interviews, JTBD, task analysis), review UI/UX for control, evidence, and review workflows, run usability tests, and author PRDs/acceptance criteria grounded in auditor and customer needs.
  • Author automated tests & continuous monitoring - Translate controls/compliance knowledge and infrastructure contexts (cloud services, SaaS apps, on‑prem, endpoints, networks, CI/CD) into spec‑level automated tests and detectors in Vanta. Define test logic, data sources/integrations (APIs, logs, configs), edge cases, and acceptance criteria; pair with Engineering to implement, validate, and maintain detectors with versioned mappings to frameworks for continuous monitoring.
  • Partner with Product to drive roadmap - Translate customer and market needs into GRC requirements, propose experiments, and validate solutions through discovery with Design/UX Research. Influence prioritization using data and field insights; own a backlog for framework/content improvements.
  • Enable AI‑assisted compliance - Partner with Engineering/ML to design and ship LLM‑powered guidance and automation. Translate SME knowledge into machine‑readable specs (schemas, ontologies, prompts), define gold‑standard evaluation sets and acceptance criteria, and implement quality/safety guardrails (red‑teaming, refusal policy, privacy controls). Instrument features to monitor accuracy and drift in production.
  • Synthesize feedback loops - Analyze input from customers, auditors/assessors, partners, and internal teams to identify gaps, resolve issues, and deliver iterative updates quickly and safely.
  • 5-7+ years in GRC and/or Information Security with hands‑on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800‑53).
  • Experience with cloud environments and SaaS is strongly preferred.
  • Federal experience (e.g., FedRAMP) is a plus but not required.
  • Bachelor’s degree in Computer Science; advanced degree a plus.
  • Deep understanding of controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, issues/POA&M management, vendor risk, continuous monitoring).
  • Ability to translate requirements into productizable capabilities; comfort with experimentation and data‑driven prioritization.
  • Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets (lookups, pivots).
  • Excellent written and verbal skills; able to partner effectively with engineers, designers, GTM teams, auditors, and customers.
  • Able to work autonomously while contributing to team success.
  • Willing & excited to support cross-functional teams and improve compliance content.
  • Skilled at managing change, solving problems proactively, and taking initiative.
  • Experience with privacy regulations (GDPR/CCPA), risk quantification (e.g., FAIR), audit/assessor background, or B2B SaaS content/enablement.
  • One or more of: CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI‑ISA/QSA.
  • Industry-competitive compensation
  • 100% covered medical, dental, and vision benefits with dependents coverage
  • 16 weeks fully-paid parental Leave for all new parents
  • Health & wellness and remote workplace stipends
  • Family planning benefits through Carrot Fertility
  • 401(k) matching
  • Flexible work hours and location
  • Open PTO policy
  • 11 paid holidays in the US
  • Offices in SF, NYC, London, Dublin, and Sydney
Track Jobs with Teal

Job Search Resources

Resume Builder
Resume Examples
Cover Letter Examples

Tools

Career Hubs

Guides

Company

© 2024 Teal Labs, Inc
Privacy PolicyTerms of Service