Security Compliance Manager

About The Position

Requirements

• 6+ years of experience in security compliance, IT audit, or IT risk management.
• Hands-on ownership of ITGC, SOX, SOC 2, and policy frameworks such as ISO 27001.
• Strong expertise in risk assessments, control testing, assurance practices, and audit methodologies.
• Practical knowledge of enterprise and cloud control domains, including IAM, SDLC/change management, vulnerability management, logging and monitoring, incident response, and BC/DR.
• Experience interpreting and applying regulatory requirements such as NYCRR 500 or similar industry regulations.
• Proven ability to lead cross-functional initiatives with Security, IT, Finance, Legal, and Audit teams.
• Excellent written and verbal communication skills, with experience delivering executive-level reporting.

Nice To Haves

• Security or audit certifications (CISA, CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CIA, CPA).
• Experience with GRC and compliance tooling (e.g., OneTrust, Drata, Vanta, Secureframe, Jira, Confluence).
• Financial services or insurance industry experience, including GLBA, NAIC, and customer security questionnaires (SIG, CAIQ).

Responsibilities

• Own and mature the end-to-end GRC program, including ITGC, SOX, SOC 2, ISO 27001 alignment, and NYCRR 500 compliance.
• Design, execute, and test IT general controls across access management, change management, operations, backup and disaster recovery, and vendor/SaaS environments.
• Lead SOX activities including scoping, walkthroughs, design and operating effectiveness testing, deficiency evaluation, and remediation tracking.
• Manage SOC 2 readiness and annual Type 1 and Type 2 audits, including control mapping, evidence collection, and exception management.
• Align security policies, standards, and procedures with ISO 27001 Annex A, NIST CSF, COBIT, and CIS Controls, ensuring regulatory applicability.
• Conduct enterprise and IT risk assessments, document risk treatment plans, and track remediation through closure.
• Establish continuous control testing and assurance practices, including testing scripts, sampling methodologies, and evidence standards.
• Develop and report on key risk and performance indicators (KRIs/KPIs) such as control pass rates, audit findings, evidence SLAs, and vendor risk trends.
• Serve as the primary point of contact for Internal Audit and external auditors, producing executive- and board-ready compliance reporting.
• Lead third-party and vendor risk assessments, including SIG/CAIQ reviews, contract control requirements, and ongoing monitoring.
• Map and validate cloud controls (AWS, Azure, GCP) against SOX, SOC 2, ISO 27001, and NYCRR 500 expectations.
• Maintain security policies, control catalogs, control narratives, and RACI documentation.
• Drive security awareness, control owner training, and process maturity, including identifying opportunities for automation and continuous monitoring.

Benefits

• Healthy Hippos Benefits - Multiple medical plans to choose from and 100% employer covered dental & vision plans for our team members and their families. We also offer a 401(k)-retirement plan, short & long-term disability, employer-paid life insurance, Flexible Spending Accounts (FSA) for health and dependent care, and an Employee Assistance Program (EAP)
• Equity - This position is eligible for equity compensation
• Training and Career Growth - Training and internal career growth opportunities
• Flexible Time Off - You know when and how you should recharge
• Little Hippos Program - We offer 12 weeks of parental leave for primary and secondary caregivers
• Hippo Habitat - Snacks and drinks available and catered lunches for onsite employees