Security GRC Manager

Hex Technologies, San Francisco, CA
$221,000 - $295,000

About The Position

Hex is looking for our first Security GRC Manager to build, scale, and own our security and privacy compliance programs. This role is pivotal in setting the foundation for how Hex meets regulatory, customer, and industry obligations across frameworks including SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, CCPA, PCI DSS, and emerging requirements that matter to our customers. As the inaugural GRC hire, you will architect the systems, processes, and culture that ensure Hex operates with integrity, earns customer trust, and maintains continuous audit readiness. You’ll partner closely with engineering, business operations, and our go-to-market teams to develop a world-class GRC function empowered by automation, thoughtful risk management, and clear communication. This role is both strategic and hands-on: you’ll define long-term program roadmaps while also rolling up your sleeves to run audits, perform risk assessments, and answer customer security questionnaires. You must be technical enough to understand how Hex’s product works under the hood and translate that understanding into defensible compliance, clear documentation, and trust-building narratives for customers.

Requirements

  • 5–8+ years in GRC, compliance, security engineering, privacy, audit, or a related field.
  • Deep familiarity with frameworks such as SOC 2, ISO 27001, ISO 27701, PCI DSS, HIPAA, GDPR, and associated security controls.
  • Experience running or contributing significantly to audit cycles and certification processes.
  • Technical literacy in cloud-native environments (AWS preferred), SaaS architectures, and modern security tooling.
  • Ability to understand and explain product architecture, data flows, and control implementations to auditors and customers.
  • Experience building or maturing GRC programs at a high-growth company.
  • Strong project/program management skills: you can set roadmaps, drive timelines, and deliver on deadlines.
  • Comfort creating order out of ambiguity—you design the playbook, not just follow one.
  • Exceptional communicator with the ability to translate complex topics into clear, concise, customer-ready language.
  • Strong stakeholder management skills—you can collaborate with engineering, sales, legal, executives, and prospects with equal effectiveness.
  • Empathic, diplomatic, and able to balance customer expectations with business realities.
  • Highly organized and detail-oriented; rigorous in execution.
  • Naturally curious with a continuous-improvement mindset.
  • Thrives in distributed, fast-paced environments.
  • Comfortable making risk-based decisions and presenting tradeoffs to leadership.

Nice To Haves

  • Certifications such as CISA, CISM, CISSP, CRISC, ISO 27001 Lead Implementer/Auditor.
  • Experience with GRC automation platforms (e.g., Vanta, Drata, Tugboat, SecureFrame) and Trust Center tools (e.g., Conveyor, SafeBase).
  • Familiarity with data protection operations, privacy programs, DPIAs, or AI/ML compliance contexts.

Responsibilities

  • Own and mature Hex’s security and privacy compliance program across SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, CCPA, PCI DSS, and other frameworks relevant to our business.
  • Ensure continuous audit readiness: maintain controls, gather evidence, manage auditors, and implement improvements.
  • Track regulatory and industry changes, advising Hex leadership on impact and recommended responses.
  • Maintain and develop core security policies, standards, and procedures, tailoring them to Hex’s real operating environment.
  • Own Hex’s risk management lifecycle: identify, assess, track, and drive mitigation of security, privacy, operational, and regulatory risks.
  • Build lightweight but effective governance processes, ensuring clear ownership, documentation, and accountability.
  • Partner with Engineering and Security to ensure technical controls map appropriately to compliance requirements.
  • Serve as the primary owner of customer and prospect security questionnaires, risk assessments, and contractual security provisions.
  • Manage and improve Hex’s Trust Center / trust portal, ensuring accurate and compelling communication of Hex’s security posture.
  • Collaborate with Sales, Customer Success, and Legal on security-related deal support, including negotiating security terms.
  • Build defensible, scalable processes for handling increasing customer scrutiny.
  • Lead internal and external audits from planning through remediation.
  • Establish automated or repeatable evidence collection processes, reducing manual toil and ensuring consistency.
  • Coordinate cross-functional contributors to meet audit timelines and quality requirements.
  • Own Hex’s third-party risk management program, including vendor assessments, reviews, and ongoing monitoring.
  • Build a lightweight but rigorous process aligned with Hex’s scale and risk profile.
  • Partner with Procurement, Security, and IT to ensure defensible vendor decisions.
  • Define and run security awareness training tailored to Hex’s environment.
  • Evangelize GRC internally—driving a culture of risk-aware decision-making and operational excellence.
  • Document processes, playbooks, and FAQs to make compliance and risk management accessible across the organization.
  • Evaluate, implement, and administer GRC tools (evidence automation, Trust Center platforms, access review tooling, vendor management systems).
  • Build automation into compliance wherever possible—access reviews, evidence collection, user lifecycle processes, vendor workflows, and more.
  • Partner with engineering teams to understand Hex’s infrastructure and embed compliance requirements into CI/CD, logging, monitoring, and cloud security controls.

Benefits

  • Market-benched salary and equity
  • Comprehensive health benefits
  • Flexible paid time off


What This Job Offers

  • Job Type: Full-time
  • Career Level: Manager
  • Education Level: No Education Listed
  • Number of Employees: 1-10 employees
