Senior GRC Engineer

Flock
Hybrid

About The Position

We are hiring a Senior GRC Engineer to build and scale an engineering-driven, automation-first, and AI-enabled approach to Governance, Risk, and Compliance (GRC). This role goes far beyond traditional GRC. You will design and implement intelligent, automated systems that integrate directly into our engineering and cloud environments—transforming compliance from a manual, point-in-time exercise into a continuous, real-time capability. You will leverage automation, data pipelines, and emerging AI/LLM capabilities to reduce manual effort, improve signal quality, and enable proactive risk management. This is a high-impact role at the intersection of security engineering, compliance, and data—helping evolve GRC into a measurable, scalable, and product-aligned function.

Requirements

  • 5+ years in GRC, security engineering, or related roles
  • Experience working in cloud-native environments, AWS is a must
  • Experience supporting audits such as SOC 2, ISO 27001, or similar
  • Experience integrating security and compliance into CI/CD pipelines
  • Ability to work with APIs, automation tools, or scripting languages
  • Experience implementing policy-as-code, compliance-as-code, or security-as-code frameworks
  • Familiarity with tools such as Terraform, CloudFormation, or similar IaC frameworks
  • Thinks in terms of systems and scale, not manual tasks—automating repetitive work wherever possible
  • Curious about and experienced with applying AI to operational problems, especially in security or compliance
  • Comfortable experimenting with emerging technologies and rapidly evolving tooling
  • Focused on signal over noise, reducing manual overhead while increasing accuracy
  • Strong understanding of frameworks such as SOC2 Type II, NIST 800-53, ISO 27001, and CJIS
  • Experience with third-party risk management and vendor assessments
  • Ability to translate regulatory requirements into technical controls
  • Automation-first thinking
  • Strong problem-solving skills and ownership mentality
  • Ability to balance security, compliance, and business needs
  • Ability to collaborate effectively with engineering, security, and business stakeholders

Nice To Haves

  • Relevant certifications such as CISA, CRISC, FAIR, AWS Security Specialty, or ISO 27001/42001 Lead Auditor are a plus

Responsibilities

  • Design and implement policy-as-code and compliance-as-code frameworks
  • Automate control testing and evidence collection using cloud and CI/CD telemetry
  • Integrate GRC processes with engineering tools and workflows
  • Develop reusable tooling and internal platforms for scalable, self-service compliance
  • Build and deploy production-grade automation leveraging LLMs and AI tooling (e.g., for control mapping, evidence analysis, and anomaly detection)
  • Own the design, development, and maintenance of core GRC automation systems and services
  • Develop KPIs and KRIs using engineering and cloud data
  • Support risk quantification efforts using frameworks such as FAIR
  • Maintain and improve the security risk register
  • Apply data modeling and AI techniques to identify emerging risks and reduce false positives
  • Build automated risk scoring and prioritization models using real-time engineering and security data
  • Lead and support audits including SOC 2, ISO 27001, ISO 27701, FedRAMP and CJIS
  • Build automated audit readiness and continuous compliance processes
  • Serve as a key point of contact for internal and external auditors
  • Work with Product and Engineering teams on security and privacy requirements
  • Support customer security reviews, RFIs, and trust center initiatives
  • Collaborate with Legal and Privacy teams on regulatory alignment
  • Automate vendor assessments using AI-assisted questionnaire analysis and response validation
  • Build workflows to ingest, analyze, and score third-party risk data at scale

Benefits

  • Flexible PTO
  • 11 company holidays
  • Fully-paid health benefits plan for employees: including Medical, Dental, and Vision
  • HSA match
  • 12 weeks of 100% paid parental leave
  • Birthing parents are eligible for an additional 6-8 weeks of physical recovery time
  • Fertility & Family Benefits through Maven, with a $50,000 lifetime maximum benefit for eligible adoption, surrogacy, or fertility expenses
  • Mental health benefits through Spring Health, including therapy, coaching, medication management, and digital tools
  • Caregiver support through Cariloop
  • Carta Tax Advisor sessions with Equity Tax Advisors
  • ERGs (Women of Flock, Flock Proud, LEOs and Melanin Motion)
  • $150 per month WFH Stipend
  • $300 per year Productivity Stipend
  • One-time $750 Home Office Stipend
  • Flock Stock Options