Sr. Director, Security Governance, Risk and Compliance

Docusign•San Francisco, CA

2d•Hybrid

About The Position

As the most trusted brand in our industry, Docusign recognizes the profound importance of maintaining and enhancing customer trust in our products. Docusign's security program is vital to that trust, and this role is a critical leadership position driving our success. The Senior Director, Security Governance, Risk, and Compliance (GRC) will be a technically proficient, business savvy leader who manages all aspects of the GRC program and multiple facets of product and enterprise security. Security GRC will embed within Product, Technology, Digital Technology, and Sales teams to proactively identify and reduce security risks - transforming legacy GRC practices into a more contemporary, productized capability and replacing document-centric compliance with scalable security controls built directly into engineering and business workflows. The Senior Director, GRC will tailor and implement Docusign's security controls framework to protect the platform, company, and customers through a risk-based approach to security. They will enhance engineering and development capabilities within the GRC team; implement contemporary, cost-effective tools and practices to automate historically manual activities; and leverage AI and ML where appropriate to optimize efficiencies while delivering at scale and with speed while managing emerging risk and supporting product and business innovation. This position will leverage leading security frameworks like NIST, ISO, and BSIMM as foundations for the overall security program while driving continuous improvement. The role will ensure that security governance mechanisms and documentation are implemented and effective. The Senior Director will also be responsible for driving revenue growth through direct support to Sales teams, managing customer security assurance, ensuring audit readiness in preparation for certification and global regulatory and customer requirements. Ultimately, the Senior Director will be responsible for managing GRC product innovation, development, engineering, and delivery. The role will deepen security within the platform and across the enterprise, while enhancing customer trust. They will be charged with optimizing the GRC user experience - serving as the product owner for the security controls framework and security risk mitigation; ensuring policies, standards, procedures, and controls are designed for adoption, automated by default, and measured through real-time data; and driving revenue growth through GRC support to the business. This position is a people manager role reporting to the Group Vice President, Chief Information Security Officer.

Requirements

15+ years' working experience in Security GRC, Product Security, Application Security, Engineering, Trust and Safety or closely related security and engineering disciplines, with 8+ years in technical leadership roles
Bachelor's degree in computer science, data science, artificial intelligence, machine learning, cybersecurity, risk management, or a related technical field
Experience designing and leading security programs, including but not limited to security risk management, governance (especially under NIST, ISO, and FedRAMP frameworks), compliance, engineering/secure development, customer security assurance, product security, enterprise security, and trust and safety
Experience with NIST CSF, NIST SDF, NIST AI RMF, ISO 27001, SOC, BSIMM, IL5, FedRAMP High, and other, more narrowly tailored or geographically focused security frameworks
Experience driving automation strategies, predictive analytics, and data-driven insights
Experience in implementing or improving security tools where they previously did not exist, did not perform to expectations, and/or better options emerged (e.g., workflow tools, case management systems, agents developed and trained to meet mission)
Experience designing and embedding security controls across the business, plus validating efficacy
Experience defining security KPIs, metrics pipelines, and executive reporting frameworks
Experience with cross-functional collaboration and stakeholder engagement across technical and business relationships, especially with Product, Technology, Digital Technology, Sales, Security, and executive teams

Nice To Haves

Master's degree or higher
Deeply technical with strong strategic vision, tactical acumen, excellence in execution
Forward looking and acting with the ability to understand and address current and future threats and business requirements exceedingly well and manage products and their team to suit
Growth and product mindset; oriented to action and delivery; professional teammate
Excellent leadership, communications, and presentation skills
Certifications: CISSP, CCISO, CISM, CRISC, CGRC, CCSP, CSSLP, GSLC, GSEC, or equivalent
Substantial experience in implementing best practices and compliance obligations for AI product security and AI enterprise security
Demonstrated experience with modern security frameworks applied to cloud-native environments and SaaS products
Experience embedding GRC requirements into CI/CD pipelines (shift-left security)
Extensive technical knowledge, including network infrastructure, automated workflows, secure coding practices, cryptography basics, threat modeling, and data systems architecture
Strong experience with project management that includes a track record of success

Responsibilities

Lead and manage the global GRC team and program, including core components: GRC engineering, governance, risk, compliance, and customer security assurance
Manage a high-performing, product-driven team focused on measurable outcomes and continuous improvement. Implement tailored program goals, objectives, milestones, key results, and key performance indicators to drive consistent progress and outcomes
Define and drive a multi-year product vision and roadmap for security governance, risk, and compliance (including GRC engineering and development) focused on adoption and measurable risk reduction
Establish the architectural blueprint that transforms GRC into a scalable product platform and service
Set vision, strategy, and leadership for how governance, risk, and compliance are engineered and automated across the company, translating requirements into a technology-driven automation strategy
Manage architecting of scalable platforms for GRC automation and evidence production, while growing the team's technical skills sets and ensuring engineering and development best practices
Manage delivery and prioritization while ensuring timely delivery of GRC product, engineering, and risk reduction capabilities
Maintain expertise in components and capabilities of the product ecosystem as well as company infrastructure, environments, data, and security controls
Maintain expertise in security threats, trends, technologies, and industry best practices (existing and emerging)
Serve as a trusted leader/advisor to the CISO, other executives, and teams – translating technical risk into business impact, providing clear updates, trade-offs, and advice
Manage collaboration and effective relationships with cross-functional teams to ensure frictionless security and paved path approaches with leadership across the business
Manage the GRC budget and resourcing
Ensure security practices and controls meet internal security policy and standards, industry frameworks, and regulatory and customer requirements
Implement contemporary tooling and automation to optimize insights, efficiency, and efficacy while enhancing technical security rigor
Contribute to technical requirements, architectural design and modification documents, and educational resources
Serve as a senior escalation point for complex or high risk security issues; drive architectural, process, and implementation improvements from lessons learned
Implement the GRC strategy for using AI across GRC teams and responsibilities; maintain a high level of individual proficiency in using AI to perform daily and longer term tasks
Manage and continuously improve the company-wide Docusign security controls framework, ensuring controls are appropriately tailored and effective across all domains
Manage compliance requirements relevant to modern software development, enterprise security, and trust and safety protections against platform abuse
Serve as Security's primary liaison between technical teams and regulatory/audit bodies
Work closely with third-parties on assessments, audits, attestations, and in shaping security programs, roadmaps, and deliverables

Benefits

Paid Time Off: earned time off, as well as paid company holidays based on region
Paid Parental Leave: take up to six months off with your child after birth, adoption or foster care placement
Full Health Benefits Plans: options for 100% employer paid and minimum employee contribution health plans from day one of employment
Retirement Plans: select retirement and pension programs with potential for employer contributions
Learning and Development: options for coaching, online courses and education reimbursements
Compassionate Care Leave: paid time off following the loss of a loved one and other life-changing events
Bonus: Sales personnel are eligible for variable incentive pay dependent on their achievement of pre-established sales goals. Non-Sales roles are eligible for a company bonus plan, which is calculated as a percentage of eligible wages and dependent on company performance.
Stock: This role is eligible to receive Restricted Stock Units (RSUs).

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume