Staff Trust & Assurance Engineer

Kikoff, San Francisco, CA
$260,700 - $304,700

About The Position

As the Staff Trust & Assurance Engineer, you will report to the Lead of Security and be the first dedicated hire establishing Kikoff's Trust & Assurance function within Security. You will own the design, operation, and attestation of the cybersecurity controls that external auditors, regulators, and B2B customers rely on. The function is engineering-led, with a strong emphasis on automation, code-backed control operations, and AI-assisted evidence workflows. You will partner closely with the SOX Manager in the CFO org as a cybersecurity control owner, while owning the cyber compliance program end-to-end for SOC 2 and PCI. You will lead three connected work streams: security compliance (SOC 2, PCI, and IT general controls supporting SOX), customer assurance (questionnaires, trust portal, sub-processor inventory), and third-party risk management.

Requirements

  • 7+ years of experience in security compliance, GRC, or technical audit, with a primary focus on cloud-native environments.
  • Has owned at least one SOC 2 Type II cycle end-to-end, including design, evidence, walkthroughs, and auditor defense.
  • Hands-on experience with PCI DSS, including SAQ environments and tokenization-driven scope reduction.
  • Able to read and modify code, infrastructure-as-code, and IAM policies. Comfortable working in Git-based engineering workflows and shipping changes through CI/CD.
  • Understanding of cloud infrastructure and modern AI-native technologies.
  • Demonstrated experience managing external auditors and translating control requirements into engineering deliverables.
  • Excellent written communication, with the ability to produce auditor-ready documentation and engineering-ready specifications.
  • Comfortable operating across functional boundaries, including Engineering, Legal, and Finance.

Nice To Haves

  • Prior experience as a control owner supporting SOX IT general controls audits in a pre-IPO or newly public company.
  • Experience building or operating AI- or LLM-driven GRC automation, including custom agents, MCP servers, or evidence-collection pipelines.
  • Background in IPO readiness or newly public company environments.
  • Familiarity with ISO 27001, ISO 42001, FedRAMP, CMMC 2.x, or NIST 800-53.

Responsibilities

  • Own Kikoff's SOC 2 Type II program end-to-end, including scoping, control design, evidence collection, walkthroughs, and external auditor management.
  • Maintain Kikoff's PCI DSS self-attestation, including annual SAQ completion, scope analysis to ensure cardholder data remains with our payment processors, payment-vendor oversight, and monitoring product and engineering changes that could expand scope.
  • Serve as the cybersecurity control owner for IT general controls supporting the SOX program, partnering with the SOX Manager on logical access, change management, and related areas.
  • Operationalize the GLBA Safeguards Rule technical controls across the program elements.
  • Source and steward the substantive cybersecurity content behind SEC Regulation S-K Item 106 disclosures, working with Legal on language and with the SOX Manager on disclosure controls.
  • Own the customer and vendor security questionnaire pipeline, including reusable evidence libraries and a self-serve trust portal.
  • Design and operate the internal cybersecurity control testing and continuous monitoring program in partnership with Security Engineering.
  • Build policy-as-code, compliance-as-code, and AI-driven evidence automation that scales with the engineering organization.
  • Serve as the primary cybersecurity audit contact for SOC 2, PCI, and customer-driven cyber assessments.

Benefits

  • record revenue growth in 2025
  • unicorn valuation
  • build something meaningful
  • help millions of people move forward financially
  • serial entrepreneurs who have built strong consumer brands and innovative products
  • extreme ownership
  • clear communication
  • strong sense of craftsmanship
  • desire to create lasting work and work relationships
  • build an exciting business
  • real-life real-customer impact
© 2026 Teal Labs, Inc