Product GRC Subject Matter Expert
Job Description:
• Build and maintain compliance frameworks (controls, evidence requirements, implementation guidance for SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, GDPR/CCPA)
• Design crosswalks and mappings; maintain bidirectional crosswalks and operationalize mappings in-product
• Define content quality standards, establish QA processes and metrics
• Drive end-to-end GRC product enablement: modular content for risk management, POA&M, policy management, access reviews, Trust Center artifacts, third-party risk management
• Act as product advisor in discovery & design; author PRDs/acceptance criteria
• Author automated tests & continuous monitoring; translate controls into spec-level automated tests, pair with Engineering to implement detectors
• Partner with Product to drive roadmap and own backlog for framework/content improvements
• Enable AI-assisted compliance: translate SME knowledge into machine-readable specs, design LLM-powered guidance, define evaluation sets and safety guardrails
• Synthesize feedback from customers, auditors, partners, and internal teams to iterate and resolve issues
Requirements:
• 5-7+ years in GRC and/or Information Security with hands‑on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800‑53)
• Experience with cloud environments and SaaS is strongly preferred
• Federal experience (e.g., FedRAMP) is a plus
• Bachelor’s degree in Computer Science preferred; advanced degree a plus
• Deep understanding of controls, risks, testing approaches, evidence standards, and program operations
• Ability to translate requirements into productizable capabilities; comfort with experimentation and data‑driven prioritization
• Technical & automation skills: experience with AI tools, simple automations, integrations (Sheets/Airtable, APIs, webhooks), and designing AI-augmented workflows
• Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets
• Excellent written and verbal communication; ability to partner with engineers, designers, GTM teams, auditors, and customers
• Self-motivated, independent, adaptable in a fast-paced environment
• Nice-to-have: Experience with privacy regulations (GDPR/CCPA), risk quantification (e.g., FAIR), audit/assessor background, or B2B SaaS content/enablement
• Preferred certifications: CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI‑ISA/QSA
Benefits:
• Industry-competitive compensation
• 100% covered medical, dental, and vision benefits with dependents coverage
• 16 weeks fully-paid parental Leave for all new parents
• Health & wellness and remote workplace stipends
• Family planning benefits through Carrot Fertility
• 401(k) matching
• Flexible work hours and location
• Open PTO policy
• 11 paid holidays in the US
• Offices in SF, NYC, London, Dublin, and Sydney
• Build and maintain compliance frameworks (controls, evidence requirements, implementation guidance for SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, GDPR/CCPA)
• Design crosswalks and mappings; maintain bidirectional crosswalks and operationalize mappings in-product
• Define content quality standards, establish QA processes and metrics
• Drive end-to-end GRC product enablement: modular content for risk management, POA&M, policy management, access reviews, Trust Center artifacts, third-party risk management
• Act as product advisor in discovery & design; author PRDs/acceptance criteria
• Author automated tests & continuous monitoring; translate controls into spec-level automated tests, pair with Engineering to implement detectors
• Partner with Product to drive roadmap and own backlog for framework/content improvements
• Enable AI-assisted compliance: translate SME knowledge into machine-readable specs, design LLM-powered guidance, define evaluation sets and safety guardrails
• Synthesize feedback from customers, auditors, partners, and internal teams to iterate and resolve issues
Requirements:
• 5-7+ years in GRC and/or Information Security with hands‑on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800‑53)
• Experience with cloud environments and SaaS is strongly preferred
• Federal experience (e.g., FedRAMP) is a plus
• Bachelor’s degree in Computer Science preferred; advanced degree a plus
• Deep understanding of controls, risks, testing approaches, evidence standards, and program operations
• Ability to translate requirements into productizable capabilities; comfort with experimentation and data‑driven prioritization
• Technical & automation skills: experience with AI tools, simple automations, integrations (Sheets/Airtable, APIs, webhooks), and designing AI-augmented workflows
• Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets
• Excellent written and verbal communication; ability to partner with engineers, designers, GTM teams, auditors, and customers
• Self-motivated, independent, adaptable in a fast-paced environment
• Nice-to-have: Experience with privacy regulations (GDPR/CCPA), risk quantification (e.g., FAIR), audit/assessor background, or B2B SaaS content/enablement
• Preferred certifications: CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI‑ISA/QSA
Benefits:
• Industry-competitive compensation
• 100% covered medical, dental, and vision benefits with dependents coverage
• 16 weeks fully-paid parental Leave for all new parents
• Health & wellness and remote workplace stipends
• Family planning benefits through Carrot Fertility
• 401(k) matching
• Flexible work hours and location
• Open PTO policy
• 11 paid holidays in the US
• Offices in SF, NYC, London, Dublin, and Sydney