Director, GRC & Privacy Security
New York, NY | Hybrid | 8+ YOE
Summary
Build and lead the GRC and privacy function for a high-growth fintech prediction market platform. Establish risk management, compliance programs (SOC 2, PCI-DSS), and data privacy across multiple jurisdictions while managing auditors and developing a team of three.
About the role
What You'll Do
- Build and own the enterprise security risk management program — risk register, risk appetite framework, risk scoring methodology, and regular reporting to the CISO and executive leadership
- Establish and maintain the security control framework, mapping controls to applicable standards (SOC 2 TSCs, PCI-DSS, CIS Controls) across all entities and subsidiaries
- Drive security policy development and lifecycle management — authoring, reviewing, approving, and enforcing policies across the organization
- Lead the company's security committee and governance forums, ensuring risk decisions are documented, escalated appropriately, and tracked to resolution
- Own the end-to-end compliance program for SOC 2 Type II and PCI-DSS — scoping, control design, evidence collection, auditor management, and remediation tracking
- Build continuous audit readiness rather than a point-in-time posture; automate compliance evidence collection where possible
- Manage relationships with external auditors, certification bodies, and regulators; serve as the primary point of contact for audit engagements across all entities
- Own the third-party risk management program — vendor security assessments, contractual security requirements, ongoing monitoring, and escalation of high-risk findings
- Oversee the data privacy program in partnership with Legal, ensuring compliance with GDPR, CCPA, and applicable regulations across all jurisdictions where the company operates
- Ensure privacy-by-design is embedded in the product development process and that data processing activities are documented, lawful, and consistent with stated privacy notices
- Manage data subject rights obligations and privacy incident response, including breach notification requirements under applicable law
What We're Looking For
- 8+ years of experience in GRC, information security compliance, or a related field, with 3+ years in a management or program leadership role
- Deep, hands-on experience with SOC 2 Type II — managed or led multiple audit cycles and understand the TSCs, evidence requirements, and auditor dynamics
- Strong working knowledge of PCI-DSS v4.0 and experience implementing or managing PCI compliance programs
- Demonstrated experience managing compliance across multiple legal entities or subsidiaries with overlapping and distinct regulatory obligations
- Experience building or significantly maturing a GRC program
- Working knowledge of GDPR and CCPA and the operational requirements they impose on a data-handling business
- Ability to communicate risk and compliance requirements clearly to technical teams, business stakeholders, and executive leadership
- Experience managing external auditor relationships and serving as the primary organizational point of contact during audit engagements
Nice to have:
- Experience in fintech, payments, cryptocurrency, or financial services — familiarity with money transmitter licensing or FinCEN obligations
- Professional certifications: CISM, CRISC, CISSP, CIPP/E, CIPP/US, or equivalent
- Exposure to ISO 27001, CIS, or NIST CSF as additional compliance frameworks
- Experience with GRC platforms (Vanta, Drata, Tugboat Logic, ServiceNow GRC, or equivalent)
- Familiarity with AWS cloud environments and how cloud-native architectures affect control design and evidence collection
- Prior experience standing up a GRC function in a high-growth, previously unstructured environment
Benefits
- Competitive salary & equity
- Unlimited PTO
- Full Health, Vision, & Dental coverage
- 401k match
- Hardware setup: new MacBook Pro, big display, & accessories
Skills
SOC 2 Type II, PCI-DSS, GDPR, CCPA, Risk Management, GRC, Compliance, Third-Party Risk Management, Policy Development, Audit Management