Senior GRC Engineer

Design, implement, and operate technical controls that satisfy SOC 2, ISO 27001, NIST, and GDPR requirements across our cloud (AWS), SaaS, and corporate environments.

Build and maintain integrations between our GRC platform (Drata) and source systems — IdP, cloud providers, ticketing, code repositories, HRIS, endpoint management — to automate evidence collection and continuous control monitoring.

Engineer "compliance-as-code" workflows: codify policies and controls, automate drift detection, and surface failing controls back to owning teams via Jira, Slack, or dashboards.

Support and progressively automate audit readiness: SOC 2 Type II, ISO 27001 (and any future certifications such as HIPAA, FedRAMP, PCI as the strategy evolves), preparing evidence, walking auditors through controls, and remediating findings.

Operate the enterprise risk register day-to-day: run risk assessments, track mitigations, and produce reporting that helps leadership make decisions.

Build and run the technical side of the vendor security program — questionnaire automation, tiering, evidence review, and ongoing monitoring of critical vendors.

Partner with IT, Product, and Engineering to embed security and compliance requirements into the SDLC, change management, access reviews, and infrastructure provisioning.

Contribute to incident response from the GRC side: maintain runbooks and policies, ensure regulatory and contractual notification timelines are met, and capture evidence and lessons learned.

Partner with Legal/Privacy on GDPR obligations, data residency, DPAs, and customer security commitments.

Help mature security awareness and training — measuring effectiveness, not just running it.

5+ years in security, with at least 2–3 years in a GRC engineering, security engineering, or compliance automation role at a SaaS or cloud-native company.

Strong working knowledge of SOC 2, ISO 27001, NIST CSF / 800-53, and GDPR, and what it takes to actually operate (not just pass) them.

Hands-on experience with a modern GRC platform (Ideally Drata) — including building or extending its integrations, not just clicking through the UI.

Comfortable using AI tools to accelerate delivery and scale impact.

Comfortable writing code (Python, Go, or similar) and working with cloud APIs (AWS), Terraform/IaC, and CI/CD pipelines.

Solid understanding of cloud security, identity and access management, and how engineering teams ship software.

Experience supporting external audits as a technical lead and remediating findings.

Working knowledge of risk management frameworks and vendor security assessment.

Strong written communication — you can turn a control requirement into a clear ticket, runbook, or policy that gets adopted.

Bonus: relevant certifications (CISA, CISSP, ISO 27001 LI/LA, AWS/GCP security), experience with privacy engineering, or prior work building a GRC function from early stage to audit-ready.