Senior GRC Analyst
Docker has been one of the most loved brands in developer tooling, trusted by more than 20 million monthly users and over 20 billion container image pulls. From solo founders to the world's largest companies, developers rely on Docker to build, share, and run their applications across our suite of products including Docker Desktop, Docker Hub, and Docker Scout.
We are a globally distributed, remote-first team building the tools that define how software gets built and delivered. As AI agents redefine software development, Docker is at the center of that shift, providing the sandboxed environments, verified images, and secure infrastructure that make autonomous workflows trustworthy by default.
As a Senior GRC Analyst, you will report to the Security Engineering Manager – GRC and own the buildout and operation of Docker's risk management program. You will design and implement enterprise risk management processes, including security risk assessments, third-party risk management, and the risk register. You will also lead Docker's AI governance initiative, developing the policies, assessments, and controls needed to ensure responsible AI use across the company. This role requires a builder's mindset: someone who can take ambiguous problem spaces, define what good looks like, and deliver operational programs that scale. You will collaborate cross-functionally with Engineering, Product, Legal, IT, and Security Engineering to embed risk awareness into Docker's decision-making processes.
Responsibilities
- Own and drive the compliance program roadmap, aligning framework requirements (SOC 2, ISO 27001, ISO 27701, ISO 42001) with business objectives and product strategy
- Lead cross-functional compliance initiatives with Engineering, Product, Legal, and IT, serving as the authoritative voice on governance and risk matters
- Design and maintain Docker’s unified control framework, including cross-mapping to NIST 800-53 and identifying control gaps across multiple standards
- Plan and execute internal audits end-to-end: scoping, evidence collection, control testing, findings management, and external auditor coordination
- Advise GRC Engineering on which integrations to configure and which controls require automated monitoring
- Perform and lead risk assessments across systems, processes, third-party tools, and cloud configurations, translating findings into actionable risk treatment plans
- Own the vendor risk management program, evaluating third-party vendors against compliance and security standards and driving remediation of identified gaps
- Draft, review, and maintain corporate security policies and map them to relevant control standards, ensuring alignment across frameworks
- Establish and report on compliance metrics and KPIs, providing data-driven visibility into program maturity to leadership
- Stay current with evolving regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, AI governance regulations) and proactively assess their impact on Docker’s compliance posture
Requirements
- 4 to 6 years of experience in Information Security, Governance, Risk, and Compliance
- Demonstrated experience building or operating an enterprise risk management program, including risk assessments, risk registers, and risk treatment planning
- Experience with third-party risk management, including vendor security assessments and due diligence
- Working knowledge of security frameworks and standards including ISO 27001, SOC 2, NIST 800-53, and GDPR
- Familiarity with AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF) or a demonstrated ability to learn and apply new frameworks quickly
- Experience designing metrics and reporting for GRC programs, including dashboards and executive-level summaries
- Familiarity with cloud environments (AWS, GCP, Azure) and their risk and compliance implications
- Strong written and verbal communication skills with the ability to translate risk and compliance topics for both technical and non-technical audiences
- Track record of building and maturing GRC programs from the ground up, including defining processes, creating documentation, and operationalizing workflows
- Self-motivated with experience thriving in remote-first, fast-paced environments
- Nice to Have: Relevant industry certifications such as CRISC, CISA, CISSP, or CCSK
- Nice to Have: Experience with GRC platforms (Anecdotes, ServiceNow GRC, OneTrust, or similar)
- Nice to Have: Experience with automation or scripting for risk management workflows
- Learn Docker's risk landscape, key business processes, and existing risk documentation
- Meet with key stakeholders across Security, Legal, IT, Engineering, and Product
- Gain access to GRC platforms, risk management tools, and relevant documentation
- Review the current risk register, vendor inventory, and third-party assessment process
- Understand Docker's compliance frameworks (ISO 27001, ISO 27701, SOC 2) and how risk management integrates with assurance activities

- Conduct a maturity assessment of the risk management program and identify priority gaps
- Begin operationalizing the risk register with consistent scoring, ownership assignment, and treatment tracking
- Take ownership of third-party risk management, including the vendor assessment queue
- Kick off the AI governance initiative: inventory existing AI use cases and draft an AI governance policy
- Design an initial GRC metrics framework and deliver the first iteration of risk reporting to leadership
- Support audit activities as needed, providing evidence and coordinating with control owners

- Own and mature Docker's enterprise risk management program with documented processes, regular risk reviews, and executive reporting
- Deliver a fully operational third-party risk management program with defined SLAs, assessment workflows, and remediation tracking
- Establish Docker's AI governance program, including policy, assessment process, and alignment toward ISO 42001 readiness
- Deliver recurring GRC metrics and dashboards that provide leadership visibility into risk posture and program health
- Contribute to audit readiness and evidence collection for SOC 2, ISO 27001, and ISO 27701 cycles
- Serve as a trusted advisor on risk matters across cross-functional teams
We use Covey as part of our hiring and/or promotional process for jobs in NYC, and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate-submitted applications. We began using Covey Scout for Inbound on April 13, 2024.
Please see the independent bias audit report covering our use of Covey here.
Listing Details
- Posted: May 12, 2026
- First seen: May 13, 2026
- Last seen: May 13, 2026