GRC Careers


Director of Governance, Risk, and Compliance (GRC)

Hyperproof
Compliance · Remote · Full-time

The Mission

As the Director of GRC, you are a revenue enabler and a cornerstone of our enterprise growth strategy. Reporting to the SVP of Operations, you will transform compliance from a reactive exercise into a Continuous Assurance engine. You will be responsible for building a gold-standard compliance program that not only meets the highest regulatory bars but also serves as a primary driver of customer trust.

This role offers rare visibility across the full spectrum of enterprise security and compliance, from direct engagement with 3PAOs to front-line conversations with Fortune 500 security teams during the sales cycle. You will build and own programs from the ground up, establishing the institutional foundations that will scale with the company. For a security leader looking to move beyond maintaining inherited programs, this is a high-ownership, high-impact seat at a company where GRC is treated as a core business function. Your work will be visible to the board, referenced by customers, and directly tied to revenue outcomes.

Framework Mastery, Expansion & Product Advocacy

- Audit Ownership: Lead the end-to-end strategy and lifecycle for SOC 2 Type II and FedRAMP Moderate authorizations. You will act as the primary liaison for 3PAOs and agency sponsors, ensuring our continuous monitoring (ConMon) remains flawless.
- Strategic Roadmap: Architect the expansion of our compliance program into new frameworks as we scale, including ISO 27001, NIST AI RMF, and other emerging global standards.
- The Showcase User: Serve as the internal owner of our own platform implementation. You will ensure we are the industry’s premier gold-standard user of our GRC tools, providing a referenceable model for our customers and partnering with Product to drive innovation.
- Security Awareness & Training: Own and mature the company-wide security awareness and role-based training program, satisfying NIST 800-53 AT control family requirements and FedRAMP ConMon obligations. Ensure training content is current, measurable, and tied directly to threat trends and audit findings.

External Trust & Third-Party Governance

- Sales Enablement & Trust Center: Act as the technical authority representing our security posture to prospective and current enterprise customers. You will establish and manage a scalable process for responding to security questionnaires and proactively managing our Trust Center to accelerate sales cycles.
- Vendor Risk Management: Direct the assessment of all current and prospective third-party providers. You will ensure our vendor ecosystem adheres to our strict security and compliance standards, managing risk throughout the supply chain.
- Penetration Testing & External Validation: Govern the annual penetration testing program and any third-party security assessments, ensuring scope, methodology, and findings are managed to closure and available as evidence for customer due diligence and audit purposes.
- Cross-Functional Partnership: Partner deeply with DevOps, IT, and Engineering to automate evidence collection. You will move the company toward a model where compliance is a natural byproduct of our engineering excellence.

Incident Response & Operational Resilience

- IR Leadership: Serve as the designated Primary Lead for all security events and incident response activities. You will define and maintain the response playbooks used to identify, contain, and remediate security events.
- Continuous Readiness: Institutionalize and lead Annual Tabletop Exercises (minimum 1x per year) to stress-test our response processes and uncover gaps in our cross-functional communication.
- Operational Integration: Ensure that lessons learned from security events are integrated back into our governance and technical controls to prevent recurrence.
- Business Continuity & Disaster Recovery Governance: Oversee the governance of Business Continuity and Disaster Recovery plans, ensuring BCP/DRP documentation, RTOs/RPOs, and annual testing satisfy NIST 800-53 CP control family requirements and FedRAMP obligations.

Data Privacy & Risk Strategy

- Global Privacy: Oversee our GDPR and US privacy compliance efforts, ensuring Privacy by Design is integrated into our product development and data handling practices.
- Quantified Risk: Maintain and evolve the corporate risk register. You will provide the SVP of Operations with data-driven, quantified risk insights to guide resource allocation and strategic business decisions.
- Security Metrics & KRI Reporting: Define and maintain a security metrics program including Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). Report to leadership a consistent, board-ready view of security posture, program maturity, and trend data over time.

Secure Software Development & Vulnerability Management

- Secure SDLC Governance & Framework Alignment: Embed security controls across the SDLC, from threat modeling and secure design through static/dynamic analysis and pre-production gates, ensuring demonstrable alignment to appropriate compliance frameworks.
- CVE Management & Vulnerability Lifecycle: Coordinate the vulnerability management program end-to-end, working with the SVP of Engineering to enable SLA-driven remediation of CVEs across product and infrastructure, using a CVSS-informed, risk-based approach with executive-level reporting on residual risk posture.
- Developer Security Enablement: Collaborate with DevOps engineering to integrate security tooling into CI/CD pipelines, defining guardrails for container images, IaC, and dependency management that enforce secure defaults without impeding engineering velocity.
- Bug Intake & Coordinated Disclosure Program: Maintain and improve the formalized security bug intake program and Coordinated Vulnerability Disclosure (CVD) policy. Ensure a tracking and ownership process for routing internally discovered and externally reported vulnerabilities, tracking all findings to closure.

Requirements & Qualifications

- Certification: CISSP is strictly required.
- Experience: 8+ years in GRC or Information Security leadership within a high-growth SaaS environment.
- Framework Expertise: Direct experience achieving or maintaining a FedRAMP Moderate ATO; deep familiarity with NIST 800-53 controls is essential.
- Incident Response: Proven ability to lead through security events and design robust response frameworks.
- Technical Literacy: Ability to discuss cloud architecture (AWS/Azure), IAM roles, and containerization with senior engineering and DevOps leads.

Communication: High-level executive presence for board and customer reporting, paired with a roll-up-your-sleeves attitude required in a small, agile team.

Pay Transparency

Full compensation packages are based on candidate experience and certifications.

- WA pay range: $146,000 – $206,000 USD
- CA pay range: $146,000 – $206,000 USD
- NY pay range: $146,000 – $206,000 USD
- USA pay range: $146,000 – $206,000 USD

WHERE YOU’LL GO

- Hyperproof also loves to see an internal transfer. If a linear career path is not what you’re looking for, you can work with your manager and our people team to explore lateral moves to other parts of the organization as you continue to grow with us.

WHAT WE OFFER TO OUR EMPLOYEES

Please note: Benefits listed below are for employees in the United States; contractor roles or international positions may differ.

- Annual compensation reviews + equity
- Unlimited PTO: strongly encouraged to unplug and recharge
- Health: coverage for medical, dental, and vision - employee and dependents
- 401K, which vests immediately, complete with a 4% company match
- 12 weeks of Parental leave and 1 year free diapers and wipes with Honest
- Annual company in-person events and quarterly in-person connects
- $500 home office stipend at the time of hire. Any additional home office needs are requested as needed.
- $100 quarterly paid wellness stipend
- Pet insurance discount
- Slack channel notifications turn off after 5 pm based on your time zone
- Two Hypercharge weeks of rest where we close company-wide (July & Dec)

It’s an exciting time to be at Hyperproof — we recently raised $40 million (https://hyperproof.io/resource/hyperproof-reaches-40m-growth-funding/) in our Series B financing, further cementing Hyperproof as the emerging leader in the risk and compliance management space.

At Hyperproof’s core are our passionate team members who focus on user experience, beautiful design, and evangelize a positive social impact of our cloud-based platform. We help organizations streamline their risk and compliance workflows so our customers can spend more time strategically managing programs and less time wrangling spreadsheets.

We are disrupting the governance, risk, and compliance software space with our innovative platform by helping traditionally unsung heroes (compliance professionals) do the right things so the wrong things don’t happen.

Learn more about the @hyperproof culture (https://hyperproof.io/about-hyperproof/) and how it all started (https://hyperproof.io/resource/hyperproof-founding-story/).

A NOTE ABOUT OUR INTERVIEW PROCESS

We’re committed to creating a fair, respectful, and secure hiring experience for everyone. As part of that commitment, we use standard verification steps throughout our interview process.

Here’s what that means for you:

- We may conduct routine verification checks during the hiring process.
- You might be asked additional questions to better understand your experience and background.
- For video interviews, we ask that candidates be on camera without filters or visual modifications.

These steps are applied consistently for all candidates and are designed to ensure an equitable experience for everyone.

EQUAL OPPORTUNITY EMPLOYER

Hyperproof is committed to a diverse and inclusive workplace — it’s one of our core values (https://hyperproof.io/about-hyperproof/)! Hyperproof is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status.

Our company is dedicated to building a diverse, inclusive, and authentic workplace. If you’re excited about this role, but your experience doesn’t perfectly fit every qualification, we encourage you to apply anyway. You may be just the right person for this role or others.

To ensure a smooth interview process, all candidates will be required to provide a valid phone number that is not a VOIP (Voice Over Internet Protocol) number. This helps us maintain clear and reliable communication throughout your interview experience.