Sr. Manager, Governance Risk and Compliance

Role Description and Mission:

The Senior Manager, Governance, Risk, and Compliance (GRC) is a strategic leadership position accountable for the architectural integrity of the organization's cybersecurity policies, risk governance frameworks, and contractual compliance standards. Reporting directly to the Chief Information Security Officer (CISO), this role oversees the end-to-end audit lifecycle, external security certifications, and client trust assessments across the enterprise B2B2C platform. The Senior Manager partners across Security, Engineering, and Legal to engineer security exhibits, manage the third-party vendor risk ecosystem, and drive the modernization of GRC operations through automated compliance tooling and generative AI applications. This position ensures that the organization’s security and privacy controls scale alongside evolving regulatory environments while maintaining the rigorous security posture expected by major automotive, insurance, and fleet enterprise partners. 

Key Outcomes: 

• Audit Lifecycle & Client Trust Leadership: Command the end-to-end response strategy for annual client security assessments; direct the preparation and multi-day presentation of complex technical evidence to sophisticated enterprise partners.
• External Framework Certification: Own the successful execution, maintenance, and scope validation of core compliance frameworks, including PCI-DSS, ISO 27001, SOC2 Type II, and TISAX.
• Contractual Security Engineering: Partner with the Legal and Strategic Procurement teams to draft, review, and negotiate security exhibits within client and vendor contracts, ensuring committed promises align directly with technical capabilities.
• Policy Architecture & Governance: Develop, implement, and enforce a comprehensive library of corporate security policies that satisfy global standards while remaining functional and frictionless for a software-driven enterprise.
• Regulatory Compliance & Privacy Design: Monitor global regulatory environments (e.g., CCPA/CPRA, GDPR, and emerging automotive cybersecurity mandates); collaborate with Privacy Owners to design underlying cyber strategies, documentation, and procedures.
• GRC Automation & Technology Innovation: Direct the modernization of the GRC infrastructure by maximizing the ROI of continuous monitoring platforms and deploying/tuning Generative AI tools to automate high-volume compliance workflows.
• Cross-Functional Security Integration: Serve as a core member of the Cybersecurity leadership team, collaborating with Product and Engineering leads to ensure security and legal requirements are embedded natively into the product development lifecycle.
• Team Leadership & Development: Directly manage, mentor, and evaluate the performance of GRC team professionals, aligning resource allocation with the organization's audit pipeline and strategic deadlines.

Skills, Education and Experience:

Education: Bachelor's degree in Computer Science, Information Security, Information Technology, or a related technical field is required. Active CISSP or CISM certification is required. 

Experience: 8+ years of progressive experience in Cybersecurity, GRC, or IT Audit. A minimum of 2 years of direct people management or leadership experience. Proven track record managing complex frameworks (SOC2, PCI, ISO, TISAX), translating technical controls into contractual language, and implementing automated GRC workflows. Privacy, cloud-architecture, or specialized IT audit certifications are highly preferred. 

Knowledge, Skills & Abilities:  

• Audit Command & Framework Expertise: Capable of leading enterprise-level certification lifecycles (SOC2, PCI, ISO, TISAX) and orchestrating complex evidence presentations for sophisticated, tier-one client stakeholders.
• Contractual Literacy & Legal Alignment: Can collaborate with Legal Counsel to interpret, draft, and negotiate complex security exhibits, ensuring technical parameters are accurately reflected in commercial and vendor agreements.
• GRC Automation & Technical Innovation: Proficient in leveraging compliance automation platforms and utilizing Generative AI/LLM tools to scale evidence collection and automate security questionnaire responses.
• Regulatory Synthesis & Privacy Design: Capable of translating shifting global privacy laws and government cybersecurity mandates into actionable corporate strategies, operational procedures, and policy requirements.
• Executive & Adaptable Communication: Can shift communication style fluidly between a "deep dive" technical review with Software Engineers and an executive "risk briefing" with General Counsel or client C-suites.
• Policy Architecture & Systems Thinking: Capable of designing a comprehensive security policy framework that scales to satisfy rigorous enterprise auditing while supporting a developer-friendly, agile technology ecosystem.
• Strategic Problem Solving & Risk Remediation: Approaches control deficiencies and compliance gaps with a proactive mindset; capable of conducting root-cause analyses and designing scalable, risk-adjusted remediation strategies to protect the organization's security posture. 
• Strategic Relationship Management & Influencing: Capable of serving as a cybersecurity evangelist to cultivate deep, trust-based partnerships across enterprise leadership; utilizes strategic diplomacy to align cross-functional goals and successfully drive complex security initiatives without relying on direct authority. 

Hiring In:

• United States: Arizona, California, Florida, Georgia, Illinois, Massachusetts, Michigan, New Hampshire, New York State, New Mexico, North Carolina, Tennessee, Virginia

WORKING RELATIONSHIPS:  This position reports directly to the Chief Information Security Officer (CISO) and manages a direct report. The Senior Manager maintains deep collaborative partnerships with the Legal Team (including Privacy Owners), Engineering and Product Leadership, and the Strategic Procurement Team. Externally, this role interfaces with executive auditors, third-party vendor risk assessment teams, and security leaders at partner enterprise organizations. 

ADDITIONAL REQUIREMENTS: Position location and hybrid/remote status are determined by corporate policy. Periodic availability outside of standard working hours may be required to accommodate time-sensitive client audits, regulatory submission deadlines, or critical security reviews. 

THIS DESCRIPTION IS NOT INTENDED TO BE A COMPLETE STATEMENT OF JOB CONTENT, RATHER TO ACT AS A GUIDE TO THE ESSENTIAL FUNCTIONS PERFORMED.  MANAGEMENT RETAINS THE DISCRETION TO ADD TO OR CHANGE THE DUTIES OF THE POSITION AT ANY TIME.

The anticipated closing date to submit applications for this role is July 1st, 2026. Join our Greenhouse Candidate Portal to track your application status and receive instant alerts for future openings.