Drive the transformation of compliance into a Continuous Assurance engine that underpins enterprise growth and trust, while overseeing high-impact security strategies.
The Mission
As the Director of GRC, you are a revenue enabler and a cornerstone of our enterprise growth strategy. Reporting to the SVP of Operations, you will transform compliance from a reactive exercise into a Continuous Assurance engine. You will be responsible for building a gold-standard compliance program that not only meets the highest regulatory bars but also serves as a primary driver of customer trust.
This role offers rare visibility across the full spectrum of enterprise security and compliance, from direct engagement with 3PAOs to front-line conversations with Fortune 500 security teams during the sales cycle. You will build and own programs from the ground up, establishing the institutional foundations that will scale with the company. For a security leader looking to move beyond maintaining inherited programs, this is a high-ownership, high-impact seat at a company where GRC is treated as a core business function. Your work will be visible to the board, referenced by customers, and directly tied to revenue outcomes.
Framework Mastery, Expansion & Product Advocacy
Audit Ownership: Lead the end-to-end strategy and lifecycle for SOC 2 Type II and FedRAMP Moderate authorizations. You will act as the primary liaison for 3PAOs and agency sponsors, ensuring our continuous monitoring (ConMon) remains flawless.
Strategic Roadmap: Architect the expansion of our compliance program into new frameworks as we scale, including ISO 27001, NIST AI RMF, and other emerging global standards.
The "Showcase User": Serve as the internal owner of our own platform implementation. You will ensure we are the industry's premier "gold standard" user of our GRC tools, providing a referenceable model for our customers and partnering with Product to drive innovation.
Security Awareness & Training: Own and mature the company-wide security awareness and role-based training program, satisfying NIST 800-53 AT control family requirements and FedRAMP ConMon obligations. Ensure training content is current, measurable, and tied directly to threat trends and audit findings.
External Trust & Third-Party Governance
Sales Enablement & Trust Center: Act as the technical authority representing our security posture to prospective and current enterprise customers. You will establish and manage a scalable process for responding to security questionnaires and proactively managing our Trust Center to accelerate sales cycles.
Vendor Risk Management: Direct the assessment of all current and prospective third-party providers. You will ensure our vendor ecosystem adheres to our strict security and compliance standards, managing risk throughout the supply chain.
Penetration Testing & External Validation: Govern the annual penetration testing program and any third-party security assessments, ensuring scope, methodology, and findings are managed to closure and available as evidence for customer due diligence and audit purposes.
Cross-Functional Partnership: Partner deeply with DevOps, IT, and Engineering to automate evidence collection. You will move the company toward a model where compliance is a natural byproduct of our engineering excellence.
Incident Response & Operational Resilience
IR Leadership: Serve as the designated Primary Lead for all security events and incident response activities. You will define and maintain the response playbooks used to identify, contain, and remediate security events.
Continuous Readiness: Institutionalize and lead Annual Tabletop Exercises (minimum 1x per year) to stress-test our response processes and uncover gaps in our cross-functional communication.
Operational Integration: Ensure that lessons learned from security events are integrated back into our governance and technical controls to prevent recurrence.
Business Continuity & Disaster Recovery Governance: Oversee the governance of Business Continuity and Disaster Recovery plans, ensuring BCP/DRP documentation, RTOs/RPOs, and annual testing satisfy NIST 800-53 CP control family requirements and FedRAMP obligations.
Data Privacy & Risk Strategy
Global Privacy: Oversee our GDPR and US privacy compliance efforts, ensuring "Privacy by Design" is integrated into our product development and data handling practices.
Quantified Risk: Maintain and evolve the corporate risk register. You will provide the SVP of Operations with data-driven, quantified risk insights to guide resource allocation and strategic business decisions.
Security Metrics & KRI Reporting: Define and maintain a security metrics program including Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). Report to leadership a consistent, board-ready view of security posture, program maturity, and trend data over time.
Secure Software Development & Vulnerability Management
Secure SDLC Governance & Framework Alignment: Embed security controls across the SDLC, from threat modeling and secure design through static/dynamic analysis and pre-production gates, ensuring demonstrable alignment to appropriate compliance frameworks.
CVE Management & Vulnerability Lifecycle: Coordinate the vulnerability management program end-to-end, working with the SVP of Engineering to enable SLA-driven remediation of CVEs across product and infrastructure, using a CVSS-informed, risk-based approach with executive-level reporting on residual risk posture.
Developer Security Enablement: Collaborate with DevOps engineering to integrate security tooling into CI/CD pipelines, defining guardrails for container images, IaC, and dependency management that enforce secure defaults without impeding engineering velocity.
Bug Intake & Coordinated Disclosure Program: Maintain and improve the formalized security bug intake program and Coordinated Vulnerability Disclosure (CVD) policy. Ensure a tracking and ownership process exists for routing internally discovered and externally reported vulnerabilities, and track all findings to closure.
Requirements & Qualifications
Certification: CISSP is strictly required.
Experience: 8+ years in GRC or Information Security leadership within a high-growth SaaS environment.
Framework Expertise: Direct experience achieving or maintaining a FedRAMP Moderate ATO; deep familiarity with NIST 800-53 controls is essential.
Incident Response: Proven ability to lead through security events and design robust response frameworks.
Technical Literacy: Ability to discuss cloud architecture (AWS/Azure), IAM roles, and containerization with senior engineering and DevOps leads.
Communication: High-level executive presence for board and customer reporting, paired with a "roll-up-your-sleeves" attitude required in a small, agile team.
It’s an exciting time to be at Hyperproof — we recently raised $40 million in our Series B financing, further cementing Hyperproof as the emerging leader in the risk and compliance management space.
At Hyperproof’s core are our passionate team members who focus on user experience, beautiful design, and evangelize a positive social impact of our cloud based platform. We help organizations streamline their risk and compliance workflows so our customers can spend more time strategically managing programs and less time wrangling spreadsheets.
We are disrupting the governance, risk, and compliance software space with our innovative platform by helping traditionally unsung heroes (compliance professionals) do the right things so the wrong things don’t happen.
Learn more about the @hyperproof culture and how it all started.
A NOTE ABOUT OUR INTERVIEW PROCESS
We’re committed to creating a fair, respectful, and secure hiring experience for everyone. As part of that commitment, we use standard verification steps throughout our interview process.
Here’s what that means for you:
To ensure a smooth interview process, all candidates will be required to provide a valid phone number that is not a VOIP (Voice Over Internet Protocol) number. This helps us maintain clear and reliable communication throughout your interview experience.
These steps are applied consistently for all candidates and are designed to ensure an equitable experience for everyone.
EQUAL OPPORTUNITY EMPLOYER
Hyperproof is committed to a diverse and inclusive workplace — it’s one of our core values! Hyperproof is an equal opportunity employer and does not discriminate on the basis of race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or other legally protected status.
Our company is dedicated to building a diverse, inclusive, and authentic workplace. If you're excited about this role, but your experience doesn't perfectly fit every qualification, we encourage you to apply anyway. You may be just the right person for this role or others.
WHAT WE OFFER TO OUR EMPLOYEES
Please note: Benefits listed below are for employees in the United States; contractor roles or international positions may differ.
Health Insurance
Health: coverage for medical, dental, and vision - employee and dependents
Home Office Stipend
$500 home office stipend at the time of hire. Additional home office needs can be requested as they arise.
Two company-wide breaks
Two Hypercharge weeks of rest where we close company-wide (July & Dec)
Paid Parental Leave
12 weeks of parental leave and 1 year of free diapers and wipes with Honest
Paid Time Off
Unlimited PTO: strongly encouraged to unplug and recharge
Wellness Stipend
$100 quarterly paid wellness stipend
Hyperproof builds a streamlined platform that simplifies risk and compliance workflows for organizations. Catering to businesses that prioritize operational efficiency and social impact, Hyperproof stands out with its strong emphasis on user experience.