This is a high-visibility, high-impact role at the center of Gong’s security and compliance story. As our Senior GRC Security Lead, you will be the architect of foundational programs we are building — Gong’s first-ever Common Controls Framework, standing up a formal risk process and register, implementing a GRC tooling ecosystem, and owning the full policy, standards, and exceptions management lifecycle.

This is not a role for someone looking to inherit a mature program. It’s a role for a builder — someone who thrives in ambiguity, operates with urgency, and finds energy in creating order from complexity. You will work directly with Legal, Sales, Engineering, Customer Audit teams, and executive stakeholders, and your fingerprints will be visible across everything Gong builds for compliance and trust for years to come.

RESPONSIBILITIES

• Design and implement Gong’s Common Controls Framework, mapping controls across SOC 2, ISO 27001, 27017, 27701, 27018, HIPAA, PCI, and other applicable frameworks.
• Rationalize overlapping requirements across frameworks to reduce compliance burden and create a single source of truth for control ownership.                                               
• Partner with Engineering, Infrastructure, and Product Security to embed controls at the architecture level, not just as audit checkboxes.
• Establish control testing methodology, evidence collection standards, and continuous control monitoring processes.
• Serve as the subject-matter expert on control mapping during customer and external audits, RFPs, and enterprise sales engagements.
• Build Gong’s product & enterprise risk register from the ground up — defining risk taxonomy, scoring methodology, risk appetite thresholds, and ownership models.
• Implementation of a GRC platform and system of record, and ability to build executive level dashboards to track vulnerability, risk, and control remediation.
• Create and maintain risk treatment plans in partnership with risk owners across the business, tracking remediation milestones and escalating blockers.
• Develop executive-level risk reporting cadences and dashboards for the Head of GRC and senior leadership.
• Own the complete lifecycle of Gong’s information security policy suite — creation, review cycles, version control, and employee acknowledgment tracking.
• Establish and operate a formal exceptions management program, including intake, risk assessment, approval workflows, compensating controls, and periodic review.
• Ensure policies remain aligned with evolving regulatory requirements, industry frameworks, and Gong’s rapidly changing technology environment.
• Drive policy adoption through clear communication, training support, and cross-functional partnership.
• Liaise with external auditors and certification bodies for SOC 2, ISO, and other certifications

QUALIFICATIONS 

• 7+ years of progressive experience in GRC, Information Security, or a closely related function — with meaningful time spent building or scaling programs, not just running them.
• Demonstrated hands-on experience building a GRC program at scale — ideally in a high-growth SaaS or technology company.
• Deep expertise across multiple compliance and security frameworks, including SOC 2 Type II, ISO 27001, NIST CSF, and at least one regulatory framework (GDPR, CCPA, HIPAA, or equivalent).
• Experience creating and implementing GRC Record of Truth/Tooling.
• Strong policy and standards writing ability — capable of translating complex regulatory language into clear, actionable documentation.
• Experience conducting and managing product & enterprise risk assessments, with a working knowledge of risk quantification methodologies.
• Proven ability to manage and communicate with senior stakeholders, including Legal, Engineering, and executive audiences.
• Bachelor’s degree in Information Security, Computer Science, Business, or a related field; equivalent practical experience considered.
• Relevant certifications strongly preferred: CISSP, CISM, CRISC, CISA, CCSP, or comparable credentials.

PERKS & BENEFITS 

• We offer Gongsters a variety of medical, dental, and vision plans, designed to fit you and your family’s needs.
• Wellbeing Fund - flexible wellness stipend to support a healthy lifestyle.
• Mental Health benefits with covered therapy and coaching.
• 401(k) program to help you invest in your future.
• Education & learning stipend for personal growth and development.
• Flexible vacation time to promote a healthy work-life blend.
• Paid parental leave to support you and your family.
• Company-wide recharge days each quarter.
• Work from home stipend to help you succeed in a remote environment.

The annual salary hiring range for this position is $121,000 - $185,000 USD. 

Compensation is based on factors unique to each candidate, including, but not limited to, job-related skills, qualification, education, experience, and location. At Gong, we have a location-based compensation structure, which means there may be a different range for candidates in other locations. The total compensation package for this position, in addition to base compensation, may include incentive compensation, bonus, equity, and benefits. Some of our sales compensation programs also offer the potential to achieve above targeted earnings for those who exceed their sales targets. 

We are always looking for outstanding Gongsters! So if this sounds like something that interests you regardless of compensation, please reach out. We may have more roles for you to consider and would love to connect.

We have noticed a rise in recruiting impersonations across the industry, where scammers attempt to access candidates' personal and financial information through fake interviews and offers. All Gong recruiting email communications will always come from the @gong.io domain. Any outreach claiming to be from Gong via other sources should be ignored.

Gong is an equal-opportunity employer. We believe that diversity is integral to our success, and do not discriminate based on race, color, religion, age, sex, sexual orientation, gender identity, national origin, disability, military status, genetic information, or any other basis protected by applicable law.

To review Gong's privacy policy, visit https://www.gong.io/gong-io-job-candidates-privacy-notice/ for more details.

#LI-SM1