About Procare

For over 30 years, Procare Solutions has been dedicated to empowering early childhood educators by providing products and services that enable them to focus on the care, safety and education of children.  We recognize the responsibility that comes with nurturing and educating children, which is why our child care management solutions are designed to automate business processes, help ensure safety and compliance, communicate with families and provide educational resources and training to help teachers and children thrive.

Over 40,000 satisfied customers have chosen Procare Solutions as their trusted partner in providing exceptional care for young minds.   

A Little About the Role

The VP Information Security is a senior leader responsible for establishing and executing Procare’s enterprise-wide information security strategy, program, and culture. Reporting to the CTO this role will serve as the company's top security leader — translating complex cyber risk into business language, protecting customer data, enabling compliant product growth, and building a world-class security organization.

This is an operationally engaged, high-visibility role that blends strategic vision with operational execution. The ideal candidate is a proven security leader who thrives in a fast-moving SaaS environment, understands how security is changing in an AI first world, and can operate confidently in the boardroom while remaining deeply trusted by engineering and product teams.

Procare's security organization protects 40,000+ childcare centers and millions of families who depend on our platform daily. Our program includes:

• Mature compliance posture: SOC 2 Type II certified across all products; PCI DSS v4.0.1 Level 1 Service Provider; TX-RAMP authorized
• Enterprise security tooling: CrowdStrike NextGen-SIEM, Contrast Security/Veracode for application security, Automox for patch management, Barracuda/Abnormal.ai for email security
• Proactive security culture: Monthly product security meetings, CSIRT incident response team, public trust center (SafeBase), quarterly Security Steering Committee with C-suite participation
• Parent company support: Member of Roper Technologies family with access to shared security resources, threat intelligence, and enterprise tooling

What you’ll do:

Security Strategy & Leadership

• • Define, own, and continuously evolve a multi-year enterprise security roadmap aligned to business 
  objectives, growth stage, and risk appetite
• • Serve as the primary security advisor to the executive leadership team, present security posture, risk 
  metrics, and investment cases with clarity
• Lead a high-performing security organization including Security Operations, GRC, AppSec, and Cloud 
  Security functions
• • Champion a security-first culture across the company through education, executive sponsorship, and 
  accountability
• • Translate technical risk into business impact using quantitative risk frameworks (e.g., FAIR) to influence 
  budget and strategic decisions
• • Navigate Roper Technologies cybersecurity framework, maintaining compliance with mandatory 
  foundational controls and implementing selected optional controls to achieve maturity targets; serve as 
  primary security liaison to parent company
• • Establish AI security governance program to evaluate, approve, and manage AI tool adoption across the 
  organization; implement controls for AI-specific risks including data leakage, prompt injection, and model 
  security
• • Manage security across diverse product portfolio (5+ applications) with varying technology stacks, 
  customer bases, and compliance requirements; ensure consistent security standards while 
  accommodating product-specific needs
• • Build and maintain executive cybersecurity dashboards providing real-time visibility into security posture, 
  risk metrics, and program progress for board, parent company, and executive leadership

Cloud & Product Security

• • Secure the company's SaaS platform and cloud environments (AWS/Azure/GCP) by driving secure SDLC, 
  vulnerability management, remediation SLAs, and penetration testing programs
  • Partner with Product and Engineering leadership to embed security by design — shifting security left into 
  development workflows without impeding velocity
  • Oversee Identity and Access Management (IAM), Zero Trust architecture, data encryption, and cloud 
  security posture management (CSPM/CNAPP)
  • Define and maintain security standards for APIs, microservices, container security, and third-party 
  integrations

Governance, Risk & Compliance (GRC)

• Own and maintain the company's Information Security Management System (ISMS), risk register, and policy framework
• Lead and maintain Type II and PCI DSS v4.0.1 certifications; oversee ISO 27001, TX-RAMP, GDPR, CCPA, and other applicable regulatory frameworks
• Manage customer security questionnaires, enterprise security reviews, and security-related RFP/procurement processes in partnership with Sales and Legal
• Develop and enforce vendor and third-party risk management programs to minimize supply chain exposure
• Ensure compliance with applicable federal, state, and international data privacy and security regulations
• Manage state-specific compliance programs including TX-RAMP certification with quarterly vulnerability reporting and evidence submission requirements
• Implement and maintain customer trust center and security documentation portal to streamline enterprise security reviews and RFP processes
• Lead supply chain security and vendor breach response program; assess impact of third-party compromises and coordinate remediation across affected systems
• Ensure compliance with child data protection requirements and education sector-specific regulations; implement specialized controls for sensitive family and student information

Security Operations & Incident Response

• Lead a 24/7-capable security operations capability including SIEM, EDR, XDR, and threat intelligence platforms
• Own the cyber incident response program: detection, investigation, containment, communication, and post-incident review (PIR) processes
• Test business continuity and disaster recovery plans with cross-functional stakeholders
• Monitor emerging threat intelligence; proactively brief leadership on ransomware, social engineering, supply chain, and AI-driven threat vectors
• Lead Zero Trust architecture planning and implementation across corporate and product environments as multi-year strategic initiative: coordinate with infrastructure, network, and identity teams

Corporate Security & IT Risk Management

• Oversee corporate IT security including endpoint protection, patch management, and corporate network security controls
• Implement enterprise patch management programs using automated tools to ensure timely remediation of vulnerabilities across workstations and servers
• Direct Active Directory security assessments and identity hygiene programs across all domain instances
• Ensure MFA enforcement for all privileged accounts and coordinate rollout of authentication requirements for staff and customers

People & Organizational Leadership

• Recruit, develop, and retain a diverse security team including Security Engineers, Analysts, GRC Specialists, and an AppSec function
• Define team structure, career ladders, OKRs, and budget for the security organization
• Manage external security vendors, MSSPs, auditors, and counsel relationships

Our ideal candidate will have:

• 12+ years' of progressive experience in information security, with at least 4 years' in a CISO, Deputy CISO, or VP of Security role
• Proven track record leading security at a B2B SaaS or cloud-native technology company; experience scaling security programs from growth stage to enterprise maturity
• Deep expertise in cloud security architecture (AWS, Azure, and/or GCP), secure SDLC, and modern threat detection and response
• Hands-on leadership of SOC 2 Type II and PCI audits; direct experience with ISO 27001, GDPR, CCPA
• Demonstrated ability to communicate security risk to non-technical executives and board members; experience presenting to audit committees or governance boards
• Experience managing security through enterprise sales cycles including customer trust reviews, penetration test sharing, and security questionnaire programs
• Track record of building and scaling security teams from the ground up, including hiring, organizational design, and vendor management
• Bachelor's degree in Computer Science, Information Systems, Cybersecurity, or a related field required; Master's degree or MBA preferred
• One or more industry certifications strongly preferred: CISSP, CISM, CCSP, CISA, CRISC, CEH
• Executive presence with the ability to build trust at board level and peer-level across the C-suite
• Strong business acumen — understands how security decisions impact revenue, customer trust, and company valuation
• Exceptional communication skills: able to explain complex security concepts in plain language to diverse audiences
• Collaborative, low-ego leader who can influence without authority and build bridges between security, engineering, legal, and sales
• Resilient under pressure; sound judgment in high-stakes incident scenarios
• Skilled at managing competing priorities across multiple compliance programs, product teams, and parent company requirements; able to sequence initiatives and communicate trade-offs effectively

Security Technology Experience

Core Security Platforms:

• Cloud security: Wiz, Orca, Prisma Cloud, or equivalent CSPM/CNAPP solutions
• Endpoint/XDR: CrowdStrike, SentinelOne, Microsoft Defender, or equivalent
• SIEM/SOAR: CrowdStrike NextGen-SIEM, Splunk, Sumo Logic, or equivalent
• Identity/IAM: Okta, Auth0, Azure AD, or equivalent

Specialized Security Tools:

• Email security: Proofpoint, Mimecast, Abnormal.ai, or equivalent next-gen solutions
• Application security: Veracode, Checkmarx, Contrast Security, Snyk, or equivalent SAST/DAST platforms
• GRC/Compliance: Vanta, Drata, OneTrust, or equivalent automation platforms
• Trust & transparency: SafeBase, Whistic, or equivalent trust center solutions
• Patch management: Automox, Ivanti, or equivalent endpoint management platforms

Emerging Security Categories:

• AI security and governance tools (familiarity with landscape preferred)
• Zero Trust architecture frameworks and implementation tools

Physical Requirements:

• This position works most of the time in a fixed office location and may involve sitting and/or standing for prolonged periods
• Frequently required to communicate verbally and in writing (mostly email) with customers, prospects, and other employees
• Use of computer, telephone, and other office equipment for the greater part of the workday
• Occasional travel may be required for this position

Why Procare?

• Excellent comprehensive benefits packages including: medical, dental, & vision plans
• HSA option with employer contributions
• Vacation time, holidays, sick days, volunteer & personal days
• 401K Plan with employer match and immediate vesting
• Employee Stock Purchase Plan
• Employee Discount Program
• Medical, Dependent Care, and Transportation FSA Plans
• Company paid Short and Long-Term disability and Life Insurance
• RTD EcoPass for all Denver employees
• Tuition Reimbursement and continued Professional Development
• Fast paced, high energy workplace environment in prime downtown location
• Regular company provided meals

Salary

$200,000 - $250,000/year DOE

Location

This position is based in our Denver, CO office. We are currently in a hybrid in-office/remote working model based on business needs. Candidates must be willing and able to work from our Denver, CO office a minimum of 3 days a week.

Your Mission 

We are seeking a rare combination of disciplines: an experienced Sr. Compliance Engineer with deep AI Subject Matter Expertise (SME) and export compliance background to join our Governance, Risk, and Compliance (GRC) team. This role is responsible for building, implementing, and sustaining the organizational compliance posture across key regulatory and security frameworks — with a primary emphasis on RMF (NIST 800-53 Rev. 5 + Classified Overlays), CMMC Level 3, NIST 800-171 Rev. 3, EAR/ITAR cyber regulations, and — critically - the governance, risk management, and compliance controls surrounding AI/ML systems and large language models (LLMs) deployed across the enterprise. 

As AI becomes embedded in True Anomaly's operations, mission systems, and products, this role serves as the organizational authority on how AI capabilities are adopted, audited, and controlled responsibly. You will architect and operationalize compliance checkpoints and governance gates within LLM pipelines, evaluate AI vendors and platforms (including OpenAI, Anthropic Claude, and others) against classified and unclassified compliance requirements, and ensure AI-driven workflows satisfy both regulatory obligations and internal risk tolerance. 

The ideal candidate brings deep GRC knowledge, hands-on AI/LLM engineering fluency, and the ability to engage credibly with compliance assessors, government partners, and internal AI/ML engineering teams alike. 

Responsibilities 

Compliance Program Execution 

• Lead and support compliance assessment readiness across key organizational frameworks including NIST SP 800-171 Rev. 2 and 3, CMMC Level 3, NIST SP 800-53 Rev. 5, and the NIST Cybersecurity Framework (CSF). 

• Provide direction on cybersecurity readiness to address EAR and ITAR-related controls and requirements. 

• Drive CMMC readiness activities across the organization, including scoping, gap analysis, control implementation validation, evidence collection, and pre-assessment preparation. 

• Review, maintain, and mature System Security Plans (SSPs) to accurately reflect organizational control implementations, system boundaries, and operational practices — including AI/ML system boundaries and data flows. 

• Manage Plans of Actions and Milestones (POA&Ms), tracking open findings to resolution, communicating status to GRC leadership, and coordinating remediation efforts across responsible teams. 

• Conduct internal compliance audits and control effectiveness reviews to ensure ongoing adherence to applicable frameworks and to surface emerging gaps before external assessments. 

• Maintain audit-ready evidence repositories and documentation packages, ensuring traceability between controls, evidence, and framework requirements. 

AI Governance, Risk & Compliance (AI-GRC) 

• Serve as the organizational AI compliance SME — the primary authority on how AI/LLM systems (including OpenAI GPT models, Anthropic Claude, open-source models, and internally developed models) are evaluated, onboarded, and continuously governed within True Anomaly's compliance boundaries. 

• Design, implement, and maintain compliance checkpoints and enforcement gates within LLM pipelines, including:  

• Input/output filtering and content policy enforcement layers 

• Prompt injection detection and mitigation controls 

• Data classification guardrails to prevent CUI, ITAR-controlled, or classified data from flowing into non-authorized AI systems or endpoints 

• Automated audit logging of AI interactions for traceability and incident investigation 

• Model access control and role-based permissions within AI platforms 

• Conduct AI-specific risk assessments, including evaluation of AI vendor data handling practices, model training data provenance, and third-party AI API security postures against NIST AI RMF, NIST SP 800-53 AI overlays, and internal standards. 

• Develop and enforce an AI System Acceptable Use Policy and supporting standards that govern how employees and systems interact with LLMs, including permissible data inputs, output handling, human-in-the-loop requirements, and escalation procedures. 

• Evaluate proposed AI/ML use cases for regulatory risk (EAR/ITAR, CMMC, data privacy) and provide compliance go/no-go determinations with documented rationale. 

• Collaborate with AI/ML engineers and DevSecOps teams to integrate compliance gates into CI/CD pipelines and MLOps workflows, ensuring model changes and prompt changes undergo review before production deployment. 

• Maintain an AI system inventory, tracking all deployed models, APIs, integrations, and associated risk and compliance status. 

• Monitor emerging AI regulatory developments (e.g., EO 14110, NIST AI RMF, DoD AI Ethics Principles, EU AI Act implications for U.S. defense partners) and assess organizational impact. 

Cross-Functional Compliance Enablement 

• Serve as a primary GRC team resource for compliance questions, control guidance, and framework interpretation across engineering, IT, operations, legal, and security teams. 

• Partner with IT and security operations teams to verify that technical controls — including access management, logging, configuration baselines, and incident response procedures — meet CMMC and NIST requirements at an organizational level. 

• Partner with AI/ML engineers, data scientists, and product teams to embed compliance thinking into AI system design, model selection, and deployment architecture. 

• Collaborate with the Enterprise Risk Manager and broader GRC leadership to ensure compliance findings — including AI-specific risks — are reflected in the enterprise risk register and remediation priorities. 

• Support the development of compliance training and awareness materials, including AI-specific training that builds organizational understanding of responsible AI use, LLM risk, and CMMC obligations. 

• Coordinate with external assessors, third-party auditors, and government partners during assessment engagements, serving as a knowledgeable point of contact for evidence walkthroughs and control discussions. 

Qualifications 

• 7+ years of experience in IT security compliance, GRC, or a closely related discipline, with direct ownership of compliance program activities. 

• Demonstrated expertise in NIST SP 800-171, CMMC (Level 2 or 3), and NIST SP 800-53, with hands-on experience conducting gap assessments, implementing controls, and preparing organizations for external audits. 

• Extensive, hands-on experience with AI/LLM systems, including practical knowledge of platforms such as OpenAI (GPT-4/o-series), Anthropic Claude, Meta Llama, Microsoft Azure OpenAI Service, and/or comparable commercial and open-source LLM ecosystems. 

• Demonstrated ability to design, implement, and operationalize compliance controls within LLM pipelines, including guardrail layers, content filtering, audit logging hooks, and data classification enforcement. 

• Working knowledge of AI security risks, including prompt injection, jailbreaking, data exfiltration via LLM outputs, model inversion, and supply chain risks associated with third-party AI APIs. 

• Familiarity with NIST AI Risk Management Framework (AI RMF) and its application to enterprise and defense AI deployments. 

• Strong understanding of SSP development and maintenance, POA&M management, and audit evidence lifecycle practices in an organizational (non-product) compliance context. 

• Proven experience developing and operationalizing information security policies, standards, and procedures across a multi-disciplinary organization. 

• Strong communication skills with the ability to explain compliance requirements — including AI risk concepts — clearly to both technical practitioners and non-technical business stakeholders. 

• Highly organized, with demonstrated ability to manage multiple concurrent compliance workstreams and deadlines in a fast-paced environment. 

• Active or ability to obtain SECRET or TS/SCI security clearance. 

• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 

Preferred Qualifications 

• Strong EAR/ITAR background as it pertains to cybersecurity, AI-generated outputs, and policy development. 

• J.D. focusing on technology law, export compliance (EAR and ITAR), AI regulation, or cyber law. 

• Experience building MLOps or AI DevSecOps pipelines with integrated compliance gates, including automated policy enforcement, prompt review workflows, or model change management processes. 

• Hands-on experience with AI safety and alignment tooling (e.g., LangChain guardrails, NeMo Guardrails, Azure Content Safety, OpenAI Moderation API, Anthropic Constitutional AI/policy layer configurations). 

• Experience evaluating AI vendor agreements and data processing agreements against DoD/CMMC/ITAR data handling requirements. 

• Familiarity with DoD AI Ethics Principles, Responsible AI (RAI) frameworks, and emerging federal AI governance requirements (e.g., EO 14110, OMB AI guidance). 

• Industry certifications such as:  

• Certified Information Systems Auditor (CISA) 

• Certified in Risk and Information Systems Control (CRISC) 

• Certified Information Systems Security Professional (CISSP) 

• CMMC Registered Practitioner (RP) or Certified Professional (CP) 

• CompTIA Security+ or equivalent 

• AWS/Azure AI or Security certifications 

• Background in startup, aerospace, defense technology, or SaaS environments operating under DoD compliance obligations. 

• Familiarity with cloud environments — particularly Azure Government, AWS GovCloud, or Azure OpenAI Government deployments — as they relate to organizational control implementation and AI boundary scoping. 

• Experience coordinating with C/3PAOs or supporting CMMC assessments. 

• Working knowledge of DFARS 252.204-7012, ITAR, and supply chain compliance obligations. 

• Familiarity with Agile/Scrum environments and hybrid project delivery models. 

Compensation 

• Base Salary: Denver - $145,000 to $195,000, Long Beach - $150,000 to $205,000, Washington, DC - $150,000 to $205,000 

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience. 

Additional Requirements 

• Work Location: Successful candidates will be located near Denver, CO, Long Beach, CA, or Washington D.C. While we observe a hybrid work environment, some work must be done on site. #LI-Onsite

• Work Environment: Standard office setting, working at a desk or in a production factory environment. 

• Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs. 

This position will be open until it is successfully filled. 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State. 

We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know. 

Your Mission 

We are seeking a Senior Enterprise Risk Manager to build, lead, and mature two distinct but interconnected lines of effort: Enterprise Risk Management (ERM) and Third-Party Vendor Risk Management (TPVRM). This is a foundational leadership role for a seasoned risk professional who thrives in fast-moving, mission-critical environments and understands the unique demands of operating at the intersection of defense, aerospace, and commercial SaaS. 

The ideal candidate brings deep experience navigating regulated government environments—including RMF, DoD IL5/IL6, and CMMC—and is fluent in industry-standard risk quantification and assessment methodologies such as FAIR (Factor Analysis of Information Risk) and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation). They pair that expertise with a startup mindset that enables them to build programs from the ground up, not just maintain inherited ones. You will work cross-functionally with engineering, security, legal, compliance, product, and executive leadership to identify, assess, communicate, and mitigate risk across the enterprise and its extended supply chain. 

Responsibilities: 

Enterprise Risk Management 

• Design, implement, and continuously mature a scalable enterprise risk management program aligned to NIST RMF, ISO 31000, and applicable DoD frameworks. 

• Apply FAIR methodology to quantify cyber and operational risk in financial terms, enabling data-driven prioritization and executive-level risk decision-making. 

• Leverage OCTAVE or similar threat-centric methodologies to lead structured risk assessments that identify critical assets, threat profiles, and organizational vulnerabilities. 

• Establish and maintain an enterprise risk register, risk appetite statements, and risk tolerance thresholds in collaboration with executive leadership and the Board (as applicable). 

• Lead recurring risk identification, assessment, and prioritization processes across business units, ensuring alignment between operational risk posture and strategic objectives. 

• Develop and maintain executive-ready risk dashboards, KPI/KRI reporting, and program metrics using tools such as Jira, Confluence, GRC platforms, and MS Project. 

• Conduct and coordinate internal audits and risk assessments to ensure adherence to DoD compliance standards, including NIST SP 800-53 Rev. 5, NIST SP 800-171, RMF (IL5 and IL6), and CMMC Level 3. 

• Support audit readiness activities including pre-assessment preparation, evidence collection, POA&M management, and post-audit remediation planning. 

• Develop, implement, and mature information security and enterprise risk policies, standards, and guidelines based on industry best practices. 

• Serve as a primary point of contact for internal stakeholders, executive leadership, and external assessors, certification bodies, and government partners. 

Third-Party Vendor Risk Management 

• Build and lead a formalized Third-Party Vendor Risk Management program, establishing vendor classification tiers, risk assessment methodologies, and ongoing monitoring cadences. 

• Define and operationalize vendor onboarding risk assessments, including security questionnaires, compliance validations, and contractual risk controls (e.g., SLAs, right-to-audit clauses, data handling requirements). 

• Maintain a vendor risk inventory and lifecycle management process covering initial due diligence through offboarding, ensuring continuous visibility into third-party risk exposure. 

• Collaborate with legal, procurement, and supply chain teams to embed risk criteria into vendor selection, contract negotiation, and renewal processes. 

• Monitor third-party vendors for changes in risk posture, including cybersecurity incidents, financial instability, regulatory actions, and ITAR/export control concerns. 

• Develop vendor risk reporting and executive-level dashboards to provide ongoing transparency into third-party exposure across critical suppliers and technology partners. 

• Ensure TPVRM program alignment with applicable regulatory requirements including CMMC supply chain requirements, DFARS clauses, and DoD IL environment authorization boundaries. 

Cross-Functional Leadership 

• Build, mentor, and provide technical guidance to junior risk team members and project contributors across both lines of effort. 

• Drive alignment across engineering, security operations, product compliance, IT operations, legal, and business operations teams on risk priorities and remediation timelines. 

• Track program milestones, identify dependencies and blockers, and drive timely course corrections with a bias toward action. 

• Continuously improve program workflows, reporting processes, and team coordination for scalable, repeatable, and consistent risk program execution. 

• Proactively track emerging regulatory, threat, and supply chain risk requirements and update program posture accordingly. 

Qualifications 

• 10+ years of experience in enterprise risk management, GRC, cybersecurity risk, or related disciplines, with demonstrated ownership of risk programs at a senior level. 

• Proven track record in startup or high-growth technology environments, with demonstrated ability to build risk programs from the ground up under resource and time constraints. 

• Experience applying FAIR for risk quantification and OCTAVE or similar frameworks for threat and asset-centric risk assessments. 

• Direct experience with U.S. government or defense sector programs, including working knowledge of DoD RMF (IL5 and IL6), NIST SP 800-53, NIST SP 800-171, and CMMC. 

• Hands-on experience leading or significantly contributing to Third-Party/Vendor Risk Management programs, including vendor tiering, due diligence workflows, and ongoing monitoring. 

• Strong proficiency in risk management and GRC documentation tools including Jira, Confluence (Atlassian suite), MS Project, enterprise GRC platforms, and MS Visio or Lucidchart. 

• Excellent communication and stakeholder management skills, with a strong ability to translate technical risk into business language for executives and board-level audiences. 

• Active or ability to obtain SECRET, TS/SCI security clearance. 

• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 

Preferred Qualifications 

• Background in aerospace, defense technology, or SaaS companies operating in regulated government markets; experience with both commercial and government customer bases strongly preferred. 

• Proficient with creating risk programs in a startup environment, scaling, and adapting to changing organizational structure 

• Experience managing certification or authorization initiatives across one or more of: FedRAMP, SOC 2, DoDIN APL, ISO 27001, CMMC as it pertains to risk. 

• Industry certifications such as:  

• Certified in Risk and Information Systems Control (CRISC) 

• Certified Information Systems Auditor (CISA) 

• Certified Information Systems Security Professional (CISSP) 

• Certified in the Governance of Enterprise IT (CGEIT) 

• Certified ScrumMaster (CSM) or Agile PM certification 

• Experience with cloud environments, particularly Azure Government and/or AWS GovCloud, and understanding of authorization boundary design. 

• Working knowledge of ITAR, EAR, and export control considerations as they apply to vendor and supply chain risk. 

• Familiarity with Agile/Scrum and hybrid project delivery models. 

• Experience with DFARS, FAR, and government contracting compliance requirements. 

Compensation 

• Base Salary: Denver - $160,000 to $220,000, Long Beach - $165,000 to $230,000, Washington DC - $165,000 to $230,000 

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience. 

Additional Requirements 

• Work Location: This role will be onsite at one of our facilities in Centennial, CO, Long Beach, California, or Washington, D.C. #LI-Onsite 

• Work Environment: Standard office setting, working at a desk or in a production factory environment  

• Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs. 

This position will be open until it is successfully filled. 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State. 

We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know. 

Your Mission 

We are seeking a driven and detail-oriented Enterprise Risk Analyst to support two distinct but interconnected lines of effort: Enterprise Risk Management (ERM) and Third-Party Vendor Risk Management (TPVRM). Reporting to the Senior Enterprise Risk Manager, you will play a hands-on role in executing risk assessments, maintaining program documentation, tracking remediation activities, and building the data foundation that powers executive-level risk decision-making. 

This role is ideal for a mid-career risk professional who is fluent in frameworks such as NIST RMF and CMMC, is developing practical experience with risk quantification methodologies like FAIR and OCTAVE, and is eager to grow within a fast-paced aerospace and defense SaaS environment. You will work closely with engineering, security, legal, compliance, and operations teams to help identify, document, and track risk across the enterprise and its third-party supply chain. 

Responsibilities:

Enterprise Risk Management 

• Support the design, execution, and continuous improvement of the enterprise risk management program under the direction of the Senior Enterprise Risk Manager. 

• Assist in conducting structured risk assessments using OCTAVE or similar threat-and-asset-centric methodologies, documenting findings, threat profiles, and recommended mitigations. 

• Support the application of FAIR methodology to help quantify risks in financial terms and contribute to risk prioritization analyses for leadership. 

• Maintain and update the enterprise risk register, ensuring accuracy of risk ratings, ownership assignments, remediation status, and residual risk tracking. 

• Build and maintain program dashboards, KPI/KRI reports, and status tracking using tools such as Jira, Confluence, enterprise GRC platforms, and MS Project. 

• Assist with audit readiness activities including evidence collection, pre-assessment preparation, control documentation, and post-audit remediation tracking. 

• Support POA&M management for IL5 and IL6 environments, tracking open items to closure and escalating blockers to the Enterprise Risk Manager. 

• Contribute to the development and maintenance of risk policies, standards, and guidelines aligned to NIST SP 800-53 Rev. 5, NIST SP 800-171, RMF, and CMMC Level 3. 

• Coordinate and track internal audit schedules, findings, and corrective action plans across business units. 

Third-Party Vendor Risk Management 

• Execute vendor risk assessments as part of the onboarding and periodic review lifecycle, including security questionnaire administration, documentation review, and risk scoring. 

• Maintain the vendor risk inventory and lifecycle tracking records, ensuring all vendors are appropriately tiered and assessed on schedule. 

• Monitor vendor risk signals including cybersecurity advisories, regulatory actions, and contractual compliance status, escalating material changes to the Enterprise Risk Manager. 

• Support contract and procurement teams by providing vendor risk assessment findings and recommended risk mitigation language. 

• Assist in ensuring TPVRM program alignment with CMMC supply chain requirements, DFARS clauses, and ITAR/export control considerations for critical suppliers. 

• Develop and maintain vendor risk reporting inputs and dashboard content to support executive-level visibility into third-party risk exposure. 

Cross-Functional Collaboration 

• Serve as a reliable day-to-day point of contact for risk-related inquiries from internal stakeholders across engineering, security, operations, and legal teams. 

• Track program milestones, action items, and deliverables, proactively communicating status and flagging risks or dependencies to the Enterprise Risk Manager. 

• Continuously improve risk program workflows, documentation templates, and reporting processes to support scalable and repeatable execution. 

• Support the preparation of materials for internal leadership briefings, external assessor interactions, and government partner reviews. 

Qualifications 

• 5+ years of experience in enterprise risk management, GRC, cybersecurity risk, compliance, or a closely related discipline. 

• Working knowledge of NIST SP 800-53, NIST SP 800-171, DoD RMF (IL5/IL6), and CMMC, with direct experience supporting assessments or audits under one or more of these frameworks. 

• Familiarity with risk assessment methodologies including FAIR and/or OCTAVE, with a desire to deepen applied expertise in risk quantification. 

• Experience supporting or executing third-party/vendor risk assessments, including questionnaire administration, documentation review, and risk tracking. 

• Hands-on experience with program management and GRC documentation tools including Jira, Confluence (Atlassian suite), MS Project, enterprise GRC platforms, and MS Visio or Lucidchart. 

• Strong written and verbal communication skills, with the ability to clearly document findings and translate risk concepts for both technical and non-technical audiences. 

• Highly organized, self-directed, and comfortable managing multiple workstreams simultaneously in a fast-paced, regulated environment. 

• Active or ability to obtain SECRET, TS/SCI security clearance. 

• Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 

Preferred Qualifications 

• Background in startup, aerospace, defense technology, or SaaS companies operating in regulated government markets. 

• Industry certifications such as:  

• Certified in Risk and Information Systems Control (CRISC) 

• Certified Information Systems Auditor (CISA) 

• Open FAIR Certification (The Open Group) 

• CompTIA Security+ or equivalent 

• Certified ScrumMaster (CSM) or similar Agile certification 

• Experience with cloud environments, particularly Azure Government and/or AWS GovCloud. 

• Familiarity with POA&M management, SSP documentation, and audit evidence collection in DoD authorization contexts. 

• Working knowledge of ITAR, EAR, DFARS, and export control considerations as they relate to vendor and supply chain risk. 

• Familiarity with Agile/Scrum and hybrid project delivery models. 

Compensation 

• Base Salary: Denver - $115,000 to $155,000, Long Beach - $120,000 to $165,000, Washington, DC - $120,000 to $165,000 

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience. 

Additional Requirements 

• Work Location: This role will be onsite at one of our office locations: Centennial, CO, Long Beach, CA, or Washington, DC  #LI-Onsite 

• Work Environment: Standard office setting, working at a desk or in a production factory environment 

• Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs. 

This position will be open until it is successfully filled. 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State. 

We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know. 

YOUR MISSION

We’re looking for a Senior Technical Program Manager to join our Security & Infrastructure PMO: a highly visible, high-impact role at the center of critical initiatives. This is a dynamic, generalist position where you’ll drive execution across a diverse portfolio spanning industrial, application, platform, and enterprise security programs. You’ll play a key role in both delivering complex projects and maintaining the operational rhythms that keep these functions running at scale.

This role requires someone who can quickly build context, partner effectively with technical leaders, and deliver results across a wide range of domains. You’ll operate at the intersection of strategy and execution, ensuring alignment, momentum, and clarity across teams.

Our portfolio is broad and mission-critical, covering secure facilities and network infrastructure, application and product security, vulnerability management, cloud and platform security, identity and access management, and the processes that underpin them. While deep expertise in every area isn’t required, success in this role depends on your ability to ramp quickly, engage with credibility, and drive outcomes regardless of domain.

RESPONSIBILITIES 

• Own end-to-end program management for assigned initiatives, from intake through delivery, including milestone tracking, dependency management, risk identification, and stakeholder communication 

• Support team operational rhythms: meeting cadences, backlog health, status reporting, and cross-team coordination 

• Work with engineering and security leads on effort estimation, task decomposition, and resource alignment; surface conflicts before they become delivery problems 

• Manage cross-functional dependencies with IT, GRC, facilities, vendors, and external stakeholders as required 

• Maintain current program visibility for leadership, milestone-oriented and risk-flagged 

• Flex across security domains as priorities shift; bring the same execution rigor to a secure facility buildout as to a vulnerability management program 

• Partner with the PMO Lead on roadmap planning and steering: prioritization, capacity planning, and plan maintenance 

QUALIFICATIONS 

• 7+ years of technical program management experience in cybersecurity, defense technology, or regulated environments 

• Prior experience as an information security engineer or security sales/solutions engineer at a security product or services company before transitioning to program management 

• Demonstrated ability to manage concurrent work streams with cross-functional dependencies and external stakeholders 

• Strong Jira or equivalent proficiency; ability to build and maintain structured tracking across multi-team portfolios 

• Comfortable operating where scope, priorities, and assignments shift with portfolio demand 

• Clear, direct communicator; able to simplify complex status for executive audiences and push back when warranted 

• U.S. citizen and eligible for DoD Secret or TS/SCI clearance. 

PREFERRED SKILLS AND EXPERIENCE 

• Experience across more than one security domain: application, infrastructure, physical/industrial, or security operations 

• Hands-on enterprise security experience, either in a security operations capacity or delivering security stack projects 

• Familiarity with industrial security operations (cleared facility management, personnel security programs, or classified network infrastructure) enough to engage credibly with the team and manage their work 

• Familiarity with NIST RMF, FedRAMP, or federal compliance environments 

• Experience in defense technology, aerospace, or DoD contractor environments 

COMPENSATION  

• Base Salary:  Denver- $145,000-$195,000, Long Beach: $150,000-$205,000

• Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave 

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education and experience. 

ADDITIONAL REQUIREMENTS 

• Ability to maintain or obtain a security clearance (clearable required) 

• Work Location: this role will be fully onsite at Centennial, CO or Long Beach, CA 

• Work environment is in a standard office, working at a desk or in a production factory. 

• Physical demands may include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20lbs. 

This position will be open until it is successfully filled. To submit your application, please follow the directions below. #LI-Onsite 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR) you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.

We value diversity of experience, knowledge, backgrounds and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know. 

Voyager is an innovative defense, national security and space technology company committed to advancing and delivering transformative, mission-critical solutions. We tackle the most complex challenges to unlock new frontiers for human progress, fortify national security, and protect critical assets to lead in the race for technological and operational superiority from ground to space. 

Forge the Future: Join Voyager Technologies 

The future belongs to those who build it. At Voyager Technologies, we’re building technologies that protect lives, expand frontiers and prepare us for what’s next. And we’re doing that with people who are wired to solve, build, adapt and lead. These roles are not for the faint of heart.  

You’ll help lay the foundation for humanity's future. Join a culture where innovation thrives, curiosity is rewarded, and impact is real. We’re a company of doers, thinkers and builders, united by purpose and grounded in reality. 

If you want to put your skills to work where the stakes are real and the mission is bigger than any one person, forge the future with Voyager. 

____________________________________________________________________________________ 

Job Summary: 

Voyager Technologies is seeking a detail-oriented, mission-driven IT Compliance / GRC Analyst to lead cybersecurity governance, regulatory compliance, and risk management activities across our space, aerospace, and defense programs.

This role ensures the organization can securely handle Controlled Unclassified Information and (CUI), ITAR/export-controlled data while maintaining continuous compliance with:

• NIST SP 800-171
• CMMC Level 2/3
• DFARS 252.204-7012
• ITAR / EAR Export Control
• NASA / DoD contract security clauses

You will partner with IT, engineering, program management, legal, and contracts teams to translate regulatory requirements into practical, auditable controls that enable mission delivery — not slow it down.

If you enjoy building order from complexity, preparing organizations for audits, and designing security programs that scale, you’ll thrive here.

Responsibilities: 

Governance & Compliance Program

• Own and maintain the organization’s cybersecurity compliance framework
• Map controls to:
• NIST 800-171
• CMMC practices
• DFARS clauses
• ITAR/EAR requirements
• Develop and maintain:
• System Security Plans (SSPs)
• POA&Ms
• Policies, standards, procedures
• Control evidence repositories
• Establish continuous monitoring processes

Audit & Assessment Readiness

• Lead preparation for:
• CMMC assessments (C3PAO)
• DCMA/DoD/NASA audits
• Prime contractor reviews
• Coordinate evidence collection and artifact management
• Track remediation plans and closure metrics
• Conduct internal mock audits and gap assessments
• Serve as primary liaison for assessors and government representatives

Risk Management

• Conduct enterprise and system-level risk assessments
• Maintain risk register and mitigation plans
• Perform impact analysis for new technologies and programs
• Evaluate supplier and subcontractor cybersecurity posture
• Support incident reporting obligations (DFARS 7012 timelines)

Data Protection & Export Control

• Ensure compliant handling of:
• CUI
• ITAR/EAR technical data
• Sensitive government information
• Define data classification and marking standards
• Support enclave design and segmentation strategies
• Advise teams on compliant collaboration (GCC High/Azure Gov, secure sharing)

Cross-Functional Partnership

• Work with:
• IT operations
• Security/SOC teams
• Engineering & DevOps
• Contracts & Legal
• Program Managers
• Integrate security requirements into new systems and proposals
• Support contract bids with compliance documentation

Training & Culture

• Deliver CUI/ITAR handling and compliance awareness training
• Coach system owners on control ownership
• Promote “audit ready every day” mindset
• Lead tabletop exercises and readiness drills

Required Qualifications: 

• High school diploma or equivalent
• 4–8+ years in cybersecurity, IT compliance, or GRC roles
• Experience supporting a regulated or defense contractor environment
• Hands-on knowledge of:
• NIST SP 800-171
• CMMC
• DFARS 252.204-7012
• ITAR/EAR or export controls
• Experience creating SSPs and POA&Ms
• Experience preparing for audits or formal assessments
• Strong documentation and evidence management skills
• Excellent communication and cross-functional collaboration
• U.S. Person status required (ITAR eligibility)
• Ability to obtain a security clearance

Preferred Qualifications: 

• Experience with:
  • Microsoft GCC High or Azure Government
  • FedRAMP or GovCloud environments
  • Supply chain cybersecurity risk management (SCRM)
  • Government proposals / contract compliance
• Experience using GRC tools (Archer, ServiceNow GRC, Drata, etc.)
• Background in aerospace, space systems, or DoD programs
• Certifications (nice to have)
  • CISM
  • CISSP
  • CRISC
  • CISA
  • CMMC RP/CCA/CCI
  • Security+

Please click “Apply” to submit your application. 

The salary range represents the base salary range for this position. Actual compensation will vary and may be above or below the range based on various factors. Those include but are not limited to location, experience, and performance.

Voyager offers a comprehensive, total compensation package, which includes competitive salary, a discretionary annual bonus plan, paid time off (PTO), a comprehensive health benefit package, retirement savings, wellness program, and various other benefits. When you join our team, you’re not just an employee; you become part of a dynamic community dedicated to innovation and excellence. 

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR) you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State. 

Voyager is an Equal Opportunity Employer. Employment decisions are made without regard to race, color, religion, national or ethnic origin, sex, sexual orientation, gender identity or expression, age, disability, protected veteran status or other characteristics protected by law.  

Minority/Female/Disabled/Veteran 

The statements contained in this job description are intended to describe the general content and requirements for performance of this job. It is not intended to be an exhaustive list of all job duties, responsibilities, and requirements. This job description is not an employment agreement or contract. Management has the exclusive right to alter the scope of work within the framework of this job description at any time without prior notice. 

About SecurityScorecard:

SecurityScorecard is the global leader in cybersecurity ratings, with over 12 million companies continuously rated, operating in 64 countries. Founded in 2013 by security and risk experts Dr. Alex Yampolskiy and Sam Kassoumeh and funded by world-class investors, SecurityScorecard’s patented rating technology is used by over 25,000 organizations for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting; making all organizations more resilient by allowing them to easily find and fix cybersecurity risks across their digital footprint. 

Headquartered in New York City, our culture has been recognized by Inc Magazine as a "Best Workplace,” by Crain’s NY as a "Best Places to Work in NYC," and as one of the 10 hottest SaaS startups in New York for two years in a row. Most recently, SecurityScorecard was named to Fast Company’s annual list of the World’s Most Innovative Companies for 2023 and to the Achievers 50 Most Engaged Workplaces in 2023 award recognizing “forward-thinking employers for their unwavering commitment to employee engagement.”  SecurityScorecard is proud to be funded by world-class investors including Silver Lake Waterman, Moody’s, Sequoia Capital, GV and Riverwood Capital.

About the Role

SecurityScorecard's Solutions Architects team are trusted security advisors and business partners both internally and to prospective clients, offering deep knowledge about the market and our solution. We are intellectually curious, find great reward in delivering valuable solutions to customers, and are passionate about cybersecurity.

We are looking for an experienced and dynamic Solutions Architecture to work with our Sales teams across the US. The candidate will own the pre-sales technical engagement with our customers. The ideal candidate will have a strong technical background, exceptional verbal skills and be a strong cross functional collaborator.

Success in this role requires security and technical acumen to develop a deep understanding of SecurityScorecard's architecture and services and a consultative approach to understanding customer business needs. You'll leverage your strategic communication skills to engage in technical and business discussions with engineers and senior decision makers alike, translating customer needs into technical requirements and conveying the merit of SecurityScorecard's solutions throughout.  

NOTE:  It is a requirement that this role is in the Pacific or Mountain time zones.

Key Responsibilities

• Collaborate with the Sales team to identify technical requirements and develop customized solutions that address complex client needs, while driving revenue growth and customer satisfaction
• Delivery of compelling technical presentations, product demonstrations and Proof of Value projects for prospective clients
• Support SecurityScorecard at Industry events and C level round table events
• Work closely with Product Management and Engineering to provide market feedback and influence product roadmap based on customer needs and competitive landscape
• Proven track record of gathering detailed success metrics for customer PoV’s, including tracking and reporting
• Awareness and enforcement of MEDDPICC best practices in sales cycles
• Become a subject matter expert on cyber first Supply Chain services.
• Ability to engage with all different types of personalities and working styles across the team
• Build and foster strong relationships with other business teams, such as Marketing, Support and Customer Success
• Not afraid to be a champion for your prospects, advocating for their needs.

Skills and Experience

• 5+ years of relevant work experience (cybersecurity, TPRM, GRC, and/or similar)
• Demonstrated presentation and interpersonal skills; communicate in front of large groups with a mixed audience of technical and non-technical 
• Experience working with enterprise level clients and managing complex sales cycles
• Demonstrated ability to manage complex technical projects, demonstrate clear business value and lead technical strategy in sales engagements
• Bachelor Degree in Computer Science or equivalent work experience
• Sales experience NOT REQUIRED, but experience of selling technical SaaS and/or managed service solutions a plus
• Industry Certifications such as CEH, CISSP, CompTIA Security+ CISA  GCIH etc a plus

Traits

• Highly motivated self starter who works well cross functionally
• Intellectually curious; seeks to continually self-educate and evolve domain specific knowledge 
• Willing to travel on day and overnight trips throughout the US

Benefits:

Specific to each country, we offer a competitive salary, stock options, Health benefits, and unlimited PTO, parental leave, tuition reimbursements, and much more!

The estimated total compensation range for this position is $100,000 - $195,000 (base plus bonus). Actual compensation for the position is based on a variety of factors, including, but not limited to affordability, skills, qualifications and experience, and may vary from the range. In addition to base salary, employees may also be eligible for annual performance-based incentive compensation awards and equity, among other company benefits. 

SecurityScorecard is committed to Equal Employment Opportunity and embraces diversity. We believe that our team is strengthened through hiring and retaining employees with diverse backgrounds, skill sets, ideas, and perspectives. We make hiring decisions based on merit and do not discriminate based on race, color, religion, national origin, sex or gender (including pregnancy) gender identity or expression (including transgender status), sexual orientation, age, marital, veteran, disability status or any other protected category in accordance with applicable law. 

We also consider qualified applicants regardless of criminal histories, in accordance with applicable law. We are committed to providing reasonable accommodations for qualified individuals with disabilities in our job application procedures. If you need assistance or accommodation due to a disability, please contact talentacquisitionoperations@securityscorecard.io.

Any information you submit to SecurityScorecard as part of your application will be processed in accordance with the Company’s privacy policy and applicable law. 

SecurityScorecard does not accept unsolicited resumes from employment agencies.  Please note that we do not provide immigration sponsorship for this position.   #LI-DNI