Job Summary
Under the supervision of the Vice President of Information Technology, the Senior Analyst, Technology Governance & Controls is responsible for strengthening CGC’s enterprise technology governance framework, internal control environment, and operational risk posture. This role helps ensure that technology-related processes, system access models, vendor relationships, documentation standards, and change practices align with organizational expectations for accountability, audit readiness, and institutional durability. 

The Senior Analyst serves as a key internal resource for access governance, control evidence management, policy administration, risk tracking, vendor oversight support, continuity planning coordination, and governance reporting. This position translates governance expectations into practical, repeatable operating disciplines that support secure and efficient business execution. 

This role is well suited for a proactive professional who can operate effectively in a growing and evolving organization, bring structure where processes continue to mature, and execute with sound judgment, discretion, and a high degree of ownership. Success in this position requires collaboration, professionalism, strong written communication, and the ability to improve how work gets done through practical use of automation, AI tools, and modern workflow capabilities. This role is central to CGC's enterprise governance maturity, maintaining the frameworks, processes, and controls that allow IT systems, data, and vendors to operate with accountability and discipline.

Key Responsibilities

• Support CGC’s enterprise technology governance and control environment through disciplined administration of repeatable oversight processes. 
• Coordinate periodic user access reviews, entitlement recertifications, segregation-of-duties support reviews, and permission validation activities across enterprise systems.
• Maintain repositories of control evidence, approvals, documentation, and artifacts required for audits, internal reviews, external assessments, or regulatory inquiries.
• Administer the lifecycle of technology-related policies, standards, and procedures, including version control, review schedules, approvals, acknowledgments, and publication tracking.
• Support vendor governance and third-party risk management processes, including intake coordination, due diligence documentation, contract control support, and remediation follow-up.
• Maintain governance logs and trackers related to risks, issues, exceptions, incidents, remediation items, and management action plans.
• Administer and monitor the technology change management process including ticket completeness, approval validation, testing evidence review, and record retention within the Technology Service Desk in Jira.
• Coordinate business continuity and disaster recovery governance activities, including inventories, documentation updates, exercise support, and remediation tracking.
• Prepare dashboards, reports, metrics, and presentations related to governance performance, access controls, training completion, vendor reviews, policy status, and control maturity, including PowerBI reporting where applicable.
• Assist in administration of security awareness initiatives, policy acknowledgments, phishing simulations, and workforce education programs.
• Identify opportunities to streamline governance processes through workflow automation, AI-enabled productivity tools, agentic workflows, and improved operating procedures consistent with internal control expectations.
• Partner with Finance, Legal, Risk, Operations, and business stakeholders to improve enterprise accountability and governance practices.
• Handle sensitive information with discretion and professionalism, escalating concerns appropriately.
• Operate with a high degree of ownership, reliability, and judgment in a dynamic environment with evolving priorities.
• Perform other duties as assigned in support of CGC’s mission and operational needs.

Required Skills and Abilities

• Experience in governance, internal controls, risk management, audit support, compliance operations, technology administration, or related business operations environments.
• Demonstrated experience managing documentation, evidence, approvals, trackers, or structured operational processes with strong attention to detail.
• Familiarity with access governance concepts, role-based permissions, and enterprise system control practices.
• Strong organizational skills with the ability to manage multiple priorities and deadlines.
• Excellent written communication and presentation skills.
• Demonstrated ability to operate effectively in evolving environments with changing priorities and developing processes.
• Proven professionalism, discretion, and sound judgment when handling confidential or sensitive matters.
• Demonstrated digital fluency and ability to quickly learn modern platforms and emerging technologies.

Education and Experience

• Bachelor’s degree and 5+ years of directly related experience, or equivalent combination of education and experience.
• Experience supporting technology within financial services, nonprofit, startup, federally funded, or regulated environments.
• Familiarity with frameworks such as COSO, NIST, SOC, ISO 27001, or similar governance/control standards.
• Experience with enterprise platforms such as Vanta, Microsoft 365, PowerBI, Entra ID, Jira, Confluence, Box, NetSuite, Salesforce, or comparable systems.
• Experience supporting vendor management, procurement controls, contract administration, or third-party risk processes.
• Familiarity with workflow automation tools, AI productivity tools, prompt engineering, and emerging agentic workflow concepts.
• Certifications such as CISA, CRISC, Security+, ITIL, PMP, Lean Six Sigma, or similar credentials are a plus.

Compensation and Benefits

• The salary range for the Senior Analyst position is between $117,715.00 – $132,549.00 annually.
• Senior Analyst will be eligible for an annual bonus based on job and organizational performance.
• The benefits offered for the Senior Analyst include health insurance, 401k, vacation leave and sick leave.

The Role:

As a Sr. Sales Engineer, you’ll partner closely with our LATAM region account teams to support enterprise customers and prospects in addressing their most pressing cybersecurity challenges. In this role, you’ll lead complex pilot engagements and guide the transition to successful onboarding of tailored solutions—ensuring strong outcomes and long-term customer success. The position requires a blend of cybersecurity expertise, technical engineering skills, analytical thinking, and strategic business acumen.

What You'll Do:

• Be a content creator, not just a consumer—drive the creation of new ideas, presentations, and technical approaches
• Engage directly with prospective clients to understand requirements, field technical questions, and deliver compelling product demos
• Plan and execute product proof of value (POV) engagements
• Develop and deliver sample use cases and analytical demo scenarios
• Document and maintain the technical sales process, ensuring clarity and consistency across the team
• Triage and resolve key analytical, technical, and operational challenges
• Drive user adoption across diverse use cases and customer environments
• Lead interactive, technical workshops to showcase product value

What You'll Bring:

• Ability to lead both technical and sales calls independently within 45–60 days
• Minimum 5 years' experience as a Sales Engineer or Intelligence Analyst/Officer
• Proven track record of success in a pre-sales role at a cybersecurity or threat intelligence organization
• Deep expertise in cybersecurity or threat intelligence, with hands-on or operational experience in at least one of the following areas:
• SOC/SIEM
• Vulnerability Management
• Incident Response / Red Team
• Threat Hunting / Threat Research
• OSINT or All-Source Intelligence
• Cyber Threat Intelligence (CTI)
• Strong communication and collaboration skills across technical and executive audiences
• Willingness to travel up to 30% (non-pandemic conditions)
• Relevant certifications (e.g., CISSP, Security+, CISM) preferred but not required

#LI-Remote

We are looking for an Incident Response Analyst to join the Incident Response Team on Recorded Future’s Enterprise Security team, within the overall Security organization at Recorded Future. This individual will support all functions and aspects of Enterprise Security at Recorded Future, including security operations, incident response, risk management, compliance, and training. This role is geared toward a more junior individual with a solid understanding of security fundamentals across a broad spectrum of disciplines.

What You'll Do: 

• Support the security operations, incident response, and risk management team efforts
• Triage and communicate impact and severity of alerts to larger security team
• Work across all parts of the Security team to document and communicate current and future efforts
• Understand and action on events and information contained with system(s) logs
• Organize and action on information contained within security ticketing system
• Coalesce and organize routine reports for communication to large audiences

What You'll Bring:

• 2 years of experience of core knowledge of security fundamentals. Breadth of knowledge should span all disciplines of the security field, to include security operations, incident response, risk management, compliance, and training
• Working knowledge of common EDR, SIEM, and MDM platforms
• Experience with common ticketing systems such as JIRA and knowledge management platforms such as Confluence
• Scripting skills with languages such as Python, Perl, and Bash to develop custom code when needed
• Working knowledge of common SIEM tools, including Splunk
• Working knowledge of common compliance frameworks such as ISO 27001, SOC & CMMC
• Experience operating within a CSIRT or SOC environment is a plus
• Basic understanding of networking and network security fundamentals
• Ability to diffuse large sets of data and information into actionable recommendations for the security team and leadership
• Strong problem-solving and analytical skills
• Time management and organizational skills
• Willingness to travel up to 10% of the time

What we are looking for

Aurora hires talented people with diverse backgrounds who are ready to help build a transportation ecosystem that will make our roads safer, get crucial goods where they need to go, and make mobility more efficient and accessible for all.

We're searching for a Staff Security Platform Engineer to join our Enterprise Security Engineering team, reporting to the Technical Lead Manager of Security Engineering.

Aurora is scaling its autonomous trucking operations, and we need someone who makes our security tools actually work, not just deployed, but deeply configured, continuously tuned, and fully leveraged. This role is for the practitioner who has spent their career living inside security platforms: the person who knows their EDR better than the vendor's own support team, who can write a SIEM query from memory, and who instinctively knows when an alert is misfiring and exactly why.

This is not a software engineering role. It's a role for an elite security operator — someone with the instincts of a seasoned SOC analyst and the technical depth to own the platforms that power detection, response, and protection at enterprise scale. If you find deep satisfaction in mastering a tool, closing a coverage gap, or hunting down a threat that nobody else noticed, this role was written for you.

In this role you will

• Own the operational health, configuration, and continuous improvement of Aurora's enterprise security platform stack — including EDR/XDR, MDM, SIEM, DLP, IAM/IGA, DNS security, Email security, and PKI — ensuring each tool is tuned, policy-complete, and delivering reliable signal.
• Develop and refine detection rules, correlation logic, and alert policies, reducing noise while ensuring Aurora maintains high-fidelity coverage against real threats.
• Conduct proactive threat hunting across Aurora's security telemetry — forming hypotheses, querying logs, and investigating anomalies before they surface as incidents.
• Serve as the deepest internal expert on Aurora's enterprise security tooling, acting as the escalation point for complex platform issues, misconfigurations, and detection failures.
• Participate in the team's on-call rotation, leading deep-dive investigations into security alerts and incidents and driving triage, containment, and root cause analysis.
• Continuously audit and validate that existing security controls are configured to actually do what they're supposed to do — not just deployed and forgotten.
• Maintain operational runbooks, detection documentation, and platform configuration records, ensuring the team can operate consistently and scale institutional knowledge.

Required qualifications

• 12+ years of hands-on experience in enterprise security operations, security platform administration, or a senior SOC engineering role — with a career built on deep operational ownership of security tooling rather than software development.
• Expert-level proficiency administering and operating at least two enterprise security platforms (e.g., CrowdStrike, SentinelOne, Splunk, Panther, Sentinel, Jamf, Kandji/Iru, Puppet, WorkspaceONE, Intune, Zscaler, Okta, Proofpoint, Wiz, osquery), with strong working knowledge across several others.
• Demonstrated ability to tune and optimize security platforms beyond out-of-the-box configurations — writing custom detection logic, adjusting policy sets, and validating control effectiveness.
• Strong log analysis and threat hunting skills: you know how to build a hypothesis, write the query, follow the thread, and know when to escalate.
• Experience conducting thorough incident investigations — triage, containment, root cause analysis, and post-incident review — and communicating findings clearly to technical and non-technical stakeholders.
• Ability to assess security control effectiveness: not just "is this tool deployed" but "is it configured correctly, covering the right scope, and generating actionable signal."
• Comfort working under pressure in ambiguous, fast-moving situations with competing priorities.

Desirable qualifications

• Scripting ability for automation, log parsing, or workflow improvement (Python, Bash, or similar) — you don't need to be a software engineer, but you can write a script when it saves you an hour.
• Deep familiarity with MITRE ATT&CK as an operational tool for detection gap analysis and threat hunting hypothesis development.
• Experience with AWS security telemetry (CloudTrail, GuardDuty, Security Hub) and integrating cloud signals into a corporate SIEM.
• Familiarity with Zero Trust and identity-centric security models as they apply to policy enforcement in IAM and endpoint platforms.
• Platform-specific certifications such as CrowdStrike Certified Falcon Administrator, Splunk Core Certified Power User, or equivalent — or practitioner certifications like GCIH, GCIA, GCFE, or GCFA.

The base salary range for this position is $171,000 - $247,000 per Year. Aurora’s pay ranges are determined by role, level, and location. Within the range, the successful candidate’s starting base pay will be determined based on factors including job-related skills, experience, qualifications, relevant education or training, and market conditions. These ranges may be modified in the future. The successful candidate will also be eligible for an annual bonus, equity compensation, and benefits.

What we are looking for

Aurora hires talented people with diverse backgrounds who are ready to help build a transportation ecosystem that will make our roads safer, get crucial goods where they need to go, and make mobility more efficient and accessible for all.

We're searching for a Staff Security Platform Engineer to join our Enterprise Security Engineering team, reporting to the Technical Lead Manager of Security Engineering.

Aurora is scaling its autonomous trucking operations, and we need someone who makes our security tools actually work, not just deployed, but deeply configured, continuously tuned, and fully leveraged. This role is for the practitioner who has spent their career living inside security platforms: the person who knows their EDR better than the vendor's own support team, who can write a SIEM query from memory, and who instinctively knows when an alert is misfiring and exactly why.

This is not a software engineering role. It's a role for an elite security operator — someone with the instincts of a seasoned SOC analyst and the technical depth to own the platforms that power detection, response, and protection at enterprise scale. If you find deep satisfaction in mastering a tool, closing a coverage gap, or hunting down a threat that nobody else noticed, this role was written for you.

In this role you will

• Own the operational health, configuration, and continuous improvement of Aurora's enterprise security platform stack — including EDR/XDR, MDM, SIEM, DLP, IAM/IGA, DNS security, Email security, and PKI — ensuring each tool is tuned, policy-complete, and delivering reliable signal.
• Develop and refine detection rules, correlation logic, and alert policies, reducing noise while ensuring Aurora maintains high-fidelity coverage against real threats.
• Conduct proactive threat hunting across Aurora's security telemetry — forming hypotheses, querying logs, and investigating anomalies before they surface as incidents.
• Serve as the deepest internal expert on Aurora's enterprise security tooling, acting as the escalation point for complex platform issues, misconfigurations, and detection failures.
• Participate in the team's on-call rotation, leading deep-dive investigations into security alerts and incidents and driving triage, containment, and root cause analysis.
• Continuously audit and validate that existing security controls are configured to actually do what they're supposed to do — not just deployed and forgotten.
• Maintain operational runbooks, detection documentation, and platform configuration records, ensuring the team can operate consistently and scale institutional knowledge.

Required qualifications

• 12+ years of hands-on experience in enterprise security operations, security platform administration, or a senior SOC engineering role — with a career built on deep operational ownership of security tooling rather than software development.
• Expert-level proficiency administering and operating at least two enterprise security platforms (e.g., CrowdStrike, SentinelOne, Splunk, Panther, Sentinel, Jamf, Kandji/Iru, Puppet, WorkspaceONE, Intune, Zscaler, Okta, Proofpoint, Wiz, osquery), with strong working knowledge across several others.
• Demonstrated ability to tune and optimize security platforms beyond out-of-the-box configurations — writing custom detection logic, adjusting policy sets, and validating control effectiveness.
• Strong log analysis and threat hunting skills: you know how to build a hypothesis, write the query, follow the thread, and know when to escalate.
• Experience conducting thorough incident investigations — triage, containment, root cause analysis, and post-incident review — and communicating findings clearly to technical and non-technical stakeholders.
• Ability to assess security control effectiveness: not just "is this tool deployed" but "is it configured correctly, covering the right scope, and generating actionable signal."
• Comfort working under pressure in ambiguous, fast-moving situations with competing priorities.

Desirable qualifications

• Scripting ability for automation, log parsing, or workflow improvement (Python, Bash, or similar) — you don't need to be a software engineer, but you can write a script when it saves you an hour.
• Deep familiarity with MITRE ATT&CK as an operational tool for detection gap analysis and threat hunting hypothesis development.
• Experience with AWS security telemetry (CloudTrail, GuardDuty, Security Hub) and integrating cloud signals into a corporate SIEM.
• Familiarity with Zero Trust and identity-centric security models as they apply to policy enforcement in IAM and endpoint platforms.
• Platform-specific certifications such as CrowdStrike Certified Falcon Administrator, Splunk Core Certified Power User, or equivalent — or practitioner certifications like GCIH, GCIA, GCFE, or GCFA.

The base salary range for this position is $189,000 - $274,000 per Year. Aurora’s pay ranges are determined by role, level, and location. Within the range, the successful candidate’s starting base pay will be determined based on factors including job-related skills, experience, qualifications, relevant education or training, and market conditions. These ranges may be modified in the future. The successful candidate will also be eligible for an annual bonus, equity compensation, and benefits.

What we are looking for

Aurora hires talented people with diverse backgrounds who are ready to help build a transportation ecosystem that will make our roads safer, get crucial goods where they need to go, and make mobility more efficient and accessible for all.

We're searching for a Staff Security Platform Engineer to join our Enterprise Security Engineering team, reporting to the Technical Lead Manager of Security Engineering.

Aurora is scaling its autonomous trucking operations, and we need someone who makes our security tools actually work, not just deployed, but deeply configured, continuously tuned, and fully leveraged. This role is for the practitioner who has spent their career living inside security platforms: the person who knows their EDR better than the vendor's own support team, who can write a SIEM query from memory, and who instinctively knows when an alert is misfiring and exactly why.

This is not a software engineering role. It's a role for an elite security operator — someone with the instincts of a seasoned SOC analyst and the technical depth to own the platforms that power detection, response, and protection at enterprise scale. If you find deep satisfaction in mastering a tool, closing a coverage gap, or hunting down a threat that nobody else noticed, this role was written for you.

In this role you will

• Own the operational health, configuration, and continuous improvement of Aurora's enterprise security platform stack — including EDR/XDR, MDM, SIEM, DLP, IAM/IGA, DNS security, Email security, and PKI — ensuring each tool is tuned, policy-complete, and delivering reliable signal.
• Develop and refine detection rules, correlation logic, and alert policies, reducing noise while ensuring Aurora maintains high-fidelity coverage against real threats.
• Conduct proactive threat hunting across Aurora's security telemetry — forming hypotheses, querying logs, and investigating anomalies before they surface as incidents.
• Serve as the deepest internal expert on Aurora's enterprise security tooling, acting as the escalation point for complex platform issues, misconfigurations, and detection failures.
• Participate in the team's on-call rotation, leading deep-dive investigations into security alerts and incidents and driving triage, containment, and root cause analysis.
• Continuously audit and validate that existing security controls are configured to actually do what they're supposed to do — not just deployed and forgotten.
• Maintain operational runbooks, detection documentation, and platform configuration records, ensuring the team can operate consistently and scale institutional knowledge.

Required qualifications

• 12+ years of hands-on experience in enterprise security operations, security platform administration, or a senior SOC engineering role — with a career built on deep operational ownership of security tooling rather than software development.
• Expert-level proficiency administering and operating at least two enterprise security platforms (e.g., CrowdStrike, SentinelOne, Splunk, Panther, Sentinel, Jamf, Kandji/Iru, Puppet, WorkspaceONE, Intune, Zscaler, Okta, Proofpoint, Wiz, osquery), with strong working knowledge across several others.
• Demonstrated ability to tune and optimize security platforms beyond out-of-the-box configurations — writing custom detection logic, adjusting policy sets, and validating control effectiveness.
• Strong log analysis and threat hunting skills: you know how to build a hypothesis, write the query, follow the thread, and know when to escalate.
• Experience conducting thorough incident investigations — triage, containment, root cause analysis, and post-incident review — and communicating findings clearly to technical and non-technical stakeholders.
• Ability to assess security control effectiveness: not just "is this tool deployed" but "is it configured correctly, covering the right scope, and generating actionable signal."
• Comfort working under pressure in ambiguous, fast-moving situations with competing priorities.

Desirable qualifications

• Scripting ability for automation, log parsing, or workflow improvement (Python, Bash, or similar) — you don't need to be a software engineer, but you can write a script when it saves you an hour.
• Deep familiarity with MITRE ATT&CK as an operational tool for detection gap analysis and threat hunting hypothesis development.
• Experience with AWS security telemetry (CloudTrail, GuardDuty, Security Hub) and integrating cloud signals into a corporate SIEM.
• Familiarity with Zero Trust and identity-centric security models as they apply to policy enforcement in IAM and endpoint platforms.
• Platform-specific certifications such as CrowdStrike Certified Falcon Administrator, Splunk Core Certified Power User, or equivalent — or practitioner certifications like GCIH, GCIA, GCFE, or GCFA.

The base salary range for this position is $189,000 - $274,000 per Year. Aurora’s pay ranges are determined by role, level, and location. Within the range, the successful candidate’s starting base pay will be determined based on factors including job-related skills, experience, qualifications, relevant education or training, and market conditions. These ranges may be modified in the future. The successful candidate will also be eligible for an annual bonus, equity compensation, and benefits.

What we are looking for

Aurora hires talented people with diverse backgrounds who are ready to help build a transportation ecosystem that will make our roads safer, get crucial goods where they need to go, and make mobility more efficient and accessible for all.

We're searching for a Staff Security Platform Engineer to join our Enterprise Security Engineering team, reporting to the Technical Lead Manager of Security Engineering.

Aurora is scaling its autonomous trucking operations, and we need someone who makes our security tools actually work, not just deployed, but deeply configured, continuously tuned, and fully leveraged. This role is for the practitioner who has spent their career living inside security platforms: the person who knows their EDR better than the vendor's own support team, who can write a SIEM query from memory, and who instinctively knows when an alert is misfiring and exactly why.

This is not a software engineering role. It's a role for an elite security operator — someone with the instincts of a seasoned SOC analyst and the technical depth to own the platforms that power detection, response, and protection at enterprise scale. If you find deep satisfaction in mastering a tool, closing a coverage gap, or hunting down a threat that nobody else noticed, this role was written for you.

In this role you will

• Own the operational health, configuration, and continuous improvement of Aurora's enterprise security platform stack — including EDR/XDR, MDM, SIEM, DLP, IAM/IGA, DNS security, Email security, and PKI — ensuring each tool is tuned, policy-complete, and delivering reliable signal.
• Develop and refine detection rules, correlation logic, and alert policies, reducing noise while ensuring Aurora maintains high-fidelity coverage against real threats.
• Conduct proactive threat hunting across Aurora's security telemetry — forming hypotheses, querying logs, and investigating anomalies before they surface as incidents.
• Serve as the deepest internal expert on Aurora's enterprise security tooling, acting as the escalation point for complex platform issues, misconfigurations, and detection failures.
• Participate in the team's on-call rotation, leading deep-dive investigations into security alerts and incidents and driving triage, containment, and root cause analysis.
• Continuously audit and validate that existing security controls are configured to actually do what they're supposed to do — not just deployed and forgotten.
• Maintain operational runbooks, detection documentation, and platform configuration records, ensuring the team can operate consistently and scale institutional knowledge.

Required qualifications

• 12+ years of hands-on experience in enterprise security operations, security platform administration, or a senior SOC engineering role — with a career built on deep operational ownership of security tooling rather than software development.
• Expert-level proficiency administering and operating at least two enterprise security platforms (e.g., CrowdStrike, SentinelOne, Splunk, Panther, Sentinel, Jamf, Kandji/Iru, Puppet, WorkspaceONE, Intune, Zscaler, Okta, Proofpoint, Wiz, osquery), with strong working knowledge across several others.
• Demonstrated ability to tune and optimize security platforms beyond out-of-the-box configurations — writing custom detection logic, adjusting policy sets, and validating control effectiveness.
• Strong log analysis and threat hunting skills: you know how to build a hypothesis, write the query, follow the thread, and know when to escalate.
• Experience conducting thorough incident investigations — triage, containment, root cause analysis, and post-incident review — and communicating findings clearly to technical and non-technical stakeholders.
• Ability to assess security control effectiveness: not just "is this tool deployed" but "is it configured correctly, covering the right scope, and generating actionable signal."
• Comfort working under pressure in ambiguous, fast-moving situations with competing priorities.

Desirable qualifications

• Scripting ability for automation, log parsing, or workflow improvement (Python, Bash, or similar) — you don't need to be a software engineer, but you can write a script when it saves you an hour.
• Deep familiarity with MITRE ATT&CK as an operational tool for detection gap analysis and threat hunting hypothesis development.
• Experience with AWS security telemetry (CloudTrail, GuardDuty, Security Hub) and integrating cloud signals into a corporate SIEM.
• Familiarity with Zero Trust and identity-centric security models as they apply to policy enforcement in IAM and endpoint platforms.
• Platform-specific certifications such as CrowdStrike Certified Falcon Administrator, Splunk Core Certified Power User, or equivalent — or practitioner certifications like GCIH, GCIA, GCFE, or GCFA.

The base salary range for this position is $189,000 - $274,000 per Year. Aurora’s pay ranges are determined by role, level, and location. Within the range, the successful candidate’s starting base pay will be determined based on factors including job-related skills, experience, qualifications, relevant education or training, and market conditions. These ranges may be modified in the future. The successful candidate will also be eligible for an annual bonus, equity compensation, and benefits.

About the Role

We are seeking a GRC Automation Lead to join our GRC organization and build the technical foundation for how we scale our risk and compliance programs. In this role, you will lead the team that designs and implements automated workflows, data pipelines, and integrations that transform manual compliance processes into scalable engineering systems. 

This is a greenfield opportunity to establish the team, architecture, and integrations that will define how we approach governance, risk, and compliance at Anthropic. The core challenge is a data problem: compliance information lives across dozens of systems—cloud infrastructure, identity providers, HR platforms, ticketing tools, code repositories—and your job is to design systems that bring it together, normalize it, and make it actionable. Success in this role comes from understanding how systems connect and how data flows between them, not from writing code yourself.

At Anthropic, you'll also have a unique advantage: the ability to design AI-powered workflows where Claude acts as an extension of your team, handling tasks that would traditionally require additional headcount or manual effort. You'll need ingenuity to identify where agentic AI can accelerate evidence collection, interpret unstructured data, triage compliance gaps, and augment human judgment in risk assessments. Working closely with Security, IT, and Engineering teams, you'll translate compliance and regulatory requirements into solutions that support audit programs including SOC 2, ISO, HIPAA, and FedRAMP, building systems that combine traditional automation with AI capabilities to achieve scale that wouldn't otherwise be possible.

Responsibilities: 

• Lead the team that establishes foundational GRC processes and architecture. Design and build automated workflows for risk management and compliance, creating scalable systems that enable continuous monitoring as Anthropic grows.
• Build data pipelines that aggregate risk, control, and asset information from across our technology stack. This means solving hard data integration problems: mapping disparate schemas, handling inconsistent data quality, and creating unified views of compliance posture through dashboards and reporting tools.
• Inform GRC platform strategy and implementation: in partnership with other programs, evaluate, select, and deploy tooling that meets our compliance requirements.
• Translate written policies and compliance requirements into policy-as-code—working with Engineering and Security teams to express requirements as enforceable rules, automated checks, and continuous validation rather than static documents.
• Establish feedback loops between policy and implementation: surface where technical controls diverge from written requirements, identify where policies need to evolve based on infrastructure realities, and ensure that compliance requirements are expressed in terms engineers can act on.
• Design and deploy agentic AI workflows that extend team capacity, using Claude to serve as a virtual GRC analyst to automate evidence analysis, monitor control effectiveness, draft audit responses, interpret policy documents, and handle other tasks that require reasoning over unstructured information.
• Design and maintain integrations connecting GRC tooling with cloud infrastructure, identity management systems, HRIS platforms, ticketing systems, version control, and CI/CD pipelines—working with engineers to implement integrations that enable automated evidence collection and continuous compliance validation.
• Build and lead an AI-forward GRC engineering function as we scale: hiring team members, establishing practices, and defining the technical roadmap for governance and compliance automation at Anthropic.

You may be a good fit if you:

• Have 12+ years of total experience and 3-4+ years of experience managing technical individual contributors or systems-focused teams, with a proven track record of building or scaling small teams (2-5 people) in security, compliance, automation, or operations functions.
• Are a systems thinker first. You understand how complex environments work: how data flows between systems, where integration points exist, what breaks when systems don't talk to each other. Your strength is designing the right architecture and environment for security monitoring, not necessarily implementing it yourself.
• Have 5+ years of experience designing automated workflows, data pipelines, or system integrations, whether through traditional development, low-code platforms, GRC tools, or process automation. We care about your ability to solve integration problems more than your programming language proficiency.
• Have a relentless focus on data integration: you understand how to pull data from multiple sources, normalize it, join it meaningfully, and surface insights. You're comfortable reasoning about messy, inconsistent data and designing systems that handle edge cases gracefully.
• Understand APIs and integration patterns: REST APIs, webhooks, authentication flows, polling vs. push architectures, and can evaluate systems based on how well they expose data and support automation.
• Can work independently with minimal guidance, taking ownership of complex problems from design through implementation while managing ambiguity inherent in early-stage programs.
• Have strong analytical and problem-solving skills with attention to detail necessary for compliance work, balanced with pragmatism about risk-based prioritization in fast-paced environments.

Strong candidates may have:

• Experience designing or implementing AI-powered automation, agentic workflows, or LLM-based tooling in operational contexts.
• Experience with GRC platforms such as ServiceNow GRC, Vanta, Drata, OneTrust, RSA Archer, or similar tools including configuration, customization, and integration capabilities
• Familiarity with scripting languages (Python or similar) for automation tasks, API interactions, and data transformation.
• Prior experience in high-growth startup environments demonstrating ability to build scalable processes and adapt quickly to changing requirements and priorities
• Familiarity with Infrastructure as Code tools (Terraform, CloudFormation, Ansible) and DevSecOps practices including CI/CD pipeline integration and policy-as-code implementations.
• Familiarity with cloud platforms (AWS, GCP, Azure) and an understanding of how compliance-relevant data can be extracted from their APIs and logging systems.

Deadline to apply: None, applications will be received on a rolling basis.

This Senior IAM Engineer will own the Okta for Government High (FedRAMP High) tenant, which serves as the enterprise Identity Provider and Identity Governance platform for a 1,500+ user organization. The role is the primary technical resource responsible for the build, enhancement, and operation of key functions, including SSO integrations, Identity Governance (OIG), Lifecycle Management, Workflows automation, and Adaptive MFA policy.

In the first three months, you will help develop the core program documentation and workflows. You will collaborate with external teams like IT, Legal and People to integrate into company processes. You will work with our technical security experts to build Identity and Access management processes and procedures.

Responsibilities

• Own the Okta for Government High (FedRAMP High) tenant — configuration, health, lifecycle, and security posture
• Manage Universal Directory: on-prem AD Agent sync, HRIS attribute mastering, profile mappings, and group rules
• Build and maintain all SSO app integrations via the Okta Integration Network (OIN) using SAML, OIDC, and SCIM
• Own and maintain Okta Adaptive MFA policies: factor enrollment rules, risk-based step-up authentication, FIDO2/YubiKey/PIV/CAC configuration
• Maintain the Okta System Log to Microsoft Sentinel log streaming pipeline and retention configuration
• Own Okta Identity Governance (OIG): entitlement catalog, access certification campaign setup, SoD policy rules, and access request workflow design
• Own, Build and Maintain Okta Lifecycle Management: JML automation rules, HRIS connector configuration, and auto-provisioning and deprovisioning into all connected applications, access review triggers, and automated remediation
• Design, build, and document all Okta-side enhancements including new app onboarding, policy changes, and IGA configuration updates
• Write test cases for all Okta-side changes; execute UAT jointly with the Identity Governance & Operations Analyst before production promotion
• Support Identity Operations Specialist on Tier 2 Okta escalations and Workflow troubleshooting
• Assist Identity Governance & Operations Analyst with OIG campaign configuration and certification reporting

Requirements:

• 4+ years of hands-on Okta administration and engineering experience
• Demonstrated experience with Okta SSO app integrations via SAML 2.0 and OIDC
• Experience with Okta Lifecycle Management and HRIS connector configuration
• Experience building Okta Workflows for provisioning automation
• Experience with Okta Adaptive MFA policy configuration including FIDO2/WebAuthn and hardware token enrollment
• Experience with Okta Universal Directory including AD Agent deployment and profile mastering

Compliance Requirements: this role will be subject to US Federal regulations, therefore:

• Must be a U.S. Citizen or Lawful Permanent Resident (Green Card holder) — U.S. Person 
• Ability to obtain and maintain a security clearance or pass a background investigation consistent with CUI access
  
  

Preferred Qualifications:

• Experience with Okta for Government High (FedRAMP High) or FedRAMP Moderate environments — strong preference
• Okta Identity Governance (OIG) experience — access certifications, SoD, entitlement management
• Experience federating Okta to Microsoft Entra ID / GCCH as a SAML Service Provider
• Familiarity with CMMC, ITAR, GDPR, SOX, SOC 2 compliance requirements
• Experience with SCIM 2.0 provisioning to downstream applications
• Okta Identity Governance certification (preferred)

The approximate base salary range for this position is $126,887 - $166,127. The total compensation package includes base, bonus, equity, and a range of benefit options found on our career site.

Location: This role is based out of our College Park, Boulder, CO, or Bothell, WA offices, or can be remote in the US. 
Travel: Up to 1 week per quarter
Job ID:  1460

Build the Future with Us — EquipmentShare is Hiring a Security Analyst

At EquipmentShare, we’re not just filling a role — we’re assembling the best team on the planet to build something that’s never been built before. We’re on a mission to transform an industry that’s been stuck in the past by empowering contractors and communities through innovative technology, real-time support, and a team that truly cares.

We’re hiring a Security Analyst at our Corporate Headquarters in Columbia, MO and we’re looking for someone who’s ready to grow with us, bring energy and drive to their work, and help us build the future of construction. This position is onsite.

The Security Analyst will support EquipmentShare’s endpoint security, event monitoring, and incident response efforts across both Apple and Windows environments. This role will collaborate closely with IT, Infrastructure, Engineering, and external incident response partners to ensure timely detection and remediation of threats.

You will play a key role in maturing our security operations, improving visibility, and strengthening defensive controls across the enterprise.

Primary Responsibilities

• Perform triage and analysis of security events
• Support deployment and optimization of SIEM capabilities
• Maintain dashboards and generate reporting for leadership
• Validate configuration standards for macOS and Windows environments
• Assist with vendor security questionnaires and audit documentation
• Contribute to strengthening EquipmentShare’s overall security posture
• Develop testing playbooks and remediation recommendations based on red-team exercise outcomes
• Verify remediation efforts post-testing to confirm controls are properly hardened
• Conduct adversarial testing of internal IT systems, policies, and access controls to identify gaps and weaknesses before they can be exploited
• Review and challenge existing detection rules to determine if they would catch simulated attack behavior

Why EquipmentShare?

Because we do things differently — and we think you’ll feel it from day one. We’re a people-first company powered by cutting-edge technology. That means our proprietary T3 platform doesn’t just run our business — it also makes your job easier, safer, and more connected. Whether you’re behind the wheel, under the hood, leading a branch, or closing deals — tech supports you, and you drive us forward.

We’re a team of problem-solvers, go-getters, and builders. And we’re looking for teammates who take pride in doing meaningful work and want to be part of building something special.

Perks & Benefits

• Competitive compensation
  
  
• Full medical, dental, and vision coverage for full-time employees
  
  
• Generous PTO + paid holidays
  
  
• 401(k) + company match
  
  
• Gym membership stipend + wellness programs (earn PTO and prizes!)
  
  
• Company events, food truck nights
  
  
• 16 hours of paid volunteer time per year — give back to the community you call home
  
  
• Career advancement, leadership training, and professional development opportunities

About You

You want to be part of a team that’s not just changing an industry for the sake of change — we’re transforming it to make it safer, more secure, and more productive. You bring grit, heart, and humility to your work, and you’re excited about the opportunity to grow within a fast-paced, mission-driven environment.

We’re looking for people who:

• See challenges as opportunities
  
  
• Embrace change and continuous improvement
  
  
• Bring energy, effort, and optimism every day

Skills & Qualifications 

• 2–5 years of experience in cybersecurity, SOC, or security operations
• Hands-on experience with EDR tools (Microsoft Defender, JAMF Protect, CrowdStrike, SentinelOne, etc.)
• Experience working with a SIEM platform (Chronicle, Splunk, Sentinel, QRadar, or similar)
• Familiarity with macOS and Windows security fundamentals
• Strong understanding of networking fundamentals (TCP/IP, firewalls, segmentation)
• Experience analyzing authentication and system logs
• Strong documentation and analytical skills
• Experience with Google Chronicle or other cloud-native SIEM platforms
• Experience in distributed or multi-site enterprise environments
• Exposure to JAMF ecosystem
• Security certifications (Security+, CySA+, GCIH, or similar)
  
  

Education and Experience:

• • At least 2 years of experience in cybersecurity, SOC, or security operations
  • High school diploma or equivalent, required
  • College degree in Information Technology with a focus or experience in cyber security and infrastructure. 

  Physical Requirements:

  • Extended periods working at a desk and computer.
  • Ability to manage several screens and platforms during research tasks.

A Workplace For All

At EquipmentShare, we believe the best solutions come from a team that reflects the world around us. Our initiative — A Workplace For All — is rooted in the belief that we must work together to solve some of the toughest problems in construction. That means attracting, developing, and retaining great people from all walks of life.

We value different backgrounds, talents, and perspectives. We want you to feel like you belong here — because you do.

EquipmentShare is an EOE M/F/D/V.

Employment is contingent on passing a background check. Additionally, some roles require passing a drug test, depending on the job responsibilities.

Lantern Specialty Care is seeking a Senior Risk & Governance Analyst to join our GRC team as a key individual contributor. This is a newly created role, built to scale our risk and compliance capabilities as we expand our AI-forward healthcare technology platform. You will report directly to the Sr. GRC Manager and play a foundational role across four priority areas: maintaining our risk register, advancing AI risk governance, TPRM, and supporting our HIPAA compliance program.

This is a high-impact, cross-functional role. We are at a critical stage of maturing our GRC program. There is significant greenfield opportunity to build structure where gaps exist, particularly in risk management and AI governance. The ideal candidate is hands-on, comfortable with ambiguity, and excited to leave their fingerprints on programs that will shape the organization’s risk posture for years to come.

Location: Hybrid - at least 3 days/wk in our Dallas, TX office located at 2100 Ross Avenue, Suite 1900, Dallas, Texas 75201

Responsibilities: 

• Support the build-out of Lantern’s risk register by conducting risk identification workshops, defining risk taxonomy, assigning ownership, and establishing likelihood/impact scoring
• Map current control environment against the NIST CSF function; document gaps and develop a prioritized remediation roadmap
• Establish recurring risk review cadence with business unit owners
• Maintain and evolve the risk register as a living document; produce regular risk reporting for leadership
• AI governance framework aligned to the NIST AI RMF — covering model risk assessment, bias considerations, transparency standards, and accountability structures
• Build and maintain an AI systems inventory with risk ratings; assess new use cases before deployment in partnership with Engineering and Product
• Monitor emerging AI regulatory guidance (HHS, EU AI Act, state-level) and translate into actionable controls
• Manage ongoing HIPAA Privacy and Security compliance programs: gap assessments, remediation tracking, and workforce training coordination
• Support SOC 2 Type II, HITRUST CSF, and other applicable audit cycles
• Support TPRM activities including vendor risk assessments and vendor tiering maintenance

Requirements:

• Bachelor’s degree in Information Security, Healthcare Administration, Computer Science, or related field
• A minimum of 5 years’ experience in GRC, compliance, or information security
• A minimum of 3 years’ experience in healthcare or health-tech industries
• Direct & Hands-on experience with the following:
• Building or significantly maturing a risk register
• Performing or supporting HITRUST and/or SOC 2 audits
• HIPAA Privacy/Security Rule compliance programs
• NIST CSF or ISO 27001
• AI Specific Risk Management Frameworks such as NIST AI RMF or Similar frameworks

Certifications (Preferred)

• CISA, CRISC, CISSP, CHC, or CHPC highly desirable
• HITRUST CCSFP a strong plus

Technical Skills

• Proficiency with a GRC platform (Vanta, Drata, ServiceNow GRC, OneTrust, or equivalent)
• Working knowledge of AI/ML risk concepts and the NIST AI RMF
• Experience with third-party risk tools and structured vendor assessment workflows
• Ability to read, interpret, and operationalize regulatory guidance

 Strong Candidates Will:

• Be energized by building. This role has significant greenfield scope, and the best candidates will see that as an opportunity, not a gap
• Move with urgency and precision, flagging risk before it becomes an issue
• Balance rigor with pragmatism, enabling the organization to move fast while staying protected
• Communicate clearly to both technical and non-technical audiences without losing nuance
• Bring genuine curiosity about AI and emerging technology governance
• Embody Lantern’s LIGHT pillars — Logic, Inclusion, Grit, Humanity, Truth — in every interaction

Benefits

• Medical Insurance
• Dental Insurance
• Vision Insurance
• Short & Long Term Disability
• Life Insurance
• 401k with company match
• Flexible Time Off
• Paid Parental Leave

Responsibilities

We are looking for an exceptional Senior GRC Analyst to join our growing team. In this role, you will lead compliance assessments for frameworks such as NIST 800-171, ISO 27001, NIST 800-53 (FedRAMP), PCI, MLPS and IRAP, while also driving broader security compliance efforts. The ideal candidate will use strong analytical, communication, and problem-solving skills to evaluate controls, identify gaps, and recommend improvements across security domains. You will also be responsible for:

• Lead and participate in both internal and external audits for frameworks including ISO 27001/27701, PCI-DSS, NIST 800-171, NIST 800-53 (FedRamp), and IRAP

• Experience using or exploring AI/automation tools to enhance, streamline, or scale Governance, Risk, and Compliance (GRC) processes and workflows

• Manage and oversee risk, compliance, and governance initiatives across teams

• Coordinate with process owners, control owners, auditors, and consultants to ensure findings are tracked and addressed

• Conduct risk assessments, security audits, and third-party/vendor risk reviews

• Review contracts to ensure security and compliance requirements are met

• Identify process gaps and recommend improvements to enhance the organization’s security posture

• Communicate risks and compliance requirements clearly to both technical and non-technical stakeholders

• Perform regular user access reviews

• Develop and track remediation plans for identified risks and issues

• Maintain and update the risk register

• Oversee vendor security assurance processes

• Collaborate with stakeholders to design and implement effective internal controls aligned with regulatory standards

• Support risk and security discussions across cross-functional teams

• Build strong working relationships across departments

• Take on additional responsibilities as needed

Requirements

Qualifications / Experience / Technical Skills

Please note that the working hours for this position are from 2:00 PM to 11:00 PM IST (overlap with U.S. Pacific Time required)

• 8+ years of experience in cybersecurity programs, audits, risk management, compliance, or remediation

• Experience working with cloud platforms such as AWS, Azure, or Google Cloud

• Proven ability to negotiate and prioritize risk remediation with internal stakeholders

• Bachelor’s degree in Information Systems, Computer Science, Information Security, or a related field

• Strong understanding of security controls, including cloud environments, firewalls, IDS/IPS, and vulnerability management

• Familiarity with NIST 800-171 and NIST Risk Management Framework (NIST 800-53)

• Experience auditing frameworks such as PCI-DSS, SOC 2, and ISO 27001/27701

• Relevant certifications (CISSP, CISA, PCI ISA, ISO, or similar) are preferred

• Ability to manage multiple priorities independently with minimal supervision

Soft Skills / Personal Characteristics

• Strong communication skills with the ability to translate compliance requirements into technical actions

• High energy and adaptability in a fast-paced environment

• Strong collaboration and a knowledge-sharing mindset

• Excellent time management and organizational skills

• High attention to detail, integrity, and ethical standards

• Willingness to learn and take on new challenges

Additional requirements

• May involve some international travel

• This position requires overlap with U.S. Pacific Time (PST) working hours. Candidates should be available and flexible to work from 2:00 PM to 11:00 PM IST.

• Strong hands-on experience with PCI audits, ISO 27001, NIST 800-171, FedRamp, SOC 2, and potentially IRAP is required.

To help your application stand out, please take time to answer the Job Application Questions below clearly and concisely. All submissions are reviewed by our Hiring Team, not evaluated by AI.

(REQ ID: 2760)

Responsibilities

We are looking for an exceptional Senior GRC Analyst to join our growing team. In this role, you will lead compliance assessments for frameworks such as NIST 800-171, ISO 27001, NIST 800-53 (FedRAMP), PCI, MLPS and IRAP, while also driving broader security compliance efforts. The ideal candidate will use strong analytical, communication, and problem-solving skills to evaluate controls, identify gaps, and recommend improvements across security domains. You will also be responsible for:

• Lead and participate in both internal and external audits for frameworks including ISO 27001/27701, PCI-DSS, NIST 800-171, NIST 800-53 (FedRamp), and IRAP

• Experience using or exploring AI/automation tools to enhance, streamline, or scale Governance, Risk, and Compliance (GRC) processes and workflows

• Manage and oversee risk, compliance, and governance initiatives across teams

• Coordinate with process owners, control owners, auditors, and consultants to ensure findings are tracked and addressed

• Conduct risk assessments, security audits, and third-party/vendor risk reviews

• Review contracts to ensure security and compliance requirements are met

• Identify process gaps and recommend improvements to enhance the organization’s security posture

• Communicate risks and compliance requirements clearly to both technical and non-technical stakeholders

• Perform regular user access reviews

• Develop and track remediation plans for identified risks and issues

• Maintain and update the risk register

• Oversee vendor security assurance processes

• Collaborate with stakeholders to design and implement effective internal controls aligned with regulatory standards

• Support risk and security discussions across cross-functional teams

• Build strong working relationships across departments

• Take on additional responsibilities as needed

Requirements

Qualifications / Experience / Technical Skills

Please note that the working hours for this position are from 2:00 PM to 11:00 PM IST (overlap with U.S. Pacific Time required)

• 8+ years of experience in cybersecurity programs, audits, risk management, compliance, or remediation

• Experience working with cloud platforms such as AWS, Azure, or Google Cloud

• Proven ability to negotiate and prioritize risk remediation with internal stakeholders

• Bachelor’s degree in Information Systems, Computer Science, Information Security, or a related field

• Strong understanding of security controls, including cloud environments, firewalls, IDS/IPS, and vulnerability management

• Familiarity with NIST 800-171 and NIST Risk Management Framework (NIST 800-53)

• Experience auditing frameworks such as PCI-DSS, SOC 2, and ISO 27001/27701

• Relevant certifications (CISSP, CISA, PCI ISA, ISO, or similar) are preferred

• Ability to manage multiple priorities independently with minimal supervision

Soft Skills / Personal Characteristics

• Strong communication skills with the ability to translate compliance requirements into technical actions

• High energy and adaptability in a fast-paced environment

• Strong collaboration and a knowledge-sharing mindset

• Excellent time management and organizational skills

• High attention to detail, integrity, and ethical standards

• Willingness to learn and take on new challenges

Additional requirements

• May involve some international travel

• This position requires overlap with U.S. Pacific Time (PST) working hours. Candidates should be available and flexible to work from 2:00 PM to 11:00 PM IST.

• Strong hands-on experience with PCI audits, ISO 27001, NIST 800-171, FedRamp, SOC 2, and potentially IRAP is required.

To help your application stand out, please take time to answer the Job Application Questions below clearly and concisely. All submissions are reviewed by our Hiring Team, not evaluated by AI.

(REQ ID: 2760)

Responsibilities

We are looking for an exceptional Senior GRC Analyst to join our growing team. In this role, you will lead compliance assessments for frameworks such as NIST 800-171, ISO 27001, NIST 800-53 (FedRAMP), PCI, MLPS and IRAP, while also driving broader security compliance efforts. The ideal candidate will use strong analytical, communication, and problem-solving skills to evaluate controls, identify gaps, and recommend improvements across security domains. You will also be responsible for:

• Lead and participate in both internal and external audits for frameworks including ISO 27001/27701, PCI-DSS, NIST 800-171, NIST 800-53 (FedRamp), and IRAP

• Experience using or exploring AI/automation tools to enhance, streamline, or scale Governance, Risk, and Compliance (GRC) processes and workflows

• Manage and oversee risk, compliance, and governance initiatives across teams

• Coordinate with process owners, control owners, auditors, and consultants to ensure findings are tracked and addressed

• Conduct risk assessments, security audits, and third-party/vendor risk reviews

• Review contracts to ensure security and compliance requirements are met

• Identify process gaps and recommend improvements to enhance the organization’s security posture

• Communicate risks and compliance requirements clearly to both technical and non-technical stakeholders

• Perform regular user access reviews

• Develop and track remediation plans for identified risks and issues

• Maintain and update the risk register

• Oversee vendor security assurance processes

• Collaborate with stakeholders to design and implement effective internal controls aligned with regulatory standards

• Support risk and security discussions across cross-functional teams

• Build strong working relationships across departments

• Take on additional responsibilities as needed

Requirements

Qualifications / Experience / Technical Skills

Please note that the working hours for this position are from 2:00 PM to 11:00 PM IST (overlap with U.S. Pacific Time required)

• 8+ years of experience in cybersecurity programs, audits, risk management, compliance, or remediation

• Experience working with cloud platforms such as AWS, Azure, or Google Cloud

• Proven ability to negotiate and prioritize risk remediation with internal stakeholders

• Bachelor’s degree in Information Systems, Computer Science, Information Security, or a related field

• Strong understanding of security controls, including cloud environments, firewalls, IDS/IPS, and vulnerability management

• Familiarity with NIST 800-171 and NIST Risk Management Framework (NIST 800-53)

• Experience auditing frameworks such as PCI-DSS, SOC 2, and ISO 27001/27701

• Relevant certifications (CISSP, CISA, PCI ISA, ISO, or similar) are preferred

• Ability to manage multiple priorities independently with minimal supervision

Soft Skills / Personal Characteristics

• Strong communication skills with the ability to translate compliance requirements into technical actions

• High energy and adaptability in a fast-paced environment

• Strong collaboration and a knowledge-sharing mindset

• Excellent time management and organizational skills

• High attention to detail, integrity, and ethical standards

• Willingness to learn and take on new challenges

Additional requirements

• May involve some international travel

• This position requires overlap with U.S. Pacific Time (PST) working hours. Candidates should be available and flexible to work from 2:00 PM to 11:00 PM IST.

• Strong hands-on experience with PCI audits, ISO 27001, NIST 800-171, FedRamp, SOC 2, and potentially IRAP is required.

To help your application stand out, please take time to answer the Job Application Questions below clearly and concisely. All submissions are reviewed by our Hiring Team, not evaluated by AI.

(REQ ID: 2760)

As Network & Security Operations Analyst, you’ll oversee both network and security operations for the Network Operations and Security Center. This role ensures the continuous availability, performance, and security of enterprise IT systems by leading a team responsible for network monitoring, incident management, and security threat response.

We know that you can’t have great technology services without amazing people. At MetroStar, we are obsessed with our people and have led a two-decade legacy of building the best and brightest teams. Because we know our future relies on our deep understanding and relentless focus on our people, we live by our mission: A passion for our people. Value for our customers.

If you think you can see yourself delivering our mission and pursuing our goals with us, then check out the job description below!

What you’ll do:

• 1st Shift: (7:00 AM - 4:00PM)
• Develop, document, and enforce standard operating procedures (SOPs) for network and security incidents.
• Act as the primary escalation point for major network outages and security incidents.
• Identify areas for incident responses to be automated and tools to be optimized.
• Collaborate with Operations and engineering teams to maintain optimal service levels.

What you’ll need to succeed:

• An active TS/SCI clearance
• 5+ years of experience in a NOSC, NOC, or SOC environment.
• Strong knowledge and configuration experience of network monitoring (e.g. SolarWinds, PRTG, Nagios) and SIEM tools (e.g. Splunk, QRadar, ArcSight).
• Experience managing network incidents, security events, and cyber threat response.
• Familiarity with ITIL frameworks, incident management, and service desk operations.
• Strong troubleshooting experience with firewalls, VPNs, IDS/IPS, and cloud security (AWS, Azure, GCP).

SALARY RANGE: $128,000 - $168,000

The salary range for this position is determined based on qualifications, skills, and relevant experience. The final salary offered will be determined based on several factors including: 

• The candidate's professional background and relevant work experience
• The specific responsibilities of the role and organizational needs
• Internal equity and alignment with current team compensation
• This role is also eligible for additional compensation, subject to the terms and policies of MetroStar, which may include:
• Performance-based bonuses
• Company-paid training and/or certifications
• Referral bonuses

We are looking for a versatile SOC analyst to join the team and write, tune and respond to alerts covering the entire environment from endpoints to cloud infrastructure. This exciting opportunity empowers you to ensure the right alerts come in and you don’t burn out on false positives. We are a forward thinking organization that leverages AI. Your work would take place during regular business hours. Weekend coverage will be necessary. From time to time evenings as well. The expectation is that we build for 24x7 coverage but you will be asked to step in to assist the team.

Responsibilities:

• Review and triage security alerts from a wide variety of sources across the organization
• Carefully tune rules to reduce false positives
• Write new rules to ensure appropriate MITRE ATT&CK framework coverage
• Escalate potential incidents
• Assist in any incident response activities
• Ability to run projects from beginning to end
• Work with Engineering and IT on visibility coverage and detection       

Qualifications:

• 2+ years responding to alerts
• Familiar with MITRE ATT&CK framework
• Comfortable writing and tuning detection rules
• Experience triaging alerts and establishing if an event rises to an incident
• Varied exposure to a variety of application, SaaS, cloud and end point logs
• Strong communication skills towards technical and non-technical people
• Preference for people who have experienced a real life security incident that they detected                   

If you are interested in this opportunity, please apply with your resume and cover letter. We are an equal opportunity employer and welcome all qualified candidates to apply.

Why Join BitGo?

Disrupting an industry takes vision, innovation, passion, technical chops, drive to deliver, collaboration, and execution. Join a team of great people who strive for excellence and personify our corporate values of ownership, craftsmanship, and open communication. We are looking for new colleagues who bring innovative ways of thinking and problem solving, and who want risks to be part of the team that changes the world’s financial markets.

Here are some of the benefits* of working at BitGo:

• Competitive base salary, bonus and stock options
• 100% company paid health insurance for employee, partner and dependents
• Up to 4% 401k company match
• Paid parental leave, Paid vacation
• Free commuter/parking pass; 5 min from Caltrain
• Free custom lunches, dinners and snacks 
• Computer equipment and workplace furniture to suit your needs
• Great colleagues and inspiring startup environment
• *Benefits may vary based on location 

Cryptocurrencies are the most disruptive change the financial services industry has seen in years. Join us and you’ll be able to look back and say you were part of the team that transformed investing.

Pay Transparency Notice: Depending upon your leveling and location, the compensation for this role averages between $115,000 - $145,000 USD base salary. Equity, an annual performance bonus and the benefits outlined below are also a part of this role's package.

We are looking for a versatile SOC analyst to join the team and write, tune and respond to alerts covering the entire environment from endpoints to cloud infrastructure. This exciting opportunity empowers you to ensure the right alerts come in and you don’t burn out on false positives. We are a forward thinking organization that leverages AI. Your work would take place during regular business hours. Weekend coverage will be necessary. From time to time evenings as well. The expectation is that we build for 24x7 coverage but you will be asked to step in to assist the team.

Responsibilities:

• Review and triage security alerts from a wide variety of sources across the organization
• Carefully tune rules to reduce false positives
• Write new rules to ensure appropriate MITRE ATT&CK framework coverage
• Escalate potential incidents
• Assist in any incident response activities
• Ability to run projects from beginning to end
• Work with Engineering and IT on visibility coverage and detection       

Qualifications:

• 2+ years responding to alerts
• Familiar with MITRE ATT&CK framework
• Comfortable writing and tuning detection rules
• Experience triaging alerts and establishing if an event rises to an incident
• Varied exposure to a variety of application, SaaS, cloud and end point logs
• Strong communication skills towards technical and non-technical people
• Preference for people who have experienced a real life security incident that they detected                   

If you are interested in this opportunity, please apply with your resume and cover letter. We are an equal opportunity employer and welcome all qualified candidates to apply.

Why Join BitGo?

Disrupting an industry takes vision, innovation, passion, technical chops, drive to deliver, collaboration, and execution. Join a team of great people who strive for excellence and personify our corporate values of ownership, craftsmanship, and open communication. We are looking for new colleagues who bring innovative ways of thinking and problem solving, and who want risks to be part of the team that changes the world’s financial markets.

Here are some of the benefits* of working at BitGo:

• Competitive base salary, bonus and stock options
• 100% company paid health insurance for employee, partner and dependents
• Up to 4% 401k company match
• Paid parental leave, Paid vacation
• Free commuter/parking pass; 5 min from Caltrain
• Free custom lunches, dinners and snacks 
• Computer equipment and workplace furniture to suit your needs
• Great colleagues and inspiring startup environment
• *Benefits may vary based on location 

Cryptocurrencies are the most disruptive change the financial services industry has seen in years. Join us and you’ll be able to look back and say you were part of the team that transformed investing.

Pay Transparency Notice: Depending upon your leveling and location, the compensation for this role averages between $115,000 - $145,000 USD base salary. Equity, an annual performance bonus and the benefits outlined below are also a part of this role's package.

Role Overview

The Information Security Analyst will support a wide range of information security, vendor management, procurement, audit, and technical security activities across the business. The role involves working closely with teams such as Legal, Procurement, IT, and Engineering to ensure security best practices are embedded in company processes and supplier relationships.

This position would suit someone with experience in roles such as IT Helpdesk, IT Operations, Risk & Compliance, Internal Audit, or Security Operations who is looking to develop a career in Information Security.

Key Responsibilities:

Commercial Support

• Assist with RFP responses and client security questionnaires.
• Support client annual security audits and due diligence requests.
• Respond to internal and external queries relating to information security controls.
• Review and interpret security-related contractual clauses, including data protection, data retention, and audit requirements.

Procurement & Supplier Due Diligence

• Support the supplier security due diligence process for new vendors.
• Participate in procurement and supplier onboarding discussions.
• Collaborate with teams to ensure suppliers meet company security standards.

Vendor Risk Management

• Maintain annual vendor due diligence reviews and documentation.
• Track supplier inventories and criticality ratings.
• Monitor performance and risk indicators for key suppliers (SLA breaches, downtime, incidents, and news).
• Support projects such as fourth-party risk assessments and information gathering.
• Monitor scope changes in vendor products and services as they become available.
• Work closely with Legal, IT, and Security teams on emerging topics such as AI usage and third-party tools.

IT & Technical Security

• Work with IT and Security teams to research new technologies and integrations.
• Support technical security initiatives and projects.
• Conduct data flow mapping and architecture documentation.
• Assist in evaluating system integrations (for example applications connected to CRM platforms).
  
  

Audit & Compliance

• Support ongoing security and compliance programmes including ISO/IEC 27001 and SOC 2.
• Assist with internal audit activities and control checks.
• Help maintain documentation and evidence required for audits and certifications.

Required Skills:

• Experience working with similar roles, ideally in IT support, security operations, compliance, or internal audit.
• Good understanding of core IT and security concepts such as:
  
  
• Endpoint management
• Identity and access management
• APIs and integrations
  
  
• Ability to work across multiple teams and communicate effectively with both technical and non-technical stakeholders.
• Strong organisational skills and ability to manage projects and documentation.
• Comfortable handling both operational tasks and more complex security projects.
• Ability to build strong internal relationships and collaborate across departments.
• Pragmatic and solution-oriented approach to information security.
• Experience working with or evaluating AI tools and products

Candidates should ideally have:

• A relevant qualification in Information Security, IT, Cybersecurity, or Computer Science, or
• Relevant professional certifications (or working toward them), such as:
• ISO 27001 Lead Implementer / Lead Auditor
• CISA or similar
• Equivalent hands-on experience in IT, security, or audit roles will also be considered.

Nice to Have:

• Experience with security audits or compliance frameworks such as ISO 27001, SOC 2, FedRAMP & ISO 42001
• Familiarity with ticketing or workflow tools such as Jira.
• Exposure to vendor risk management or supplier due diligence.

Benefits:

• Equity as we want you to have a part of what we are building 
• Unlimited Time Off Policy- A work-life balance and focus on our well-being are critical 
• Budget to set up your home office upon joining
• Annual learning budget to drive your performance and career development
• Comprehensive Private Health Insurance through Advancecare
• Work from anywhere policy up to 90 days during the year
• Team events across the year, from board games in the office to a team building in a different location

The role 

The role will involve working across a range of areas to support the information security needs of a busy, high-profile website, as well as an administrative IT environment that supports nearly 1,000 people across 3 office locations with many remote workers. As well as working closely with the other members of the Information Security team, the role will also require extensive engagement across other teams across Rightmove (including IT, Engineering etc.) to ensure security objectives are being met, incidents are being responded to effectively, and our security stance remains strong.  

What you’ll be doing 

• Providing technical leadership and acting as a subject matter expert on information security best-practice. 

• Planning and delivering projects to achieve our information security objectives. 

• Collaborating with the IT Infrastructure team on the security elements of migrating Windows estate into Azure.  

• Advising our website platforms teams on security considerations impacting our website hosting environment in Google Cloud Platform & GKE. 

• Working with team members and service providers on SIEM and XDR tooling and establishing processes and playbooks to support incident response and SOC activities.  

• Playing a leading role in managing incident response activities and engaging with third party DFIR specialists where necessary.  

• Leading threat hunts to proactively discover potential compromises before they lead to bad security outcomes. 

• Working with team members and external partners on penetration tests and red team engagements to assess our security posture, along with our detection and recovery capabilities. 

• Helping to evaluate our response to regulatory/legislative requirements and recommending improvement actions where necessary (e.g. FCA compliance, ISO27001, PCI-DSS, GDPR etc). 

• Keeping up to date with cyber threat intelligence and emerging attack vectors, always evaluating the materiality of the threat to Rightmove and helping shape our response. 

• Coaching and developing your people, with regular 1-to-1s and continuous feedback. 

• Supporting your team members by actively removing blockers

We’re looking for someone who 

• Has a passion for Information Security and understands how this is embedded into an organisation. 

• Can manage their own workload, making decisions on what tasks need to be prioritised. 

• Is confident to communicate and collaborate with internal and external stakeholders, either individually or in group settings, and across a variety of levels of seniority and technical understanding. 

• Can reach decisions, even if they are difficult, and is able to provide a clear explanation of the rationale and approach taken. 

• Can be trusted to keep confidences, and displays a high level of professional integrity. 

• Follows through on commitments and can be relied upon to get things done. 

• Is proactive, hands-on and wants to make things better. 

What you’ll bring to the role 

• Minimum of five years working in a technical security-based role.  

• A high-level Security qualification such as a CISSP, SANS Cyber Defence, EC-Council Certified Security Analyst, OSCP etc. 

• Professional experience in three or more of the following areas (and a willingness to learn about the others): 

• Securing Windows, Active Directory and M365 environments 

• Linux security 

• Container security 

• Cloud security (ideally in GCP and / or Azure environments) 

• Microsoft 365 security (including Defender, Purview etc.) 

• SIEM, SOAR and EDR / XDR systems  

• Incident Response. 

• Strong understanding of networking principles including TCP/IP, DNS etc. and commonly used Internet protocols such as SMTP, HTTP etc. 

• Experience working in IT security in a cloud hosted environment.  

• Good data processing skills – experience with Google SecOps, ELK, Splunk or similar would be beneficial  

• Report writing and note taking skills.  

• Ability to prioritize both operational and project demands. 

• Line management experience. 

• Ability to handle high pressure situations in a productive and professional manner.

See yourself at Twilio

Join the team as Twilio’s next Security Compliance & Regulatory Affairs Analyst 

About the job

We are actively recruiting for this role to support Twilio’s global security regulatory program and directly support the SCRA Lead in executing and scaling the company’s regulatory strategy.

This position is responsible for independently owning delegated components of regulatory analysis, triage, normalization, and operationalization of global cybersecurity and telecom regulatory obligations (e.g., NIS 2, TSA UK, Singapore IMDA), while contributing to broader program-level initiatives led by the SCRA Lead.

The role operates with high autonomy and is expected to take ownership of assigned workstreams end-to-end, requiring strong critical thinking, defensible regulatory interpretation, designing and executing cross-functional initiatives, and the ability to operate without detailed instruction.

Responsibilities

In this role, you’ll:

• Support the SCRA Lead in executing Twilio’s global security regulatory strategy, including contributing to program design, prioritization, and long-term regulatory planning
• Independently interpret complex and ambiguous regulatory frameworks (e.g., NIS 2, EU transpositions, TSA UK) and provide structured outputs that support Lead-level strategy and decision-making
• Support the development and maintenance of regulatory repositories and systems of record, ensuring accuracy, traceability, and audit readiness
• Execute and continuously improve the Cyber Regulation Intake & Triage process in partnership with Legal, ensuring consistent classification, routing, and lifecycle tracking of regulatory obligations
• Map regulatory requirements to internal control frameworks (e.g., UCF, ISO 27001, internal standards), identifying gaps and supporting Lead-driven control strategy decisions
• Develop regulator-ready and high-quality artifacts, including evidence mappings, control narratives, risk statements, and audit support documentation
• Identify, analyze, and escalate regulatory risks and audit obligations, supporting proactive planning and risk visibility at the program level
• Partner cross-functionally with Legal, Public Policy, R&D, Security, Product, Sales, and Risk teams, supporting the Lead in aligning regulatory interpretation with technical and business implementation
• Drive execution of process improvements, tooling enhancements, and automation initiatives defined by the SCRA program
• Operate with high ownership and accountability, executing work independently while aligning to strategic direction set by the SCRA Lead

Qualifications 

Twilio values diverse experiences from all kinds of industries, and we encourage everyone who meets the required qualifications to apply. If your career is just starting or hasn't followed a traditional path, don't let that stop you from considering Twilio. We are always looking for people who will bring something new to the table!

*Required 

• Experience: 5–8+ years of experience in security compliance, telecom compliance, regulatory affairs, GRC, or related domain within a global technology, cloud, or telecom environment
• Experience: Experience interpreting and operationalizing security frameworks and regulations (e.g., NIS 2, ISO 27001, SOC 2, telecom regulatory regimes)
• Experience: Experience mapping regulatory requirements to control frameworks, policies, and technical implementations
• Technical Domain Expertise: Broad understanding of security architecture, networking, access control, software development, cryptography, and operations. You should be fluent in how security controls are implemented across applications, systems, and cloud platforms to reduce inherent risk.
• Technical Domain Expertise: Ability to analyze ambiguous regulations / regulatory requirements and produce defensible interpretations to support leadership decision-making
• Communication: Strong written communication skills with ability to produce audit-ready and regulator-defensible documentation
• Stakeholder Partnership: Proven ability to collaborate across Legal, Engineering, Security, Product, Sales, and Risk teams in support of program objectives
• Strategic Mindset: High level of self-sufficiency, critical thinking, and ownership, with ability to execute without detailed instruction
• Adaptability: Demonstrated ability to independently execute and deliver complex workstreams end-to-end, while operating under high-level guidance
• Adaptability: Ability to manage multiple concurrent priorities in a global, fast-evolving regulatory landscape

*Desired:

• Technical Domain Expertise: Deep understanding of hybrid cloud environments (AWS/GCP), on-premise infrastructure, APIs, and microservices architectures. Experience in the Telecommunications sector (e.g. telecommunications or CPaaS environments involving messaging, voice, network security) highly preferred.
• Familiarity with primary global regulatory regimes (EU, UK, APAC, LATAM)
• Experience working with regulatory repositories, intake/triage workflows, or compliance automation systems
• Experience supporting external audits or regulator engagements
• High-Octane Individual Contributor: You are a self-starter who takes pride in being a "force multiplier." You have a proven ability to produce high-quality, audit-ready deliverables with minimal oversight.
• Master of Multi-Tasking: Exceptional organizational skills with the ability to context-switch effectively, managing a high volume of concurrent projects and emerging regulations without sacrificing depth or accuracy.
• Collaborative Partner: You don't work in a silo. You are skilled at building bridges across Legal, R&D, Security, and IT, ensuring that Security Regulatory Affairs is integrated as a seamless partner
• Efficiency Expert: You are constantly looking for ways to optimize your own output and team processes, turning manual, repetitive tasks into streamlined, automated successes.
• Executive Presence: Ability to distill granular technical findings into concise, high-level summaries that drive decision-making at the leadership level.

Location

This role will be remote and based in Ontario, British Columbia or Alberta, Canada. 

Travel

We prioritize connection and opportunities to build relationships with our customers and each other. For this role, you may be required to travel occasionally to participate in project or team in-person meetings.

What We Offer

Working at Twilio offers many benefits, including competitive pay, generous time off, ample parental and wellness leave, healthcare, a retirement savings program, and much more. Offerings vary by location. Based on role, employees may also be eligible for additional compensation and benefits, including but not limited to incentive programs, commissions, equity grants, health and wellness benefits, retirement contributions, and paid time off.

The estimated pay ranges for this role are as follows:

• $120,640 - 150,800 CAD
• Target Bonus Percentage: 15% 

The successful candidate’s starting salary will be determined based on permissible, non-discriminatory factors such as skills, experience, and geographic location.

The Compliance team at MongoDB manages the strategy, execution, and maintenance of our global security certifications and regulatory requirements. We ensure that our cloud database products meet the rigorous security standards required by our customers in the most highly regulated industries worldwide.

We act as the primary interface between external auditors and our internal Product, Engineering, and Legal teams. Our goal is to translate complex regulatory requirements into scalable operational processes, maintaining a compliant and audit-ready posture across our diverse portfolio.

The Program Manager / Senior Analyst is a mid-to-senior level individual contributor role responsible for leading high-stakes audits and specialized compliance workstreams. Unlike the Analyst level, this role takes full ownership of complex international frameworks—such as IRAP and ENS High—and manages the relationship with our Financial Services customers during audit deep-dives. You will lead internal audit cadences and perform gap analyses for new market expansions.

Responsibilities:

• Lead the end-to-end execution of specialized external audits (e.g., ENS High, IRAP, ISO 22301) and coordinate all phases from initial scoping to final certification
• Serve as the lead point of contact for Financial Services customer audits, facilitating meetings, responding to security questionnaires, and defending our control environment to external stakeholders
• Lead internal audit cadences and drive the POA&M tracking process, ensuring technical teams remediate findings within required SLAs
• Map new regulatory requirements to our central control framework, performing gap analyses to identify where existing controls can be leveraged for new certifications
• Conduct NIST CSF or similar maturity assessments to monitor the effectiveness of the Compliance Program and report findings to team leads
• Author and review customer-facing security documentation, ensuring it accurately reflects our technical controls and architectural guardrails
• Partner with Engineering and Product leads to implement compliance-by-design, ensuring future product roadmaps align with global regulatory shifts

Requirements:

• 7+ years in GRC, Information Security, or IT Audit, specifically within a high-growth SaaS/Cloud environment
• Deep understanding of cloud security principles (AWS/GCP/Azure) and a proven track record leading technical audits for ISO 27001, SOC 2, or ENS High
• Solid grasp of audit processes, terminology, and risk assessment standards. Certifications such as CISA, CRISC, CISSP, or ISO Lead Implementer are highly preferred
• Exceptional ability to lead meetings with external customers and auditors, translating technical complexities into business risk and compliance assurance
• Advanced proficiency in Jira for tracking control performance data and managing high-volume remediation workflows
• Practical experience performing gap analyses and maturity assessments at an enterprise level

Responsibilities & Expectations

• You are expected to be a subject matter expert who can operate with minimal supervision
• You don't just track tasks; you own the success of the program
• You are expected to navigate complex audit negotiations with external parties and drive internal technical teams toward compliance milestones without disrupting innovation

Scope & Complexity

• The scope is international and technically diverse. You will manage overlapping audit cycles across different global jurisdictions (e.g., Spain, Australia, US) and complex industry sectors
• You are responsible for identifying how a single technical control can satisfy multiple global regulatory requirements simultaneously

Authority & Impact

• You have the authority to lead audit engagements and represent MongoDB’s security posture to sophisticated Financial Services customers
• Your impact is direct: by securing and maintaining these certifications, you enable our sales organization to close enterprise-level deals in highly regulated markets

Expertise

• You will be recognized as an expert in implementing our Common Controls Framework
• You move beyond general compliance to become a specialist in how MongoDB’s architecture satisfies specific, high-bar standards like IRAP and ENS High. You are the go-to for mapping technical evidence to regulatory intent

Leadership

• Leadership in this role is demonstrated through influence and mentorship. While you may not have direct reports, you lead cross-functional project teams through intense audit cycles and mentor junior analysts on audit methodology, documentation standards, and professional communication

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB. 

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB, Inc. provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type and makes all hiring decisions without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.

REQ ID: 1273402295

The Information Security Risk Team at MongoDB is the operational engine of the internal and third-party risk programs. Situated within the Assurance, Risk, and Compliance (ARC) organization, the team is responsible for the "Reduction of Uncertainty" across the enterprise. We view this team as the "Operational Commander" of the risk function. The team oversees the entire lifecycle of risk identification, assessment, and treatment, ensuring that MongoDB’s leadership has a clear, quantified view of the top risks facing the organization. We are not just a compliance function; we are a "Risk Intelligence" unit that empowers the business to "Think Big" while keeping our eyes wide open to the risks we accept.

As the Senior Information Risk Analyst, you will serve as the subject matter expert and primary executor of our risk function. Reporting directly to the Risk Director, you will be responsible for conducting and owning the lifecycle of internal security assessments (annual + ad-hoc), applying risk methodology, producing risk memos and working with asset/risk owners across the business that powers MongoDB’s growth. This is a pivotal moment for our Risk function as we scale operations to meet the demands of a $100B+ database market while navigating an increasingly rigorous regulatory landscape (DORA, FedRAMP, NIS2).

This role can be based out of our Dublin office or remotely in Ireland. 

Responsibilities

Program Maturity

• Risk Assessment Methodology Implementation: Lead the strategic roadmap to integrate the risk matrix into the risk framework
• Regulatory Governance: Ensure the risk program complies with global regulations, specifically DORA (EU) regarding ICT registers and FedRAMP Rev 5 supply chain controls Maintain the Supply Chain Risk Management (SCRM) plan and oversee strict boundary protections for the "Atlas for Government" environment
• Policy & Procedure Ownership: Maintain the Information Risk Management Procedure (ISQMS), ensuring that risk identification, assessment, and treatment processes are documented, updated annually, and followed consistently across the organization

Operational Execution

• Experience conducting technical security risk assessments (infrastructure, cloud, application-level). Including experience in evaluating control effectiveness through technical evidence (configurations, logs, architecture diagrams)
• Workflow Orchestration: Own the end-to-end risk assessment process
• Inherent Risk Scoring: Validate the team’s application of the Risk Scoring formula.   Apply the risk scoring formula for baseline scores based on breach history (last 12 months) and weighted impact
• Ensure the risk acceptance process has the right level of information and the appropriate stakeholders
• Ticket Hygiene: Actively manage the Jira backlog to prevent "frozen tickets”

Monitoring and Reporting

• Conduct annual enterprise security risk assessments and ad-hoc assessments as triggered by material changes, incidents, or new initiatives
• Identify risk scenarios for the in-scope assets by working with the asset and risk owners
• Assess the inherent risk and residual risk based on established risk assessment methodology and control assessments
• Synthesize the analysis into high-quality, Risk Assessment Memos. These documents must tell a cohesive story, moving from the "Risk Statement" to the "Calculation Logic" to the final "Risk Rating"
• Manage the risk acceptance process in JIRA, review for appropriateness and accuracy
• Maintain the Risk Management Dashboard and report on accurate risk metrics

Requirements

• Professional Experience: 10+ years of experience in Information Security, Governance, Risk & Compliance (GRC)
• Hands-on experience conducting enterprise-level security risk assessments end-to-end, including scoping, threat modeling, control evaluation, and executive reporting
• Evaluate control effectiveness using technical evidence (configs, logs, architecture diagrams)
• Perform threat modeling using established methodologies (STRIDE, MITRE ATT&CK)
• Deep operational understanding of risk assessment methodologies (NIST SP 800-30) and standard control frameworks (NIST CSF, NIST SP 800-53, ISO 27001, SOC 2, SIG Core/Lite, CAIQ)
• Regulatory Knowledge: Comprehensive knowledge of DORA, NIS2, FedRAMP Rev 5 (specifically Supply Chain/SCRM), GDPR, and PCI-DSS requirements
• Ability to write executive-level risk reports that translate technical flaws into business risks
• A strong track record of collaborating effectively across teams and levels to influence change
• Education: Bachelor’s degree in a relevant field (Cybersecurity, Business, Information Systems)
• Certifications: CRISC, CCSP, CISSP, CISA, relevant cloud certifications

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB. 

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB is an equal opportunities employer.

Req ID: 1273387742

Description:

The Information Security Risk Analyst is the operational engine of the internal risk program. While the Senior IRM Analyst and Risk Director define the strategic roadmap, the Analyst ensures the daily execution of that strategy. They are responsible for the "production line" of risk assessment: taking raw signals from the business, processing them through the established methodology, and outputting actionable risk decisions (Remediation or Acceptance).

The ultimate objective of this role is Reduction of Uncertainty. By managing the program effectively, the IRM Analyst ensures that MongoDB’s leadership has a clear, quantified view of the top risks facing the enterprise. They transform the Risk Register from a static spreadsheet into a dynamic governance tool that drives accountability.

The IRM Analyst must not be afraid to be in the trenches with the Engineering and Product teams. They are the primary face of the "Risk Intake Process," guiding stakeholders through the methodology. They are the gatekeeper of quality, ensuring that no risk enters the register until it has been properly scoped and quantified.

Responsibilities:

Risk Identification & Assessment

• Execute risk assessments under senior guidance - perform scoping, inherent risk scoring, control assessment, and residual risk calculation using established methodology
• Conduct risk identification intake, manage the flow of requests from Jira Service Desk and the Issue Intake Tracker, review incoming submissions against entry criteria, assign Risk IDs, and replicate validated risks into the Risk Register
• Act as the Triage Officer for incoming risk submissions, determine whether submissions represent strategic risks, operational issues, or duplicates. Filter noise to focus the team on signals
• Develop risk scenarios for in-scope assets by working with asset owners and risk owners , identify threat communities, threat events, and impact categories
• Draft Risk Assessment Memos that tell a cohesive story from risk statement to risk rating to actionable recommendation. Progressively build toward independently authored memos that require minimal review notes
• Monitor and flag emerging risk signals , including AI-related risks (model integrity, data poisoning, shadow AI, third-party AI dependencies) , and escalate with documented analysis for integration into the risk framework

Control Identification, Mapping & Assessment

• Identify and document controls that mitigate assessed risks , map controls to specific risk scenarios and applicable framework requirements (NIST SP 800-53, ISO 27001, SOC 2)
• Assess the design adequacy of controls , evaluate whether each control is appropriately designed to address the risk it is mapped to, and document findings with supporting rationale
• Assess the operating effectiveness of controls , collect and evaluate evidence to determine whether controls are functioning as designed over the assessment period, and document results
• Document control gaps and support remediation tracking , maintain clear records of where controls are missing, partially effective, or require compensating controls. Track remediation progress
• Maintain control-to-framework mappings to ensure risk assessment outputs directly support audit and certification evidence packages (FedRAMP, SOC 2, ISO 27001, PCI-DSS)

Risk Categorization & Governance

• Apply the established risk taxonomy and categorization methodology consistently across all assessed risks
• Process risk acceptance requests in Jira , validate completeness, ensure documented context and stakeholder sign-off, confirm time-bound conditions, and flag concerns to the Senior lead
• Maintain the Risk Register, risk inventory, and supporting trackers with obsessive attention to data integrity, no missing dates, undefined owners, or stale entries. A Risk Register with governance gaps is a program failure

Reporting & Stakeholder Engagement

• Contribute to KRI data collection and dashboard inputs , support accurate, timely reporting that feeds executive risk dashboards and governance forum materials
• Engage directly with technical stakeholders (engineering, product, infrastructure teams) during risk assessments , ask informed questions, gather evidence, and document findings
• Progressively build the technical fluency to lead stakeholder conversations independently , develop working proficiency in cloud-native architectures, SaaS security models, and common technical controls (IAM, encryption, network segmentation, logging/monitoring)
• Translate technical findings into clear, business-relevant risk language in all written work products

Policy, Process & Governance Hygiene

• Support drafting and maintaining risk procedures, guidelines, and assessment templates across the IRM program scope
• Execute governance hygiene , data quality, tracker maintenance, workflow adherence, evidence organization, and documentation standards
• Manage the risk assessment pipeline in Jira, create and maintain workflows, dashboards, and use JQL to track the assessment ticket lifecycle

Requirements:

Experience & Education:

• 3–5 years of experience in Information Security, Governance, Risk, and Compliance (GRC), or Enterprise Risk Management
• Experience performing risk assessments — including risk identification, inherent/residual risk scoring, and documentation of findings
• Experience identifying, documenting, and evaluating controls — including assessment of design adequacy and operating effectiveness
• Strong working knowledge of NIST CSF, NIST SP 800-30/39/53, and ISO/IEC 27005 — ability to use these frameworks as a library of controls and risk guidance
• Advanced proficiency in Excel/Google Sheets (pivot tables, VLOOKUP, complex formulas) for risk data analysis and reporting
• Jira proficiency — managing projects, creating workflows and dashboards, and using JQL
• Ability to write clear, concise, and defensible Risk Assessment Memos
• Obsessive attention to detail regarding data integrity and documentation quality
• Foundational understanding of cloud-native architectures and common technical controls (IAM, encryption, logging/monitoring, network segmentation) — with a commitment to building deeper technical fluency
• Awareness of AI risk concepts and willingness to develop expertise in emerging AI risk and regulatory landscape
• A strong track record of collaborating effectively across teams and levels
• Bachelor's degree in Cybersecurity, Information Systems, Business Administration, or a related field
• Certifications: At least, one of the following certifications is required - CRISC, CISM, CISSP, or CISA

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB. 

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB, Inc. provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type and makes all hiring decisions without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.

Req ID: 1273425625

Description:

The Information Security Risk Analyst is the operational engine of the internal risk program. While the Senior IRM Analyst and Risk Director define the strategic roadmap, the Analyst ensures the daily execution of that strategy. They are responsible for the "production line" of risk assessment: taking raw signals from the business, processing them through the established methodology, and outputting actionable risk decisions (Remediation or Acceptance).

The ultimate objective of this role is Reduction of Uncertainty. By managing the program effectively, the IRM Analyst ensures that MongoDB’s leadership has a clear, quantified view of the top risks facing the enterprise. They transform the Risk Register from a static spreadsheet into a dynamic governance tool that drives accountability.

The IRM Analyst must not be afraid to be in the trenches with the Engineering and Product teams. They are the primary face of the "Risk Intake Process," guiding stakeholders through the methodology. They are the gatekeeper of quality, ensuring that no risk enters the register until it has been properly scoped and quantified.

Responsibilities:

Risk Identification & Assessment

• Execute risk assessments under senior guidance - perform scoping, inherent risk scoring, control assessment, and residual risk calculation using established methodology
• Conduct risk identification intake, manage the flow of requests from Jira Service Desk and the Issue Intake Tracker, review incoming submissions against entry criteria, assign Risk IDs, and replicate validated risks into the Risk Register
• Act as the Triage Officer for incoming risk submissions, determine whether submissions represent strategic risks, operational issues, or duplicates. Filter noise to focus the team on signals
• Develop risk scenarios for in-scope assets by working with asset owners and risk owners , identify threat communities, threat events, and impact categories
• Draft Risk Assessment Memos that tell a cohesive story from risk statement to risk rating to actionable recommendation. Progressively build toward independently authored memos that require minimal review notes
• Monitor and flag emerging risk signals , including AI-related risks (model integrity, data poisoning, shadow AI, third-party AI dependencies) , and escalate with documented analysis for integration into the risk framework

Control Identification, Mapping & Assessment

• Identify and document controls that mitigate assessed risks , map controls to specific risk scenarios and applicable framework requirements (NIST SP 800-53, ISO 27001, SOC 2)
• Assess the design adequacy of controls , evaluate whether each control is appropriately designed to address the risk it is mapped to, and document findings with supporting rationale
• Assess the operating effectiveness of controls , collect and evaluate evidence to determine whether controls are functioning as designed over the assessment period, and document results
• Document control gaps and support remediation tracking , maintain clear records of where controls are missing, partially effective, or require compensating controls. Track remediation progress
• Maintain control-to-framework mappings to ensure risk assessment outputs directly support audit and certification evidence packages (FedRAMP, SOC 2, ISO 27001, PCI-DSS)

Risk Categorization & Governance

• Apply the established risk taxonomy and categorization methodology consistently across all assessed risks
• Process risk acceptance requests in Jira , validate completeness, ensure documented context and stakeholder sign-off, confirm time-bound conditions, and flag concerns to the Senior lead
• Maintain the Risk Register, risk inventory, and supporting trackers with obsessive attention to data integrity, no missing dates, undefined owners, or stale entries. A Risk Register with governance gaps is a program failure

Reporting & Stakeholder Engagement

• Contribute to KRI data collection and dashboard inputs , support accurate, timely reporting that feeds executive risk dashboards and governance forum materials
• Engage directly with technical stakeholders (engineering, product, infrastructure teams) during risk assessments , ask informed questions, gather evidence, and document findings
• Progressively build the technical fluency to lead stakeholder conversations independently , develop working proficiency in cloud-native architectures, SaaS security models, and common technical controls (IAM, encryption, network segmentation, logging/monitoring)
• Translate technical findings into clear, business-relevant risk language in all written work products

Policy, Process & Governance Hygiene

• Support drafting and maintaining risk procedures, guidelines, and assessment templates across the IRM program scope
• Execute governance hygiene , data quality, tracker maintenance, workflow adherence, evidence organization, and documentation standards
• Manage the risk assessment pipeline in Jira, create and maintain workflows, dashboards, and use JQL to track the assessment ticket lifecycle

Requirements:

Experience & Education:

• 3–5 years of experience in Information Security, Governance, Risk, and Compliance (GRC), or Enterprise Risk Management
• Experience performing risk assessments — including risk identification, inherent/residual risk scoring, and documentation of findings
• Experience identifying, documenting, and evaluating controls — including assessment of design adequacy and operating effectiveness
• Strong working knowledge of NIST CSF, NIST SP 800-30/39/53, and ISO/IEC 27005 — ability to use these frameworks as a library of controls and risk guidance
• Advanced proficiency in Excel/Google Sheets (pivot tables, VLOOKUP, complex formulas) for risk data analysis and reporting
• Jira proficiency — managing projects, creating workflows and dashboards, and using JQL
• Ability to write clear, concise, and defensible Risk Assessment Memos
• Obsessive attention to detail regarding data integrity and documentation quality
• Foundational understanding of cloud-native architectures and common technical controls (IAM, encryption, logging/monitoring, network segmentation) — with a commitment to building deeper technical fluency
• Awareness of AI risk concepts and willingness to develop expertise in emerging AI risk and regulatory landscape
• A strong track record of collaborating effectively across teams and levels
• Bachelor's degree in Cybersecurity, Information Systems, Business Administration, or a related field
• Certifications: At least, one of the following certifications is required - CRISC, CISM, CISSP, or CISA

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB. 

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB is an equal opportunities employer.

Req ID: 1273425625

The Information Security Risk Team at MongoDB is the operational engine of the internal and third-party risk programs. Situated within the Assurance, Risk, and Compliance (ARC) organization, the team is responsible for the "Reduction of Uncertainty" across the enterprise. We view this team as the "Operational Commander" of the risk function. The team oversees the entire lifecycle of risk identification, assessment, and treatment, ensuring that MongoDB’s leadership has a clear, quantified view of the top risks facing the organization. We are not just a compliance function; we are a "Risk Intelligence" unit that empowers the business to "Think Big" while keeping our eyes wide open to the risks we accept.

As the Senior Information Risk Analyst, you will serve as the subject matter expert and primary executor of our risk function. Reporting directly to the Risk Director, you will be responsible for conducting and owning the lifecycle of internal security assessments (annual + ad-hoc), applying risk methodology, producing risk memos and working with asset/risk owners across the business that powers MongoDB’s growth. This is a pivotal moment for our Risk function as we scale operations to meet the demands of a $100B+ database market while navigating an increasingly rigorous regulatory landscape (DORA, FedRAMP, NIS2).

This role can be based remotely in the United States.

Responsibilities

Program Maturity

• Risk Assessment Methodology Implementation: Lead the strategic roadmap to integrate the risk matrix into the risk framework
• Regulatory Governance: Ensure the risk program complies with global regulations, specifically DORA (EU) regarding ICT registers and FedRAMP Rev 5 supply chain controls. Maintain the Supply Chain Risk Management (SCRM) plan and oversee strict boundary protections for the "Atlas for Government" environment
• Policy & Procedure Ownership: Maintain the Information Risk Management Procedure (ISQMS), ensuring that risk identification, assessment, and treatment processes are documented, updated annually, and followed consistently across the organization

Operational Execution

• Experience conducting technical security risk assessments (infrastructure, cloud, application-level). Including experience in evaluating control effectiveness through technical evidence (configurations, logs, architecture diagrams)
• Workflow Orchestration: Own the end-to-end risk assessment process
• Inherent Risk Scoring: Validate the team’s application of the Risk Scoring formula.   Apply the risk scoring formula for baseline scores based on breach history (last 12 months) and weighted impact
• Ensure the risk acceptance process has the right level of information and the appropriate stakeholders
• Ticket Hygiene: Actively manage the Jira backlog to prevent "frozen tickets”

Monitoring and Reporting

• Conduct annual enterprise security risk assessments and ad-hoc assessments as triggered by material changes, incidents, or new initiatives
• Identify risk scenarios for the in-scope assets by working with the asset and risk owners
• Assess the inherent risk and residual risk based on established risk assessment methodology and control assessments
• Synthesize the analysis into high-quality, Risk Assessment Memos. These documents must tell a cohesive story, moving from the "Risk Statement" to the "Calculation Logic" to the final "Risk Rating"
• Manage the risk acceptance process in JIRA, review for appropriateness and accuracy
• Maintain the Risk Management Dashboard and report on accurate risk metrics

Requirements

• Professional Experience: 10+ years of experience in Information Security, Governance, Risk & Compliance (GRC)
• Hands-on experience conducting enterprise-level security risk assessments end-to-end, including scoping, threat modeling, control evaluation, and executive reporting
• Evaluate control effectiveness using technical evidence (configs, logs, architecture diagrams)
• Perform threat modeling using established methodologies (STRIDE, MITRE ATT&CK)
• Deep operational understanding of risk assessment methodologies (NIST SP 800-30) and standard control frameworks (NIST CSF, NIST SP 800-53, ISO 27001, SOC 2, SIG Core/Lite, CAIQ)
• Regulatory Knowledge: Comprehensive knowledge of DORA, NIS2, FedRAMP Rev 5 (specifically Supply Chain/SCRM), GDPR, and PCI-DSS requirements
• Ability to write executive-level risk reports that translate technical flaws into business risks
• A strong track record of collaborating effectively across teams and levels to influence change
• Education: Bachelor’s degree in a relevant field (Cybersecurity, Business, Information Systems)
• Certifications: CRISC, CCSP, CISSP, CISA, relevant cloud certifications

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB. 

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB, Inc. provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type and makes all hiring decisions without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.

Req ID: 1273387742

Position Overview: 

We are seeking a dedicated SOC Analyst to join our dynamic security team. The SOC Analyst will be responsible for monitoring, detecting, and responding to security incidents across our corporate infrastructure, SaaS platforms, data centers, and customer services. This role involves close collaboration with our MSSP partners to maintain a robust security posture as well as working with Product, R&D, IT and the different Datacentres.

Key Responsibilities:

• Security Monitoring: Continuously monitor security alerts and events across various platforms, including Office 365, corporate SaaS applications, and data centers.
• Incident Detection and Response: Identify potential security incidents, conduct initial triage, and coordinate with internal teams and MSSPs for effective response.
• Threat Analysis: Analyze security threats and vulnerabilities to assess potential impact on the organization.
• Collaboration: Work closely with MSSP partners and internal stakeholders to enhance detection capabilities and improve incident response processes.
• Documentation: Maintain detailed records of security incidents, including analysis, response actions, and lessons learned.
• Continuous Improvement: Participate in the development and refinement of SOC processes, playbooks, and procedures to enhance operational efficiency.

Qualifications:

• Education: Bachelor’s degree in Computer Science, Information Security, or a related field.
• Experience: Minimum of 2 years of experience in a SOC or similar security-focused environment.
• Technical Skills:
• Proficiency in using Security Information and Event Management (SIEM) tools.
• Familiarity with cloud security principles and experience with platforms such as Office 365 and other SaaS applications.
• Understanding of network protocols, intrusion detection systems, and incident response methodologies.
• Certifications: Relevant certifications such as CompTIA Security+, Certified Information Systems Security Professional (CISSP), or Certified Ethical Hacker (CEH) are preferred.

• Soft Skills:
• Strong analytical and problem-solving abilities.
• Excellent communication skills, both written and verbal.
• Ability to work collaboratively in a team environment.
• Attention to detail and a proactive approach to identifying and mitigating security threats.
• Fluent in English.

You’ll be the hands-on security engineer embedded with the Institutional Trading and Financial Operations (FinOps) team. Your focus is the secure operation of off-chain trading processes and infrastructure that empowers our institutional business: integrations, signing flows, key custody interfaces, middle-office workflows, order routing and settle pipelines that handle significant capital. You will support risk assessments, operating controls, automation to detect operational anomalies and remediation coordination. This is a high-visibility role where you will focus on operational security engineering - ensuring that the tools and processes our traders use are resilient against both external threats and internal errors. This role does not require smart-contract auditing.

WHAT YOU WILL DO

• Partner with Trading, Middle Office and Quant (Institutional FinOps) teams to map out inventory trading systems, data flows, third-party integrations and custody/settlement touchpoints.
• Conduct deep-dive assessments mapping critical assets and workflows to identify structural vulnerabilities. You will be responsible for defining the Target State and drafting the strategic Risk Treatment Plans (RTP) required to meet institutional-grade standards (e.g., CCSS, NIST, DORA).
• Act as the primary security liaison for Senior Management and third-party vendors. You will translate complex technical gaps into actionable business risk summaries, drive vendor evaluations for core security infrastructure, and manage the project lifecycle for high-impact posture uplifts.
• Implement and maintain monitoring for FinOps-specific security signals such as abnormal order patterns, signature misuse, unusual settlements. You will integrate these signals into our SIEM/SOAR for real-time response.
• Support secrets and key-management hygiene. You will ensure app/service keys are stored in KMS/Vault, scoped to least privilege and rotated automatically to prevent credential leakage.
• Assist product security in triage of SAST/SCA findings for FinOps-related repositories. You will help implement CI checks and remediation playbooks.
• Participate in incident exercises, post-incident reviews and remediation tracking for trading incidents.
• Document controls and produce concise risk summaries for FinOps leads and the Security.

WHAT YOU WILL NEED

• 5+ years in security engineering, platform security, or application security experience.
• Proven expertise in Threat Modeling. Ability to perform structured reviews (e.g., STRIDE) of complex data flows and operational processes.
• Experience with observability and detection tooling (SIEM, logs, metrics) and ability to write basic detection rules.
• Practical experience with KMS/HSM, secrets management platforms (Vault, 1Password, AWS/GCP KMS), IAM patterns and least-privilege.
• Exceptional ability to translate "Technical Debt" into Business Risk for C-suite stakeholders (CFO, CTO, Head of Trading).
• Ability to raise, read and audit Pull Requests in at least one language used in our stack (TypeScript, Java/Kotlin, Python).
• Experience conducting technical due diligence and scoping for third-party security integrations.

NICE TO HAVE

• Familiarity with trading systems or financial operations (market-making, execution, settlement) or close collaboration background with trading/quant teams.
• Exposure to blockchain on-chain concepts (wallets, addresses, transactions) but no requirement to audit contracts.
• Familiarity with SOC operations, and post-incident forensic analysis.
• Familiarity with SOC2, ISO 27001, or financial audit requirements
• Any relevant industry certification

COMPENSATION & PERKS

• Full-time salary based on experience and meaningful equity in an industry-leading company
• This is a role based in our London office, with a mandatory in-office presence four days per week.
• Work from Anywhere Policy: You can work remotely from anywhere in the world for up to 20 days per year.
• ClassPass 
• Unlimited vacation policy; work hard and take time when you need it
• Apple equipment
• The opportunity to be a key player and build your career at a rapidly expanding, global technology company in an emerging field
• Flexible work culture 

About the Role

At Fivetran, we're on a mission to make access to data as simple and reliable as electricity. Our fully automated platform moves data from 700+ sources to any destination reliably and securely — powering the analytics, AI, and decision-making that drives modern businesses forward.

This role will be part of the GRC team. The Fivetran GRC team is responsible for ensuring the continuous integrity, confidentiality, and availability of customer data. Our customers trust us with their most sensitive information, and maintaining that trust is a critical, core component of both our product and our business.

We are seeking a motivated and detail-oriented Senior GRC Analyst to join our Security team. This role is ideal for a control-focused audit professional with a solid understanding of IT systems and infrastructure. Strong communication skills are essential, as is the ability to collaborate and influence across functions and levels of the organization. The position reports to the Director of GRC and will provide broad cross-functional exposure, working closely with teams across Security, Engineering, Operations, IT, and HR.

This is a full-time position based in our Bangalore office. We offer a hybrid work model that blends remote flexibility with in-person collaboration, with two days per week in office.

Technologies You’ll Use

• GRC platform for organizing, tracking, and managing controls, testing activities, and audit evidence
• Cloud platforms, including AWS, Azure, and GCP, for understanding and evaluating cloud-hosted environments and associated controls
• Jira for ticket management, workflow tracking, and cross-functional collaboration
• GitHub for version control and collaboration on security documentation and policy management
• Google Workspace for day-to-day productivity, documentation, and internal communication

What You’ll Do

• Conduct control walkthroughs, testing, and evaluation of IT general controls and application controls across a complex systems landscape, with coverage spanning ISO 27001, PCI-DSS, SOC 1, SOC 2, and other applicable frameworks
• Partner with cross-functional teams to design, implement, and continuously improve control processes and related documentation
• Support third-party vendor assessments, evaluating vendors against established security and privacy standards and requirements
• Develop, maintain, and update Information Security Policies and Standards in alignment with industry best practices and regulatory obligations
• Participate in IT SOX scoping, risk assessment, and control design activities, contributing to the organization's overall internal control environment
• Prepare and deliver clear, accurate internal status reports to communicate control findings, remediation progress, and program updates to relevant stakeholders

Skills We’re Looking For

• Demonstrated experience in security audit, IT audit, and risk management, with a strong understanding of control frameworks and audit methodologies. 
• Working knowledge of industry compliance frameworks, including NIST, ISO 27001, SOC 1, SOC 2, and PCI-DSS
• Familiarity with cloud technologies and environments, including one or more of GCP, AWS, and Azure, with an understanding of cloud-specific security and control considerations
• Strong analytical and technical problem-solving skills, with the ability to assess complex control environments and draw well-supported conclusions
• Proven ability to work collaboratively across functions, taking initiative and contributing constructively to shared team objectives
• Effective at managing multiple concurrent workstreams, with strong organizational skills and the ability to prioritize in a fast-paced environment
• Excellent written, verbal, and interpersonal communication skills, with the ability to present complex information clearly to both technical and non-technical audiences

Bonus Skills​

• Familiarity with FedRAMP compliance requirements and the associated authorization process and control framework
• Professional certifications in audit or information security, such as CISA, CISSP, AWS, or SANS GIAC designations, are strongly preferred
• Prior experience working at or directly with a Big 4 public accounting firm, with exposure to large-scale audit and advisory engagements
• Experience leveraging AI tools to build workflow automations and drive operational efficiencies within a GRC or security context

#LI-HYBRID

#LI-VM1

Who we are

Moniepoint Inc. is Africa’s all-in-one financial ecosystem, helping 10 million businesses and individuals access seamless payments, banking, credit, and business management tools since 2019.

As Nigeria’s largest merchant acquirer, it powers most of the country’s Point of Sale (POS) transactions. Through its subsidiaries, Moniepoint Inc. processes $22 billion monthly for its customers while operating profitably.

Curious about what makes Moniepoint an incredible place to work? Check out posts on how we cultivate a culture of innovation, teamwork, and growth.

Role Overview:

The Threat Intelligence Analyst will support Moniepoint’s security operations by monitoring, analyzing, and reporting on emerging cyber threats targeting the financial sector. This role is ideal for early-career cybersecurity professionals looking to build hands-on experience in threat intelligence, OSINT, and adversary analysis within a fast-paced fintech environment.

The analyst will work closely with SOC, Fraud Operations, Product Security and other relevant stakeholders to translate threat data into actionable intelligence.

Key Responsibilities

Threat Monitoring & Collection

• Monitor open-source, dark web, and underground forums for threats relevant to Moniepoint and the financial sector
• Track ransomware groups, stealer malware, phishing campaigns, brand impersonation, and fraud-related threats
• Collect Indicators of Compromise (IOCs) including domains, IPs, URLs, hashes, and malicious infrastructure

Analysis & Intelligence Production

• Perform basic triage and analysis of threat data to determine relevance and risk
• Assist in identifying adversary tactics, techniques, and procedures (TTPs)
• Support mapping of threats to MITRE ATT&CK where applicable
• Contribute to daily, weekly, and ad-hoc threat intelligence reports

Stakeholder Support

• Share relevant intelligence with relevant stakeholders
• Assist in validating alerts and external threat reports
• Support investigations related to phishing, account takeover, and third-party risks

Documentation & Continuous Improvement

• Maintain threat logs, actor profiles, and intelligence repositories
• Document analytical findings clearly and concisely
• Learn and apply CTI frameworks, tools, and best practices

Support Incident Response & Vulnerability Management Units

• Assist in Incident Response tasks and post-incident analysis when needed.
• Assist in Threat Intelligence tasks from internal and external sources when needed.
• Conduct regular vulnerability scans and assessments on networks, systems, and applications.
• Analyze scan results to identify vulnerabilities, potential risks and ensure timely remediation.

Required Qualifications

• Bachelor’s degree in Cybersecurity, Computer Science, Information Systems, or related field
• Good understanding of cybersecurity concepts (malware, phishing, ransomware, fraud)
• Familiarity with OSINT concepts and publicly available intelligence sources
• Strong analytical and critical-thinking skills
• Good written communication skills with attention to detail

Preferred / Nice-to-Have

• 3 - 5 years of Experience in SOC, IR or Threat Intelligence
• Familiarity with MITRE ATT&CK, Pyramid of Pain, or Diamond Model
• Good knowledge of SIEM, EDR, Threat Intelligence Tools, OSINT Tools.
• Exposure to fintech or financial-sector threats is a good advantage.
• Certifications such as Security+,EC-Council CTIA

What we can offer you

• Culture -We put our people first and prioritize the well-being of every team member. We’ve built a company where all opinions carry weight and where all voices are heard. We value and respect each other and always look out for one another. Above all, we are human.
• Learning - We have a learning and development-focused environment with an emphasis on knowledge sharing, training, and regular internal technical talks.
• Compensation - You’ll receive an attractive salary, pension, health insurance,, Employee Stock Options, annual bonus, plus other benefits.
  

What to expect in the hiring process

• A preliminary phone call with the recruiter
• A technical interview with a Team Lead
• A behavioural and technical interview with a member of the Executive team. 

Join the Bloomreach GIST (Global Information Security & Technology) team as an Associate Security Analyst and help protect our e-commerce environment from threats, vulnerabilities, and sophisticated attackers. Your work will have a significant impact on numerous customers across various e-commerce verticals and hundreds of millions of online users. As a core member of our globally distributed 24/7 Security Operations Team, you can work full-time from our India offices or from home.

Your job will be (but not limited to)

● To Monitor, analyze & interpret security/system/application/infrastructure logs for events, configuration irregularities & potential incidents
● To leverage security tools, custom built dashboards and/or proactive identification approaches to detect anomalous activities
● Monitoring Cloud infrastructure for security-related events
● Monitoring threat/vulnerability landscape and security advisories, coordinate and escalate as appropriate
●To work with application security teams, product specialists, GRC, legal teams on active incidents and/or investigations
● To participate in a major incident call, document incident report summaries
● To document, follow and execute standard operating procedures (SOPs)
● Documenting/Managing/maintaining & following use cases, playbooks and/or knowledge base articles
● To work on incidents, requests related to security
● Owning responsibilities within a shift with a positive mindset towards growth & upskilling

Professional experience, skills & requirements

● 2+ years of hands on experience as part of a 24*7 Security Operations team OR a starter with equivalent degree/specialization in the area of Cyber Security with a proven project dealing in the new age landscape (SaaS platform Security, SecOps, API/Container Security, Threat Intel/Hunting, Vulnerability Management).
● Hands on experience or deep knowledge on usage of SIEM, SOAR, EDR ( modules like TI, VM, DLP)
● Exposure or experience in using any of CSPM tools (SentinelOne, Falcon Horizon, Wiz,Sysdig,Prisma cloud,MS Defender)
● Exposure or experience in assessing, interpreting & managing vulnerabilities using relevant tools.
● Knowledge of either AWS or GCP is must
● Should possess positive attitude to participate, own & drive tasks for POCs for various tools
● Understanding of risk framework
● Ability to assess emerging trends & threats in cyber security space
● Should possess good analytical, problem-solving, and interpersonal skills. Should be able to apply & provide logical reasoning
● Knowledge of NIST framework, OSINT standards, MITRE ATT&CK framework & cybersecurity incident lifecycle is an advantage. Beginner level of understanding is mandatory
● Mandatory to work in a 24/7 rotation shift & weekends
● Possess excellent command on communication in English being a good listener, speaker & reader 

Your success story will be:

In the first 30 days you will

● Understand the roles & responsibilities of SOC team, in-scope vs out of scope tasks
● Read & understand SOPs, Policies & working procedures of the team
● Shadow peers in day to day work, overlook tickets, alerts, incidents, understand the current state of ongoing projects/enhancements etc

In the next 30 days you will (60 days from start)

● Start owning incidents, tasks as independent contributor with a peer shadowing you
● Participate in incident related calls, cross team/department meetings
● Handle SIEM/SOAR/EDR events

In the next 30 days you will(90 days from start)

● You will start documenting or tweaking existing SOPs, process document
● You will bear responsibilities of representing team in forums/meetings/discussions
● You will start managing shift alone when needed
● You will adapt yourself to service improvement mindset and contribute to overall success of the team

Position Overview:
Seeking a Security Analyst to join our Security Operations Center (SOC), focusing on incident response and threat detection. This role involves working with enterprise SIEM platforms, EDR solutions, and incident management tools to protect IBKR's global trading infrastructure.

Key Responsibilities:

• Triage and investigate security alerts using SIEM/EDR tools
• Execute incident response playbooks
• Perform malware analysis and IOC identification
• Create incident tickets and maintain documentation
• Conduct initial forensic data collection
• Support security event correlation and analysis
• Monitor suspicious endpoint activities
• Participate in 24x7 incident response coverage

Required Technical Skills:

• Experience with SIEM (Splunk/QRadar)
• EDR platforms (CrowdStrike/Carbon Black)
• Incident ticketing systems (ServiceNow/JIRA)
• Windows/Linux log analysis
• Network traffic analysis
• Malware detection tools
• IOC collection and analysis
• Basic forensic tools

Required Experience:

• 5+ years SOC/IR experience
• L1/L2 alert analysis background
• Experience with incident playbooks
• Exposure to MITRE ATT&CK framework
• Understanding of kill chain methodology
• Basic threat intelligence usage

Technical Environment:

• SIEM platforms
• EDR solutions
• TIP platforms
• Forensic tools
• Network monitoring tools
• Vulnerability scanners
• Incident management systems

Work Requirements:

• Rotating shifts (24x7 SOC)
• Incident response handling
• Alert triage and escalation
• Documentation and reporting
• Team collaboration

Growth Path:

• Advanced IR certification support
• Threat hunting training
• Digital forensics exposure
• Technical skill development
• Senior analyst progression

Company Benefits & Perks: 

• Competitive salary package.
• Performance-based annual bonus (cash and stocks).
• Hybrid working model (4 days office/week).
• Group Medical & Life Insurance.
• Modern offices with free amenities & fully stocked cafeterias.
• Monthly food card & company-paid snacks.
• Hardship/shift allowance with company-provided pickup & drop facility*
• Attractive employee referral bonus.
• Frequent company-sponsored team-building events and outings.

* Depending upon the shifts.

**The benefits package is subject to change at the management's discretion.

Catapult is building the future of sports performance technology, with a mission to Unleash the Potential of every athlete and team on earth. We don't just work in the sporting industry; we are actively changing it.  Since 2006, our solutions have been leading the way in sports performance software, science, and data, in a world where 1% can literally mean the difference between winning and losing.

We work with over 5,000+ teams around the world, empowering coaches, managers and trainers in premier teams in the NFL, NBA, NHL, MLS, EPL, AFL, NRL, NCAA and more. We provide the information they need to optimize athletes’ health, game-day readiness, and performance, as well as in-game tactics.  

Catapult is a sports technology company that empowers professional teams to make data-driven decisions. We deliver health, performance, video, and AI insights from the locker room to competitive environments, ensuring every decision is an opportunity to gain an advantage, sharpen performance, and build lasting success. 

WE WANT PEOPLE WHO ARE PASSIONATE ABOUT SECURITY AND COMPLIANCE 

We are seeking a talented and inquisitive Security & Compliance Analyst whose drive for excellence and continuous improvement aligns with our mission to transform the future of elite performance. In this role, you will be a strategic architect of our trust framework, responsible for maturing a security and compliance program that safeguards our enterprise operations and our next-generation cloud platform. You will play a pivotal role in protecting a complex ecosystem that integrates high-value digital video assets, real-time wearable data, and sensitive athlete biometrics.

WHAT YOU’LL DO 

• Orchestrate Program Maturity: Drive the continuous evolution of the Catapult Sports security and compliance framework, leveraging the ISO 27001 standard to strengthen our global posture across risk management and vendor security workstreams.
• Lead Assessment & Remediation: Facilitate internal audits and partner with third-party assessors to proactively identify compliance gaps, transforming findings into actionable, high-priority remediation plans.
• Modernize Governance & Policy: Collaborate with key stakeholders to architect and maintain robust policies and procedures, ensuring our control environment remains resilient and compliant with ISO 27001, GDPR, and HIPAA requirements.
• Strengthen Ecosystem Trust: Partner with cross-functional teams to mature our Third-Party Risk Management (TPRM) program, ensuring that our vendor landscape meets the same rigorous security standards we apply to our own products.
• Enable Global Growth: Support our commercial and partnership teams by responding to sophisticated security questionnaires, demonstrating Catapult’s commitment to data integrity and building trust with our most elite customers.

WHAT YOU’LL NEED

• BA/BS degree and 3+ Years in Cyber GRC: Proven experience in a Security Analyst, Compliance, or Audit role within a fast-paced SaaS or Cloud-native environment.
• Deep expertise in ISO 27001 is essential, including demonstrated success in managing an Information Security Management System (ISMS) and leading the full audit lifecycle. This requires a thorough knowledge of mapping technical security controls directly to the ISO 27001 standard.
• Third-Party Risk Proficiency: Experience in managing vendor security programs, including the ability to analyze SOC 2 reports and security questionnaires to identify and mitigate supply chain risks.
• Familiarity with cloud security concepts and standards. 
• Collaborative Problem Solving: The ability to act as a bridge-builder between technical teams (TechOps/Engineering) and business stakeholders, translating complex compliance requirements into clear, actionable tasks.

WHAT YOUR SUCCESS WILL LOOK LIKE

In 6 Months Time…

• Operational Rhythm: You have seamlessly integrated into our ISO 27001 cycle, ensuring our newly achieved certification is supported by a consistent, documented rhythm of internal audits and control evidence collection.
• Cross-Functional Trust: You are recognized by the TechOps and Engineering teams as a collaborative partner who provides clear, actionable compliance guidance rather than just "compliance hurdles."
• Third-Party Confidence: Our Vendor Risk Management process is significantly more mature; you have standardized how we assess new partners, clearing the backlog of security questionnaires and reducing our supply chain risk.

In 12 months time…

• Managed Maturity: You have moved the security program from "Point-in-Time" compliance to a Continuous Compliance model, utilizing automation to monitor our control environment in real-time.
• Audit Excellence: Our annual ISO 27001 Surveillance Audit is completed with zero major non-conformities, directly attributed to the robust internal assessment framework you’ve helped restructure.
• Commercial Enablement: You have optimized the "Security Sales Support" process, drastically reducing the turnaround time for customer security assessments, which has helped the business win and retain elite global clients.
• Culture of Security: You have successfully elevated the company’s "Security IQ" through an engaging awareness program, making security and privacy a natural part of the Catapult product development lifecycle.

WHY CATAPULT? 

• We have amazing people. We can promise you will work with some of the most ambitious and intelligent people in an exciting industry, and you will do some of the best work of your life.
• We encourage our people to have constructive, open and honest communication to make Catapult extraordinary; innovate and create smart solutions; establish a collaborative, yet challenging, environment to develop our performance and the performance of our customers.
• Our workforce spans more than 20 countries, you'll have the opportunity to work across multiple nationalities and cultures, and build your global awareness and capability 
• We value improvement and development. We are challenging ourselves to continuously grow and become a high-performance company. That means we maintain a growth mindset in everything we do, and our people are always looking for ways to do things better.  There is an unlimited opportunity to grow, do more, and do better.

Whether you’re interested in sports or not, you’ll have the satisfaction of knowing your work is supporting some of the most successful teams and athletes on the planet! 

Research shows that while men apply for jobs when they meet an average of 60% of the criteria, women and other marginalized groups tend to only apply when they check every box. So if you think you have what it takes, but don't meet every single point in our job ad, please still get in touch! We would love to have a chat and see if you could be a great addition to our team. We are building the future of sports performance. Our priority is to find the brightest talent that can add to our team culture, those who actively contribute and who are excited about what they do.

All offers of employment are subject to Catapult's positive prehire check. To find out more, please contact the Talent Partner for this role

Smartsheet is seeking a dedicated, experienced Third Party Risk Management (TPRM) Senior Analyst to join our Risk team. This is a high-visibility, cross-functional role that requires sustained focus and ownership; you will be a primary point of contact for vendor risk across the organization, interfacing regularly with cross-functional teams (Legal, Procurement, Privacy, and Information Security) as well as system owners.

This role is a meaningful commitment. You will own a portfolio of vendor assessments and help drive program maturity. We are looking for someone who brings deep focus and genuine investment to this work, the kind of professional who sees TPRM not as a checkbox function but as a critical enabler of trust for a global SaaS platform.

You will report to the Third Party Risk Integration Manager located in the US. This role is eligible for remote work within Costa Rica. You  must reside in Costa Rica.

^{You Will}

• Lead end-to-end Third Party Risk Assessments for new and existing vendors, including vendor tiering, scoping, questionnaire management, and findings documentation.
• Own the ongoing monitoring and tracking of vendor risk across Smartsheet's third-party portfolio, ensuring timely follow-up on remediation activities and risk acceptance decisions.
• Evaluate vendor security documentation including SOC 2 reports, penetration testing results, ISO certifications, and other control attestations — and translate findings into clear, actionable risk summaries for stakeholders.
• Drive process improvement initiatives within the TPRM program, identifying opportunities to scale and mature the program through better tooling, automation, and workflow design.
• Collaborate cross-functionally with Legal, Procurement, Information Security, Privacy, and business stakeholders to ensure vendor risk considerations are embedded in sourcing and renewal decisions.
• Leverage AI tools (including Claude and Microsoft Copilot) to increase efficiency in vendor reviews and documentation — while applying sound judgment to review, validate, and take accountability for AI-generated outputs.
• Contribute to broader risk program activities including risk reporting, policy review, and program documentation as part of a lean, high-performing Risk team.
• Support the development of TPRM metrics and reporting to provide leadership with meaningful visibility into the organization's third-party risk exposure.
• Other job duties as assigned

You have

• 5+ years of experience in third party risk management, vendor risk, GRC, information security, audit, or compliance — with direct experience conducting vendor or third-party risk assessments.
• Practical knowledge of one or more risk or regulatory frameworks such as NIST, ISO 27001, COSO, COBIT, AICPA SOC/TSP, PCI DSS, or similar.
• Familiarity with vendor security questionnaire frameworks, including SIG (Shared Assessments) and/or CSA CAIQ.
• Demonstrated ability to review and interpret SOC 2 reports, penetration testing summaries, and other vendor security attestations.
• Experience working in cross-functional environments involving Legal, Procurement, and/or Engineering stakeholders.
• Strong written and verbal communication skills in English, with the ability to translate technical risk findings into clear business language.
• Effective critical thinking and judgment — able to assess risk materiality, prioritize competing demands, and escalate appropriately.
• Comfort working with and evaluating AI-generated content, with a clear understanding of the need to verify outputs before relying on them in risk decisions.
• Adaptability to evolving regulatory requirements and a genuine interest in staying current on the third-party risk landscape.

Nice to have

• Experience with vendor risk management platforms such as AuditBoard, Archer, OneTrust, ServiceNow GRC, Vanta, or Coupa.
• Background in SaaS, cloud, or technology company environments.
• Familiarity with AI-assisted workflows in a GRC or compliance context.
• Experience supporting or contributing to audit processes (e.g., SOC 2, ISO 27001, BARR).
• Relevant certifications such as CISA, CRISC, CTPRP, or equivalent.
• Experience with operational risk across multiple business units, legal entities, or jurisdictions.

Teleworking options from any registered location in Costa Rica (role specific)

High-Level Overview

Benevity is seeking a Governance, Risk & Compliance (GRC) Analyst to support and grow our security governance, risk, privacy, and regulatory program. In this role, you will contribute to the execution of Benevity’s GRC program by supporting compliance activities, assisting with risk assessments, contributing to third-party risk management, responding to client due diligence requests, and helping maintain the policies and controls that strengthen trust with our clients, partners, and stakeholders.

Working alongside experienced GRC professionals, you will build your skills in information security, compliance, and risk management while helping ensure Benevity aligns with leading standards, privacy laws, and regulatory requirements. This is a hands-on role with significant learning and growth opportunities across governance, risk, audit, and privacy domains.

What you'll do:

Governance & Policy

• Assist in maintaining and rolling out security and privacy policies, standards, and control frameworks aligned to ISO 27001, SOC 2, NIST, PCI DSS, GDPR, PIPEDA, FINTRAC, and other global regulations.
• Support policy exception management, attestation processes, and identify opportunities for process improvement.

Risk Management

• Assist with enterprise risk assessments, including vendor and process-level reviews.
• Support maintenance of the risk register, track remediation activities, and assist with risk treatment planning.
• Contribute to Benevity’s Third-Party Risk Management (TPRM) program, including vendor onboarding assessments, ongoing monitoring, and remediation tracking.

Compliance & Audit

• Support audit readiness and response efforts for ISO 27001, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and other frameworks.
• Assist with evidence gathering, control validation, and auditor engagement.
• Leverage GRC platforms to support audit, privacy, and compliance workflows.

Client Support & Sales Enablement

• Support the sales process by responding to client inquiries related to security, privacy, and compliance.
• Complete customer security questionnaires, RFPs, and third-party risk management (TPRM) requests.
• Partner with sales and client success teams to provide timely, accurate responses that build client trust.

Privacy and Regulatory

• Support privacy-related initiatives across jurisdictions (GDPR, PIPEDA, CCPA/CPRA, and others).
• Collaborate with legal and data governance teams to help ensure compliance with data protection and financial crime regulations.
• Assist with FINTRAC-related compliance requirements, including reporting and risk assessments related to AML/ATF obligations.
• Monitor regulatory changes (privacy, AML, financial crime) and help align internal processes accordingly.

Advisory & Awareness

• Partner with business and technical teams to support the embedding of risk and compliance into projects and initiatives.
• Assist in delivering reporting and insights (dashboards, risk metrics, summaries) for leadership.
• Contribute to Benevity’s Security Awareness & Training program, including awareness campaigns, training modules, and phishing simulations.
• Contribute to training, documentation, and awareness activities that strengthen Benevity’s security, privacy, and compliance culture.

What you'll bring:

• 2–4 years of experience in cybersecurity, governance, risk, compliance, or privacy, ideally in a SaaS or technology-driven environment. (For a Junior GRC Analyst, we welcome candidates with 0–2 years of experience, including relevant internship, co-op, or academic project experience.)
• Working knowledge of security, privacy, and regulatory frameworks including ISO 27001, NIST, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and/or CCPA/CPRA.
• Exposure to or experience with GRC tooling (e.g., OneTrust, Hyperproof, SecurityPal, AuditBoard, Drata) to support policy, risk, audit, privacy, and vendor risk workflows.
• Familiarity with risk assessment methodologies, vendor risk concepts, and compliance evidence gathering.
• Experience or willingness to support client due diligence processes (security questionnaires, RFPs, TPRM).
• Ability to communicate risk, security, privacy, and regulatory concepts clearly to both technical and non-technical stakeholders.
• Strong organizational skills, attention to detail, and a proactive approach to learning and problem-solving.
• An interest in leveraging automation and AI to streamline GRC processes and enhance efficiency is a plus.
• Certifications such as Security+, CISM, CISA, CRISC, or CIPM/CIPP are valued; candidates actively pursuing certification are encouraged to apply.

High-Level Overview

Benevity is seeking a Governance, Risk & Compliance (GRC) Analyst to support and grow our security governance, risk, privacy, and regulatory program. In this role, you will contribute to the execution of Benevity’s GRC program by supporting compliance activities, assisting with risk assessments, contributing to third-party risk management, responding to client due diligence requests, and helping maintain the policies and controls that strengthen trust with our clients, partners, and stakeholders.

Working alongside experienced GRC professionals, you will build your skills in information security, compliance, and risk management while helping ensure Benevity aligns with leading standards, privacy laws, and regulatory requirements. This is a hands-on role with significant learning and growth opportunities across governance, risk, audit, and privacy domains.

What you'll do:

Governance & Policy

• Assist in maintaining and rolling out security and privacy policies, standards, and control frameworks aligned to ISO 27001, SOC 2, NIST, PCI DSS, GDPR, PIPEDA, FINTRAC, and other global regulations.
• Support policy exception management, attestation processes, and identify opportunities for process improvement.

Risk Management

• Assist with enterprise risk assessments, including vendor and process-level reviews.
• Support maintenance of the risk register, track remediation activities, and assist with risk treatment planning.
• Contribute to Benevity’s Third-Party Risk Management (TPRM) program, including vendor onboarding assessments, ongoing monitoring, and remediation tracking.

Compliance & Audit

• Support audit readiness and response efforts for ISO 27001, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and other frameworks.
• Assist with evidence gathering, control validation, and auditor engagement.
• Leverage GRC platforms to support audit, privacy, and compliance workflows.

Client Support & Sales Enablement

• Support the sales process by responding to client inquiries related to security, privacy, and compliance.
• Complete customer security questionnaires, RFPs, and third-party risk management (TPRM) requests.
• Partner with sales and client success teams to provide timely, accurate responses that build client trust.

Privacy and Regulatory

• Support privacy-related initiatives across jurisdictions (GDPR, PIPEDA, CCPA/CPRA, and others).
• Collaborate with legal and data governance teams to help ensure compliance with data protection and financial crime regulations.
• Assist with FINTRAC-related compliance requirements, including reporting and risk assessments related to AML/ATF obligations.
• Monitor regulatory changes (privacy, AML, financial crime) and help align internal processes accordingly.

Advisory & Awareness

• Partner with business and technical teams to support the embedding of risk and compliance into projects and initiatives.
• Assist in delivering reporting and insights (dashboards, risk metrics, summaries) for leadership.
• Contribute to Benevity’s Security Awareness & Training program, including awareness campaigns, training modules, and phishing simulations.
• Contribute to training, documentation, and awareness activities that strengthen Benevity’s security, privacy, and compliance culture.

What you'll bring:

• 2–4 years of experience in cybersecurity, governance, risk, compliance, or privacy, ideally in a SaaS or technology-driven environment. (For a Junior GRC Analyst, we welcome candidates with 0–2 years of experience, including relevant internship, co-op, or academic project experience.)
• Working knowledge of security, privacy, and regulatory frameworks including ISO 27001, NIST, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and/or CCPA/CPRA.
• Exposure to or experience with GRC tooling (e.g., OneTrust, Hyperproof, SecurityPal, AuditBoard, Drata) to support policy, risk, audit, privacy, and vendor risk workflows.
• Familiarity with risk assessment methodologies, vendor risk concepts, and compliance evidence gathering.
• Experience or willingness to support client due diligence processes (security questionnaires, RFPs, TPRM).
• Ability to communicate risk, security, privacy, and regulatory concepts clearly to both technical and non-technical stakeholders.
• Strong organizational skills, attention to detail, and a proactive approach to learning and problem-solving.
• An interest in leveraging automation and AI to streamline GRC processes and enhance efficiency is a plus.
• Certifications such as Security+, CISM, CISA, CRISC, or CIPM/CIPP are valued; candidates actively pursuing certification are encouraged to apply.

High-Level Overview

Benevity is seeking a Governance, Risk & Compliance (GRC) Analyst to support and grow our security governance, risk, privacy, and regulatory program. In this role, you will contribute to the execution of Benevity’s GRC program by supporting compliance activities, assisting with risk assessments, contributing to third-party risk management, responding to client due diligence requests, and helping maintain the policies and controls that strengthen trust with our clients, partners, and stakeholders.

Working alongside experienced GRC professionals, you will build your skills in information security, compliance, and risk management while helping ensure Benevity aligns with leading standards, privacy laws, and regulatory requirements. This is a hands-on role with significant learning and growth opportunities across governance, risk, audit, and privacy domains.

What you'll do:

Governance & Policy

• Assist in maintaining and rolling out security and privacy policies, standards, and control frameworks aligned to ISO 27001, SOC 2, NIST, PCI DSS, GDPR, PIPEDA, FINTRAC, and other global regulations.
• Support policy exception management, attestation processes, and identify opportunities for process improvement.

Risk Management

• Assist with enterprise risk assessments, including vendor and process-level reviews.
• Support maintenance of the risk register, track remediation activities, and assist with risk treatment planning.
• Contribute to Benevity’s Third-Party Risk Management (TPRM) program, including vendor onboarding assessments, ongoing monitoring, and remediation tracking.

Compliance & Audit

• Support audit readiness and response efforts for ISO 27001, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and other frameworks.
• Assist with evidence gathering, control validation, and auditor engagement.
• Leverage GRC platforms to support audit, privacy, and compliance workflows.

Client Support & Sales Enablement

• Support the sales process by responding to client inquiries related to security, privacy, and compliance.
• Complete customer security questionnaires, RFPs, and third-party risk management (TPRM) requests.
• Partner with sales and client success teams to provide timely, accurate responses that build client trust.

Privacy and Regulatory

• Support privacy-related initiatives across jurisdictions (GDPR, PIPEDA, CCPA/CPRA, and others).
• Collaborate with legal and data governance teams to help ensure compliance with data protection and financial crime regulations.
• Assist with FINTRAC-related compliance requirements, including reporting and risk assessments related to AML/ATF obligations.
• Monitor regulatory changes (privacy, AML, financial crime) and help align internal processes accordingly.

Advisory & Awareness

• Partner with business and technical teams to support the embedding of risk and compliance into projects and initiatives.
• Assist in delivering reporting and insights (dashboards, risk metrics, summaries) for leadership.
• Contribute to Benevity’s Security Awareness & Training program, including awareness campaigns, training modules, and phishing simulations.
• Contribute to training, documentation, and awareness activities that strengthen Benevity’s security, privacy, and compliance culture.

What you'll bring:

• 2–4 years of experience in cybersecurity, governance, risk, compliance, or privacy, ideally in a SaaS or technology-driven environment. (For a Junior GRC Analyst, we welcome candidates with 0–2 years of experience, including relevant internship, co-op, or academic project experience.)
• Working knowledge of security, privacy, and regulatory frameworks including ISO 27001, NIST, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and/or CCPA/CPRA.
• Exposure to or experience with GRC tooling (e.g., OneTrust, Hyperproof, SecurityPal, AuditBoard, Drata) to support policy, risk, audit, privacy, and vendor risk workflows.
• Familiarity with risk assessment methodologies, vendor risk concepts, and compliance evidence gathering.
• Experience or willingness to support client due diligence processes (security questionnaires, RFPs, TPRM).
• Ability to communicate risk, security, privacy, and regulatory concepts clearly to both technical and non-technical stakeholders.
• Strong organizational skills, attention to detail, and a proactive approach to learning and problem-solving.
• An interest in leveraging automation and AI to streamline GRC processes and enhance efficiency is a plus.
• Certifications such as Security+, CISM, CISA, CRISC, or CIPM/CIPP are valued; candidates actively pursuing certification are encouraged to apply.

High-Level Overview

Benevity is seeking a Governance, Risk & Compliance (GRC) Analyst to support and grow our security governance, risk, privacy, and regulatory program. In this role, you will contribute to the execution of Benevity’s GRC program by supporting compliance activities, assisting with risk assessments, contributing to third-party risk management, responding to client due diligence requests, and helping maintain the policies and controls that strengthen trust with our clients, partners, and stakeholders.

Working alongside experienced GRC professionals, you will build your skills in information security, compliance, and risk management while helping ensure Benevity aligns with leading standards, privacy laws, and regulatory requirements. This is a hands-on role with significant learning and growth opportunities across governance, risk, audit, and privacy domains.

What you'll do:

Governance & Policy

• Assist in maintaining and rolling out security and privacy policies, standards, and control frameworks aligned to ISO 27001, SOC 2, NIST, PCI DSS, GDPR, PIPEDA, FINTRAC, and other global regulations.
• Support policy exception management, attestation processes, and identify opportunities for process improvement.

Risk Management

• Assist with enterprise risk assessments, including vendor and process-level reviews.
• Support maintenance of the risk register, track remediation activities, and assist with risk treatment planning.
• Contribute to Benevity’s Third-Party Risk Management (TPRM) program, including vendor onboarding assessments, ongoing monitoring, and remediation tracking.

Compliance & Audit

• Support audit readiness and response efforts for ISO 27001, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and other frameworks.
• Assist with evidence gathering, control validation, and auditor engagement.
• Leverage GRC platforms to support audit, privacy, and compliance workflows.

Client Support & Sales Enablement

• Support the sales process by responding to client inquiries related to security, privacy, and compliance.
• Complete customer security questionnaires, RFPs, and third-party risk management (TPRM) requests.
• Partner with sales and client success teams to provide timely, accurate responses that build client trust.

Privacy and Regulatory

• Support privacy-related initiatives across jurisdictions (GDPR, PIPEDA, CCPA/CPRA, and others).
• Collaborate with legal and data governance teams to help ensure compliance with data protection and financial crime regulations.
• Assist with FINTRAC-related compliance requirements, including reporting and risk assessments related to AML/ATF obligations.
• Monitor regulatory changes (privacy, AML, financial crime) and help align internal processes accordingly.

Advisory & Awareness

• Partner with business and technical teams to support the embedding of risk and compliance into projects and initiatives.
• Assist in delivering reporting and insights (dashboards, risk metrics, summaries) for leadership.
• Contribute to Benevity’s Security Awareness & Training program, including awareness campaigns, training modules, and phishing simulations.
• Contribute to training, documentation, and awareness activities that strengthen Benevity’s security, privacy, and compliance culture.

What you'll bring:

• 2–4 years of experience in cybersecurity, governance, risk, compliance, or privacy, ideally in a SaaS or technology-driven environment. (For a Junior GRC Analyst, we welcome candidates with 0–2 years of experience, including relevant internship, co-op, or academic project experience.)
• Working knowledge of security, privacy, and regulatory frameworks including ISO 27001, NIST, SOC 2, PCI DSS, GDPR, PIPEDA, FINTRAC, and/or CCPA/CPRA.
• Exposure to or experience with GRC tooling (e.g., OneTrust, Hyperproof, SecurityPal, AuditBoard, Drata) to support policy, risk, audit, privacy, and vendor risk workflows.
• Familiarity with risk assessment methodologies, vendor risk concepts, and compliance evidence gathering.
• Experience or willingness to support client due diligence processes (security questionnaires, RFPs, TPRM).
• Ability to communicate risk, security, privacy, and regulatory concepts clearly to both technical and non-technical stakeholders.
• Strong organizational skills, attention to detail, and a proactive approach to learning and problem-solving.
• An interest in leveraging automation and AI to streamline GRC processes and enhance efficiency is a plus.
• Certifications such as Security+, CISM, CISA, CRISC, or CIPM/CIPP are valued; candidates actively pursuing certification are encouraged to apply.

About AppDirect

Become a digital, global citizen and enable the new generation of digital entrepreneurs around the world. AppDirect offers a subscription commerce platform to sell any product, through any channel, on any device - as a service. We power millions of subscriptions worldwide for organizations. We do this by our values-driven culture - one that enables you to Be Seen, Be Yourself, and Do Your Best Work.

About You

We’re looking for talented yet humble individuals who are smart, passionate, and want to drive disruption in the Information security industry. If you thrive in a fast-paced, collaborative workplace, AppDirect provides an environment where you will be challenged and inspired every day. If you relish the freedom to bring creative, thoughtful solutions to the table that reflect your experience and personality, there's no limit to what you can accomplish here.

What you'll do and how you'll have an impact

You will be a member of the Compliance team (part of the Infosec team) as a Tech Risk Management Analyst. You will join the team primarily responsible for continuous compliance monitoring, risk management, vendor management, and maintaining our various certifications, such as ISO 27001, PCI-DSS, SOC 2, and SOC 1.

You have both soft skills and technical potential and you think that the security team must be an ally and a facilitator for the company and all its members. Below is what we expect from you:

• Provide overall oversight for continued compliance and ongoing certifications (e.g. SOC 1 and 2, PCI DSS, ISO 27001, NIST CSF, GDPR, HIPAA, ISO 42001, NIST AI RMF, etc.).
• Collaborate with internal staff to ensure that appropriate controls are implemented, operating properly, in accordance with the corporate policies.
• Conduct audit readiness assessments and coordinate with internal and external functions and audit resources.
• Serve as the primary point of contact during external audits, including coordinating evidence requests, facilitating auditor walkthroughs, and managing audit timelines to closure.
• Improve and maintain the Privacy practice at AppDirect.
• Develop and implement in collaboration with Engineering and architects mechanisms to automate the generation of evidence.
• Support security and compliance due diligence and integration activities for M&A transactions.
• Oversee customers questionnaires by liaising with internal staff and delivering expected results
• Develop and maintain organization information security policies based on applicable standards, information security requirements, business requirements and legal requirements.
• Communicate compliance requirements and risk posture to technical and non-technical stakeholders, including executive leadership.
• Expertise in US certifications, such as GovRAMP or FedRAMP, is considered a strong asset.
• Demonstrated ability to use AI-assisted workflows to improve efficiency in compliance operation
• Facilitate discussions and reach decisions that can have a good balance between security and usability.

What we're looking for

• A degree or comparable experience (~5+ years) in Information Security or a related field.
• Prior experience in IT compliance and Audit support (SOC2, ISO 27001 and PCI-DSS).
• Prior experience with risk management and GRC Tools.
• Good experience with Privacy frameworks and what needs to be implemented to meet customer/internal needs.
• Successful in cross-functional team collaboration to drive early security adoption 
• Good understanding of networking, cloud computing, operating systems concepts.
• Experience on cloud adoption strategies including design and implementation of security controls and compliance monitoring.
• Experience with project management (planning, organizing, and managing resources to successfully achieve audits).
• Strong verbal, written and presentations skills with the ability to find innovative solutions to complex problems (compliance vs risk vs security vs usability).
• Nice to have, any Information Security Certification (CISA, CDPSE, ISO implementer , Security+, CISSP).
• Demonstrated technical experience in development, networking, IT support, system administrations, etc.

At AppDirect, we believe that innovation thrives in an environment that houses diversity of excellence, experience and thought. We respect each AppDirector as their own fingerprint; unique with no one alike. We foster an environment of inclusion without regard to race, religion, age, sexual orientation, or gender identity enabling AppDirectors to embrace their uniqueness to do their best work. As such, we strongly encourage applications from Indigenous peoples, racialized people, people with disabilities, people from gender and sexually diverse communities, and/or people with intersectional identities.

At AppDirect we take privacy very seriously. For more information about our use and handling of personal data from job applicants, please read our Candidate Privacy Policy. For more information of our general privacy practices, please see AppDirect Privacy Notice: https://www.appdirect.com/about/privacy-notice

About VulnCheck

VulnCheck is transforming vulnerability intelligence by helping security teams act faster and with more confidence. Our platform delivers early, high-quality exploit intelligence, deep asset correlation, and contextual insights to help organizations stay ahead of emerging threats.

About the Role

Customer Success Engineers at VulnCheck are dedicated to empowering customers to automate their security operations, streamline analyst workflows, and maximize the value of the VulnCheck Platform. As a key member of the team, you will partner closely with customers, partners, and internal teams to deliver exceptional technical guidance and ensure successful adoption of VulnCheck’s intelligence data.

In this role, you will support strategic Government customers as they implement and customize VulnCheck data to enrich their mission. You will serve as a trusted technical advisor and primary point of contact, helping customers integrate VulnCheck into their security operations while building strong relationships with technical stakeholders including red-team and blue-team security engineers. Although this is a 100% remote role, candidates must be located in Maryland for occasional onsite meetings with our federal and pub sector customers. 

What You’ll Do

• Partner with Government customers to implement and customize VulnCheck intelligence data within their platforms and security workflows to meet their objectives.
• Guide customers through integrations and automation of using VulnCheck APIs, CLI/SDK, and other platform components.
• Provide technical onboarding, training, and best-practice guidance to help customers successfully adopt and optimize VulnCheck intelligence.
• Write custom scripts and troubleshoot technical issues related to APIs, data fidelity, integrations, and platform performance.
• Act as the primary technical contact for customers, resolving issues, answering product questions, and supporting ongoing success.
• Build strong relationships with security leaders and technical teams and security engineers.
• Advocate for customers internally by providing product feedback and identifying opportunities to improve integrations, workflows, and user experience.
• Support escalations and provide deep product expertise across setup, deployment, adoption, and optimization.

What You’ll Bring

• Deep understanding of the Cybersecurity product landscape with a focus in vulnerability exploitation lifecycle and Cyber Kill Chain
• A comprehensive understanding of the roles, interactions, and challenges in incident response, vulnerability management, and SOC analysis/management, including how each can leverage vulnerability intelligence for support.
• Ability to develop and maintain scripts in Python.
• Ability to understand and compile Golang
• Ability to work with APIs and JSON.
• Strong understanding of red-team/offensive techniques

Preferred Qualifications

• Experience in customer-facing roles with familiarity with Customer Success processes and metrics is highly preferred

*IMPORTANT NOTE: This position may involve access to technology subject to U.S. export control regulations. Employment is contingent upon the company's ability to authorize access under applicable export control, sanctions, and any other applicable legal or contractual requirements. The company does not guarantee and is under no obligation to seek such authorization if it would be necessary.

What We Offer

We believe people do their best work when they feel supported, trusted, and valued. VulnCheck offers benefits designed to meet a wide range of needs and lifestyles:

Benefits and Perks

• Unlimited PTO
• 401k plan with 100% match on first 3%, then 50% of the next 3-5% of compensation
• Comprehensive healthcare coverage
• Generous paid parental leave
• Remote friendly environment with flexibility
• Expense reimbursement for Cell Phone & Internet 
• Ongoing professional development, coaching, and learning resources

Why Join Us

Built on over two decades of cybersecurity experience, our team of experts understands the intricacies of vulnerabilities, their exploitation in the wild, and how to leverage this data to build more effective cybersecurity products that produce better outcomes for organizations.

VulnCheck gives organizations a tactical advantage by providing best-in-class exploit & vulnerability intelligence information. We have a sense of duty to protect the critical infrastructure we rely on including medical devices, power grids and telecommunication networks. We were founded in 2021 in Lexington, Massachusetts.

VulnCheck has a transparent, collaborative, and supportive culture - we are looking for people who have a growth mindset, are curious and innovative. Our team is smart, but humble, hardworking, and supportive.

VulnCheck is proud to be an Equal Employer Opportunity employer. We do not discriminate based upon race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics. VulnCheck is committed to working with and providing reasonable accommodations to applicants with physical and mental disabilities.

What You’ll Do:

The Supply Chain Strategy and Transformation team is responsible for designing and scaling the operating model for how CoreWeave plans, sources, builds, and delivers data center capacity for our customers. We partner closely with Supply Chain, Product Engineering, Data Center Operations, and Enterprise Engineering to turn strategy into execution and measurable impact.

About the Role: 

As the Senior Supply Chain Compliance Analyst (SOX), you will be the owner of all supply chain related SOX and internal control activities within this team. You will map our operational processes to financial controls, coordinate with corporate SOX, and make sure our supply chain organization is audit-ready as a newly public company. Your work will sit at the intersection of operations, finance, and systems, with high visibility into how CoreWeave’s GPU and data center supply chain actually runs.

In This Role You Will:

• Own the inventory of supply chain SOX controls (e.g., procure-to-pay, inventory, asset lifecycle, logistics) and keep process maps, control narratives, and RACI up to date.
• Partner with Finance SOX, Internal Audit, IT, and supply chain process owners to design and operate effective controls in NetSuite and Coupa (approvals, reconciliations, 3-way match, SoD, access).
• Coordinate and support walkthroughs, evidence collection, and audit requests for supply chain, tracking issues and remediation plans to closure.
• Develop and maintain policies and SOPs for key supply chain processes (indirect procurement, inventory management, asset tagging, vendor onboarding and commitments).
• Monitor control health metrics (e.g., approval timeliness, exception rates, inventory variances) and use them to surface risks and drive continuous improvement.
• Create training materials and job aids and run targeted training sessions so supply chain teams understand and consistently execute their control responsibilities.

Who You Are:

• Bachelor’s degree in Supply Chain Management, Business, Accounting, Finance, Information Systems, Engineering, or a related field.
• Approximately 3–6 years of experience in one or more of the following:
• Supply chain or operations (planning, procurement, logistics, inventory, data center or hardware operations),
• SOX / internal controls, internal audit, or risk & compliance,
• Process improvement / transformation within an operations or finance function.
• Working knowledge of SOX 404 and internal control concepts (ICFR, control design vs. operating effectiveness, testing, remediation, documentation).
• Experience with at least one major ERP or procurement platform (e.g., NetSuite, SAP, Oracle, Coupa, Ariba) in a process, controls, or power-user capacity.
• Demonstrated ability to document processes and controls (process maps, SOPs, RACI, control matrices) and keep them current through change.
• Comfort working with data and reports (e.g., approval logs, exception reports, inventory variance reports) using Excel/Sheets and/or BI tools to identify issues and trends.
• Experience supporting internal or external audits (evidence requests, walkthroughs, remediation tracking).
• Strong organizational skills, high attention to detail, and the ability to manage multiple workstreams against deadlines in a high-growth environment.

Preferred:

• Experience in cloud infrastructure, data centers, semiconductor, networking, hardware manufacturing, or other capital-intensive environments where inventory and assets are financially material.
• Direct involvement with a public-company SOX program (initial SOX implementation, ICFR scaling, or remediating identified deficiencies).
• Hands-on experience with NetSuite (financials, inventory, fixed assets, MRP) and/or Coupa (indirect procurement, supplier management).
• Familiarity with broader governance and compliance frameworks (e.g., SOC 2, ISO 27001, NIST) and how operational controls support them.
• Professional certifications such as CPA, CIA, CISA, CISM, CSCP/CSCA, or other supply chain / audit / compliance credentials.
• Experience facilitating workshops or training for cross-functional teams.

Wondering if you’re a good fit? We believe in investing in our people, and value candidates who can bring their own diversified experiences to our teams – even if you aren't a 100% skill or experience match. Here are a few qualities we’ve found compatible with our team. If some of this describes you, we’d love to talk.

• You love turning ambiguous, messy operational flows into clear, documented, and well-controlled processes.
• You’re curious about how supply chain transactions show up in the financial statements and enjoy connecting operational detail to business impact.
• You’re skilled at spotting gaps, edge cases, and control weaknesses, and you like solving them in pragmatic, collaborative ways.
• You’re comfortable working across Operations, Finance, and IT, translating between different perspectives and keeping everyone aligned on risk and requirements.
• You take real satisfaction in knowing that when auditors show up, your area is organized, consistent, and boring (in a good way).

Why CoreWeave?

At CoreWeave, we work hard, have fun, and move fast!  We’re in an exciting stage of hyper-growth that you will not want to miss out on. We’re not afraid of a little chaos, and we’re constantly learning. Our team cares deeply about how we build our product and how we work together, which is represented through our core values: 

• Be Curious at Your Core
• Act Like an Owner
• Empower Employees
• Deliver Best-in-Class Client Experiences
• Achieve More Together

We support and encourage an entrepreneurial outlook and independent thinking. We foster an environment that encourages collaboration and provides the opportunity to develop innovative solutions to complex problems. As we get set for take off, the growth opportunities within the organization are constantly expanding. You will be surrounded by some of the best talent in the industry, who will want to learn from you, too. Come join us!

The base salary range for this role is $143,000 to $210,000. The starting salary will be determined based on job-related knowledge, skills, experience, and market location. We strive for both market alignment and internal equity when determining compensation. In addition to base salary, our total rewards package includes a discretionary bonus, equity awards, and a comprehensive benefits program (all based on eligibility).

As the Cybersecurity Analyst Tier 2, you are responsible for overseeing and managing Tier 2 level threat response in our client’s Security Operations Center. Your role involves working with a team of security analysts and engineers who monitor, detect, analyze, and respond to security incidents and threats in an organization's IT environment at the Tier 2 Level. Additionally, you play a critical role in analyzing and resolving cyber threats or escalating incidents for Tier 3 response as necessary.  Technical expertise, and a deep understanding of cybersecurity concepts are essential for success in this role. This role is ONSITE in our SOC located in Rockville, MD.  US Citizenship is required for consideration.

Role and Responsibilities 

• Respond promptly and effectively to security incidents and threats discovered by CSOC Analyst Level I and carry out effective Level II analysis of incidents.
• Remediation of incidents and escalation when necessary to Tier 3 support
• Initial assessment of the scope of the attack and affected systems
• Accurately document cases during investigations and effectively communicate findings to Level I Analyst or escalation team to ensure complete handover of work streams.
• Continuously improve incident management processes through periodic threat hunting exercises, knowledge optimization effort building, and by comprehensive diagnosis and analysis of incident trends.
• Follow the issue tracking, escalation policies and work effectively across all CSOC tiers as the technical competence requires.
• Dedicated monitoring and analysis of cyber security events by use of SOC tools
• Incident Response generation and reporting IAW established procedures.
• Provide Level II technical support in CSOC operations and activities.
• Provide daily/weekly updates on CSOC operations and developments.
• Conduct Forensic analysis and respond to data call activities.
• Generate quality technical reports containing methodologies, findings, and recommendations.
• Work with external stakeholders to understand operational needs and develop effective processes.
• Maintain a current understanding of industry trends, emerging cyber threats, and new solutions which may impact CSOC activities.
• Collaborate with CSOC SME to ensure optimal performance using CSOC technology.
• Identify, reverse engineering and de-obfuscating digital content related to an incident.

 Qualifications:

3-5+ years of experience within a Level Tier 2 cybersecurity environment; experience in a leadership role is preferred.

Bachelor’s in information technology, Computer Science, or a related field; or relevant, commensurate work experience

Robust Certification Portfolio including Security+ and one or more of the following preferred: Network+, CEH, Azure or Cloud Certification, and Splunk Core Certified Power User.

Vulnerability/cyber incident management framework

Experience with advanced technologies such as: Splunk SaaS, Splunk Enterprise Security, Splunk SaaS UBA, Crowdstrike, Tenable, Forescout, zScaler, Bigfix, MaaS-360 (IBM MaaS-360), and Encase for forensic investigations, Fireeye, Cortex XSOAR, Cortex XDR, and Prisma-Access

Prior HHS experience a plus

Compensation: The salary range for this position is $115,000 to $120,000 per year based and is based on experience and certifications levels.

Benefits: Health, dental, and vision insurance; 401(k) with employer match; paid time off; professional development opportunities.

#LI-OnSite

As the Cybersecurity Analyst Tier 2, you are responsible for overseeing and managing Tier 2 level threat response in our client’s Security Operations Center. Your role involves working with a team of security analysts and engineers who monitor, detect, analyze, and respond to security incidents and threats in an organization's IT environment at the Tier 2 Level. Additionally, you play a critical role in analyzing and resolving cyber threats or escalating incidents for Tier 3 response as necessary.  Technical expertise, and a deep understanding of cybersecurity concepts are essential for success in this role. This role is ONSITE in our SOC located in Rockville, MD.  US Citizenship is required for consideration.

This role is full-time and requires the ability to work 6 PM to 6 AM on weekends and 2 fixed shifts during the work week.

Role and Responsibilities 

• Respond promptly and effectively to security incidents and threats discovered by CSOC Analyst Level I and carry out effective Level II analysis of incidents.
• Remediation of incidents and escalation when necessary to Tier 3 support
• Initial assessment of the scope of the attack and affected systems
• Accurately document cases during investigations and effectively communicate findings to Level I Analyst or escalation team to ensure complete handover of work streams.
• Continuously improve incident management processes through periodic threat hunting exercises, knowledge optimization effort building, and by comprehensive diagnosis and analysis of incident trends.
• Follow the issue tracking, escalation policies and work effectively across all CSOC tiers as the technical competence requires.
• Dedicated monitoring and analysis of cyber security events by use of SOC tools
• Incident Response generation and reporting IAW established procedures.
• Provide Level II technical support in CSOC operations and activities.
• Provide daily/weekly updates on CSOC operations and developments.
• Conduct Forensic analysis and respond to data call activities.
• Generate quality technical reports containing methodologies, findings, and recommendations.
• Work with external stakeholders to understand operational needs and develop effective processes.
• Maintain a current understanding of industry trends, emerging cyber threats, and new solutions which may impact CSOC activities.
• Collaborate with CSOC SME to ensure optimal performance using CSOC technology.
• Identify, reverse engineering and de-obfuscating digital content related to an incident.

 Qualifications:

3-5+ years of experience within a Level Tier 2 cybersecurity environment; experience in a leadership role is preferred.

Bachelor’s in information technology, Computer Science, or a related field; or relevant, commensurate work experience

Robust Certification Portfolio including Security+ and one or more of the following preferred: Network+, CEH, Azure or Cloud Certification, and Splunk Core Certified Power User.

Vulnerability/cyber incident management framework

Experience with advanced technologies such as: Splunk SaaS, Splunk Enterprise Security, Splunk SaaS UBA, Crowdstrike, Tenable, Forescout, zScaler, Bigfix, MaaS-360 (IBM MaaS-360), and Encase for forensic investigations, Fireeye, Cortex XSOAR, Cortex XDR, and Prisma-Access

Prior HHS experience a plus

Compensation: The salary range for this position is $115,000 to $120,000 per year based and is based on experience and certifications levels.

Benefits: Health, dental, and vision insurance; 401(k) with employer match; paid time off; professional development opportunities.

#LI-OnSite

As the Cybersecurity Analyst Tier 3, you are responsible for overseeing and managing the daily activities of the Security Operations Center for our federal customer. Your role involves helping to lead a team of security analysts and engineers who monitor, detect, analyze, and respond to security incidents and threats in an organization's IT environment. As a Cybersecurity Analyst T3, you play a critical role in safeguarding the organization's assets, data, and reputation from cyber threats. Leadership skills, technical expertise, and a deep understanding of cybersecurity concepts are essential for success in this role. The physical worksite for this position is located in Rockville, MD.  This position requires that ability to obtain and retain a public trust level security clearance. An active CISSP, CISM, or CISA is required for consideration for this position.  US Citizenship is required for this role.

Role and Responsibilities

• Team Management: You are managing highly complex cybersecurity issue resolution while training and mentoring Tier 1 and Tier 2 Analysts. This involves hiring, training, and mentoring security analysts, engineers, and other team members. You will help ensure that each team member understands their roles, responsibilities, and goals within the SOC.
• Effectively communicate information to stakeholders of all levels.
• Incident Response: Coordinating the response to security incidents is a crucial aspect of your role. When a security incident occurs, you will help guide the team in analyzing and containing the threat, mitigating the impact, and initiating recovery procedures.
• Security Monitoring and Detection: Overseeing the continuous monitoring of security events and alerts to identify potential security breaches or threats. This includes analyzing logs, network traffic, and security tools to detect anomalous behavior and suspicious activities.
• Threat Intelligence: Keeping abreast of the latest security threats, vulnerabilities, and attack techniques is essential. You will be responsible for integrating threat intelligence into your SOC's processes and ensuring the team is well-informed about emerging risks.
• Incident Analysis and Reporting: The Tier 3 team will investigate and analyze security incidents to understand their root cause and potential impact. You will generate incident reports for both technical and non-technical stakeholders, including management and relevant authorities.
• Security Tooling and Technology: Evaluating and implementing security technologies, such as SIEM (Security Information and Event Management) systems, intrusion detection/prevention systems, and other security tools that enhance the SOC's capabilities.
• Process Improvement: Continuously improving SOC procedures, workflows, and playbooks to streamline incident response and enhance overall security operations.
• Collaboration: Working closely with other teams in the organization, such as IT, network operations, compliance, and legal, to ensure effective communication and coordination during security incidents.
• Compliance and Regulations: Ensuring that the SOC operates in compliance with relevant security standards, regulations, and policies.
• Training and Awareness: Conducting regular security awareness training for employees to enhance the overall security posture of the organization.

Qualifications:

• 5+ years of experience within a cybersecurity environment; including 3+ years of experience in a cybersecurity SOC leadership role is required.
• Bachelor’s degree in computer science, or a related field; or 5+ years of commensurate work experience in lieu of a degree.
• Endpoint and network security experience required.
• Experience in a security operations center, or similar environment, and identifying indications of compromise or attack and responding to incidents.
• Robust certification credentials such as: CISSP, CISM, CISA, required, additional certifications such as Network+, CEH, SANS FOR578: Cyber Threat Intelligence, SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, Splunk Core Certified Advanced Power User, Splunk Administrator, and Splunk SOAR administrator are preferred.
• Knowledge of MITRA attached framework.
• Vulnerability/cyber incident management framework
• Experience in SOC Tier 3, mentoring a team of cybersecurity professionals.
• Experience with digital forensics and process
• Knowledge of Splunk, Crowdstrike, tenable, forescout, Xscalar, BigFix, MS360, Encase, Fireeye, Cortex SOAR XDR, Prisma

Preferred Skills and Experience:

• IDS, IPS, EDR, ATP, Malware defenses and monitoring experience.
• Threat hunting experience preferred.
• Knowledge of common adversary tactics and techniques, e.g., obfuscation, persistence, defense evasion, etc.
• Working knowledge of incident response procedures.
• Experience with SQL query construction preferred.
• Experience administering and supporting Windows OS (both workstations and server) and one of the following: Apple or Linux-based operating systems.
• Fundamental understanding of network traffic analysis including TCP/IP, routing, switching, protocols, etc.
• Strong understanding of Windows event log analysis
• Experience with enterprise information security data management - SIEM experience a plus.
• Programming and scripting skills a plus.
• Excellent troubleshooting and analytical thinking skills
• Strong documentation and communication skills
• Advanced Cyber Security certifications preferred but not required.
• Excellent customer service skills

Compensation: The salary range for this position is $130,000 to $140,000 per year based and is based on experience and certifications levels.

Benefits: Health, dental, and vision insurance; 401(k) with employer match; paid time off; professional development opportunities.

#LI-OnSite

About the Role

The GRC analyst helps maintain A-LIGN’s management system as it relates to information security standards. In this role, you will be responsible for the coordination, maintenance, and improvement of A-LIGN’s corporate compliance program, including internal and external audits.

Reports to

Director of Compliance and Program Management

Pay Classification

Full-Time

Responsibilities 

• Support information security compliance programs across applicable frameworks, including SOC 2, ISO 27001, ISO 42001, FedRAMP, CMMC, and NIST 800-53/171
• Coordinate audit, assessment and testing activities with internal and external stakeholders
• Validate identified findings and nonconformities, manage remediation tracking, monitor resolution progress, and report status to stakeholders
• Review, update, and maintain information security documentation in accordance with applicable standards and organizational objectives
• Maintain and update the GRC platform (Optro) current with risk, control, and compliance data
• Assist with the implementation and ongoing management of data loss prevention (DLP) programs, including false positive identification, policy violations, incident monitoring and response coordination
• Support third-party risk management activities, including contractor oversight and vendor due diligence reviews
• Assist with client-issued security questionnaires and assessments
• Assist with risk management, vulnerability management, incident reviews, data disposal reviews, and BC/DR planning and testing
• Monitor and track employee completion of security training and awareness programs

Minimum Qualifications

EDUCATION

• Bachelor’s degree in management information systems, Information Security, Cybersecurity, Business or a related field or an equivalent combination of education and experience

EXPERIENCE

• At least 1 year of IT security, governance, risk, or compliance-related experience
• Knowledge of security and risk frameworks
  • Preferred knowledge of SOC 2, ISO 27001, ISO 42001, FedRAMP, CMMC, NIST 800-53, NIST 800-171
• Preferred: Knowledge of GRC tools (Optro, OneTrust, etc.)

CERTIFICATIONS         

• Preferred: CISA, CISM, Security+, CCSK, ISO Lead Auditor

SKILLS

• Ability to meet deadlines with a high degree of motivation
• Excellent critical thinking and problem-solving skills
• Strong communication and organizational skills
• Thrives in a fast-paced environment
• Ability to work individually as well as collaboratively

Benefits

• Employer Paid Life & Health Insurance
• Competitive Bonus Structure
• Home Office Reimbursement
• Technology Allowance
• Certification Reimbursement
• BeneficiaT Discount Loyalty Program
• Personalized Career Coaching
• Generous Paid Time Off
• Paid Office Closure December 25-January 1
• Summer Hours

About A-LIGN 

A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and HITRUST and a top three FedRAMP assessor. To learn more, visit a-lign.com. 

Come Work for A-LIGN! 

Apply online today at A-LIGN.com and learn about life at A-LIGN by following us on LinkedIn.  

A-LIGN is an Equal Opportunity Employer. 

About the Role

The GRC analyst helps maintain A-LIGN’s management system as it relates to information security standards. In this role, you will be responsible for the coordination, maintenance, and improvement of A-LIGN’s corporate compliance program, including internal and external audits.

Reports to

Director of Compliance and Program Management

Pay Classification

Full-Time

Responsibilities 

• Support information security compliance programs across applicable frameworks, including SOC 2, ISO 27001, ISO 42001, FedRAMP, CMMC, and NIST 800-53/171
• Coordinate audit, assessment and testing activities with internal and external stakeholders
• Validate identified findings and nonconformities, manage remediation tracking, monitor resolution progress, and report status to stakeholders
• Review, update, and maintain information security documentation in accordance with applicable standards and organizational objectives
• Maintain and update the GRC platform (Optro) current with risk, control, and compliance data
• Assist with the implementation and ongoing management of data loss prevention (DLP) programs, including false positive identification, policy violations, incident monitoring and response coordination
• Support third-party risk management activities, including contractor oversight and vendor due diligence reviews
• Assist with client-issued security questionnaires and assessments
• Assist with risk management, vulnerability management, incident reviews, data disposal reviews, and BC/DR planning and testing
• Monitor and track employee completion of security training and awareness programs

Minimum Qualifications

EDUCATION

• Bachelor’s degree in management information systems, Information Security, Cybersecurity, Business or a related field or an equivalent combination of education and experience

EXPERIENCE

• At least 1 year of IT security, governance, risk, or compliance-related experience
• Knowledge of security and risk frameworks
  • Preferred knowledge of SOC 2, ISO 27001, ISO 42001, FedRAMP, CMMC, NIST 800-53, NIST 800-171
• Preferred: Knowledge of GRC tools (Optro, OneTrust, etc.)

CERTIFICATIONS         

• Preferred: CISA, CISM, Security+, CCSK, ISO Lead Auditor

SKILLS

• Ability to meet deadlines with a high degree of motivation
• Excellent critical thinking and problem-solving skills
• Strong communication and organizational skills
• Thrives in a fast-paced environment
• Ability to work individually as well as collaboratively

Benefits

• Healthcare, Dental, and Vision Benefits
• EAP - Employee Assistance Program
• Competitive Bonus Structure
• Home Office Reimbursement
• Technology Allowance
• Certification Reimbursement
• Public Transportation Card
• Multisport Card
• Personalized Career Coaching
• Generous Paid Time Off
• Paid Office Closure December 24-January 1
• Summer Hours

About A-LIGN 

A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and HITRUST and a top three FedRAMP assessor. To learn more, visit a-lign.com. 

Come Work for A-LIGN! 

Apply online today at A-LIGN.com and learn about life at A-LIGN by following us on LinkedIn.  

A-LIGN is an Equal Opportunity Employer. 

The personal data you provide to us is processed by A-LIGN Bulgaria. Your personal data is shared with employees of A-LIGN, and the candidate data retention period is 6 months. You have the right to obtain information about the processing of your personal data. In addition, you have the right to correct, to block, and to delete your data in accordance with the local laws and regulations. For more information you can visit A-LIGN’s Job Ads Privacy Policy.

The role

We’re looking for a new teammate who will support the implementation and ongoing maintenance of information security compliance and certification programs, working with cross-functional internal teams and external auditing agencies. The person will also support data protection, data privacy, and third-party vendor risk management functions.

The position will be part of the Governance, Risk & Compliance (GRC) team at HelloFresh that is responsible for creating, maintaining and improving HelloFresh’s security risk management program and remediation activities; information security and data privacy related processes, policies, and guidelines; supporting compliance and certification related activities; and driving security awareness and education.

Above all, we are looking for people who will make HelloFresh better. We believe there are many different ways of developing skills and we love diverse experiences! So even if you don’t “tick all the boxes” but think you’d thrive in this role, we would really like to learn more about you.

What you’ll do

• Lead end-to-end compliance readiness for NIS2 and support alignment across other key frameworks (e.g., PCI DSS, CSRD, ISO/SOC and EU AI Act).
• Plan and execute internal control assessments and coordinate external compliance audits on a defined cadence.
• Translate regulatory requirements into practical controls; drive cross-functional implementation across international teams.
• Own remediation management: track findings, evidence, owners, deadlines, and report status to stakeholders.
• Improve GRC maturity through continuous monitoring, clear documentation, and mentoring junior team members.
• Lead internal assessments and coordinate external compliance audits at planned intervals
• Evaluate and validate the design and operational effectiveness of security policies, standards, and internal controls to help reduce compliance risk in the company
• Develop comprehensive and accurate reports and presentations on the compliance landscape for both technical and executive audiences

What you’ll bring

• 3+ years' experience in performing compliance activities in a corporate environment related to IT General Controls (ITGC), SOC 2, ISO 27001, PCI DSS, EU NIS2, and various data privacy directives (GDPR, CCPA/CPRA, etc.)
• Ability to interpret compliance regulations and map them to the actual implementation of systems, whilst referencing various security frameworks
• Experience supporting data privacy regulations (GDPR, CCPA) and third-party risk management programs
• Experience with developing and executing security awareness programs and trainings
• Highly organized and detail-oriented, with an ability to work independently
• Industry compliance certifications (CISA, CISM, CISSP) are a plus
• Prior experience working in a SaaS environment, mainly Cloud and AWS-based

What we offer

Elevate your lifestyle! Join one of Europe's fastest-growing tech powerhouses in a dynamic phase of expansion.

• Immerse yourself in a diverse global community of 90+ nationalities.
• Enjoy a competitive compensation package that goes beyond the norm, with perks like a HelloFresh- subsidized Pension Scheme, Berlin relocation support, and a Hybrid working model.
• Elevate your lifestyle with exclusive discounts on your weekly HelloFresh box and office meals.
• Invest in your growth with a German language learning budget, and access to the HelloFresh Academy.
• Plus, we've got your well-being covered with mental health support, transportation perks, and working-parent-friendly benefits. From our 24/7 gym access,wellbeing platforms like Headspace and Spill, to sabbatical leave options, HelloFresh is not just a workplace; it's a lifestyle of perks and possibilities!

Work with HelloFresh in Warsaw and its HelloTech organisation, HelloFresh’s global technology backbone with more than 1000 people, building the digital products that power our end-to-end food experience. From meal kits and ready-to-eat meals to specialty offerings like pet food and premium meat & seafood, HelloTech creates the platforms that bring tailored food solutions to millions of customers every month.

Our subscription-based, direct-to-consumer model relies on technology at every step, from customer-facing apps and personalization logic to pricing, forecasting, supply chain optimization, and initiatives that help reduce food waste. While our brands operate independently to serve distinct customer needs, they are united by shared platforms, data, and operational excellence built by HelloTech.

HelloTech works in autonomous, cross-functional alliances, each owning a specific product or domain end to end. By working with our Warsaw office, you will help shape scalable, data-driven products used across our markets, working with a modern tech stack and international teams to continuously improve how people discover, order, and enjoy HelloFresh’s products, today and in the future.

About the role: What's in the Box

The service provider will contribute to the Governance, Risk & Compliance (GRC) function within HelloTech, focusing on the implementation and maintenance of information security compliance and certification programs. This engagement involves providing specialized services to ensure alignment between technical systems and global regulatory frameworks, supporting data protection initiatives, and managing third-party vendor risk assessments to safeguard the HelloFresh ecosystem.

What you’ll do: The Recipe

• Lead end-to-end compliance readiness for NIS2 and provide alignment services across key frameworks including PCI DSS, CSRD, ISO/SOC, and the EU AI Act.

• Plan and execute internal control assessments and coordinate external compliance audits on a defined cadence.

• Translate regulatory requirements into practical controls and drive cross-functional implementation across international technical units.

• Manage remediation processes by tracking findings, evidence, and deadlines, providing regular status reports to primary stakeholders.

• Enhance GRC maturity through continuous monitoring, comprehensive documentation, and technical guidance for other contributors.

• Evaluate and validate the design and operational effectiveness of security policies, standards, and internal controls to mitigate compliance risk.

• Develop accurate technical reports and presentations regarding the compliance landscape for executive and technical stakeholders.

What you’ll bring: The Ingredients

• 3+ years of experience delivering compliance services in a corporate environment focused on IT General Controls (ITGC), SOC 2, ISO 27001, PCI DSS, and EU NIS2.

• Profound knowledge of data privacy directives including GDPR and CCPA/CPRA.

• Proven ability to interpret complex compliance regulations and map them to specific system implementations and security frameworks.

• Experience supporting third-party risk management programs and data privacy operations.

• Expertise in developing and executing security awareness initiatives and technical training modules.

• Strong organizational skills with the ability to provide services independently in a high-growth environment.

• Prior experience providing services within SaaS environments, specifically involving Cloud and AWS infrastructure.

• Industry certifications such as CISA, CISM, or CISSP are highly regarded.

Above all, we are looking for individuals who will make HelloFresh better. We believe there are many different ways of developing skills and we love diverse experiences! So even if you don’t “tick all the boxes” but think you’d thrive in this role, we would really like to learn more about you.

What we offer: The Toppings

• Global collaboration at scale: Collaborate with experienced engineers and product partners across HelloTech’s international teams, in a culture of active knowledge sharing.
• Technology with real-world impact: Build and operate modern systems at global scale, supporting 6+ millions of customers and complex supply chain operations.
• Technical/Product/Design leadership: Drive best practices and influence architecture/design, quality, and ways of working in an autonomous, product-led setup.
• End-to-end development/delivery: Drive decisions from problem definition to production, improving systems and enabling long-term scalability.
• Access to workspace at Warsaw Centre Point. The hub offers modern facilities including showers, breakout zones, outdoor space, cycle parking, and refreshments (coffee, soft drinks, and fruit).

Are you the missing ingredient? If this sounds like a tasty opportunity, we’d be excited to hear from you.  We aim to review your profile and respond within 5 business days.

Here's a summary of the role:

If you're a compliance professional who believes that the best controls are the ones that run themselves — this one's for you.

As a Compliance Engineer on our Continuous Controls Assurance team, you'll sit at the intersection of compliance, engineering, and business process — your mission being to make compliance a living, automated reality rather than a periodic exercise. You'll inject compliance directly into how the business operates, building the evidence, signals, and automation that lets us prove we do what we say we do.

This role is particularly suited to candidates who have worked across compliance frameworks and technical environments — whether in SaaS companies, cloud-native organisations, or forward-thinking internal audit and GRC functions — and who are comfortable translating control requirements into code, pipelines, and data.

You'll play a central role in maturing our controls assurance program, moving us from point-in-time testing toward continuous, automated monitoring that scales with the business.

Here's a breakdown of what you'll do:

• Design and build automated controls — translate control objectives across frameworks such as SOC 2, ISO 27001, and PCI DSS into automated tests, scripts, and monitoring logic embedded in business and technical processes
• Own continuous controls monitoring — develop and maintain pipelines that continuously collect, evaluate, and surface control evidence, flagging exceptions and deviations in near real-time
• Embed compliance into the SDLC and business operations — partner with Engineering, DevOps, and business teams to integrate compliance checkpoints, policy-as-code, and configuration validation into CI/CD pipelines and operational workflows
• Bridge GRC and Engineering — translate compliance requirements into technical specifications, and translate system behaviour back into auditable evidence — acting as the connective tissue between the two disciplines
• Maintain the controls evidence repository — ensure control evidence is automatically captured, timestamped, and stored in a format that supports internal review and external audit
• Support audit and assurance activities — provide automated evidence packages for external audits, reducing manual effort and improving audit quality and speed
• Identify and close assurance gaps — conduct control gap assessments, recommend improvements, and own the remediation pipeline through to closure
• Collaborate on policy and standard development — ensure that policies are written in a way that can be operationalised and tested, feeding back where policy language creates ambiguity in controls design

These are the essentials you'll need to get an interview:

• Experience in a compliance, GRC, or information security role within a SaaS or cloud-native organisation
• Hands-on experience with one or more compliance frameworks — SOC 2, ISO 27001, PCI DSS, or similar
• Demonstrated ability to automate compliance processes — using scripting (Python, Bash, or similar), APIs, or tooling such as Drata, Vanta, Tugboat Logic, or equivalent
• Familiarity with cloud environments (AWS, GCP, or Azure) and the controls that govern them
• Strong analytical skills — able to decompose a control objective into testable, measurable components
• Excellent written communication — able to produce clear control narratives, test procedures, and evidence documentation

It would be great if you had these too, but we'll support you if you don't:

• Experience with policy-as-code tools (e.g. Open Policy Agent, Conftest, Checkov, or AWS Config Rules)
• Exposure to CI/CD platforms (e.g. GitHub Actions, GitLab CI, Jenkins) and how compliance gates can be embedded within them
• Familiarity with SIEM, log management, or observability tooling in a controls assurance context
• A background that spans both technical and compliance disciplines — e.g. a developer who moved into GRC, or a compliance analyst who learned to code
• Relevant certifications such as CISA, CISSP, CCSP, AWS Security Specialty, or equivalent

THE ROLE 

As an AI Governance Analyst within Everpure’s Global Information Security Office (GISO), you will be the primary guardian of our safe and innovative AI adoption. You’ll bridge the gap between cutting-edge technology and enterprise safety by managing the end-to-end lifecycle of AI tooling requests and risk assessments. Partnering closely with Legal, Privacy, and Engineering, you ensure our teams move fast while remaining within our security guardrails. Your mission is to transform governance from a "no" to a "how-to" for the entire organization.

WHAT YOU’LL DO

• Accelerate Secure Innovation: Manage the end-to-end intake and risk assessment lifecycle for new AI tools and use cases, ensuring every service deployed on the Everpure Platform aligns with our security, privacy, and data handling standards.
• Proactive Risk Management: Safeguard the enterprise by identifying and remediating unapproved AI usage through proactive monitoring and stakeholder collaboration, successfully converting "shadow AI" into governed, secure business assets.
• Global Enablement & Literacy: Drive organizational AI literacy by developing self-service documentation, FAQs, and high-impact training programs that translate complex security requirements into actionable guidance for both technical and non-technical teams.
• Operational Excellence: Optimize the AI Governance program’s efficiency by maintaining a comprehensive inventory of approved vendors and tracking key performance indicators—such as time-to-approval and exception trends—to drive continuous process improvement.

WHAT YOU BRING

• Security & AI Domain Expertise: A strong professional background in information security, risk management, or data governance within a SaaS environment, paired with a functional understanding of Large Language Models (LLMs) and their associated security risks.
• Analytical Framework Proficiency: Proven ability to apply security and privacy frameworks (such as NIST, ISO 27001, or SOC 2) to evaluate third-party AI vendors and internal data flows for potential vulnerabilities.
• Strategic Communication & Partnership: Exceptional ability to distill complex policy into clear, persuasive communications for diverse stakeholders, demonstrating a partnership-first mindset that enables business units to achieve their goals safely.
• Organizational Agility: Exceptional program management skills with the capacity to prioritize high-volume requests and maintain meticulous documentation in a fast-paced, rapidly evolving regulatory and technological landscape.
• Bonus Skills: A blend of technical and policy expertise, including experience with AI governance frameworks (e.g., EU AI Act, sectoral AI, or data protection guidance)  and SaaS risk assessments. Working knowledge of DLP/CASB tools and a passion for building security awareness content that empowers teams to innovate safely.
• Location: We are primarily an in-office environment and therefore, you will be expected to work from the Lehi, UT office in compliance with Everpure’s policies, unless you are on PTO, or work travel, or other approved leave.

#LI-ONSITE #LI-KQ1

THE ROLE

At Everpure, Information Security is a foundational business priority. The Security team is a core engineering-focused group deeply embedded in ensuring the security of our corporate environment and Everpure services. We are dedicated to staying on the cutting edge of security technology and proactively addressing the evolving threat landscape.

We are seeking a proactive, detail-oriented Security Analyst, Compliance to independently run compliance certification programs with minimal supervision and actively support the broader compliance efforts of the team.

WHAT YOU'LL DO

• Lead a security certification program vertical  (e.g., SOC 2, ISO 27001, FedRAMP, Common Criteria) end to end with minimal supervision ensuring a successful outcome.
• Support other certification program verticals to streamline audit certification cycles.
• Collaborate and maintain communication with cross-functional teams (e.g., Engineering, Legal, Product) and external auditors/stakeholders to ensure smooth project execution and successful outcomes.
• Assist and support internal teams through independent assessments and audits. Translate complex security and compliance controls into actionable technical solutions and implementation strategies.
• Develop, track, and report on key compliance metrics (KCMs), continuously driving process improvements to align with evolving industry standards and best practices.
• Author and maintain comprehensive compliance documentation, including control narratives, audit evidence, and supporting materials, ensuring they are accurate, up-to-date, and audit-ready.
• Independently drive on recurring tasks and events such as access reviews and vulnerability scanning across multiple business units with differing scopes.
• We are primarily an in-office environment and therefore, you will be expected to work from the Lehi, UT office in compliance with Pure’s policies, unless you are on PTO, or work travel, or other approved leave.

WHAT YOU BRING

• 5+ years of experience in IT audit, risk management, or IT compliance roles, with demonstrated experience running compliance certification programs and previous audit experience.
• In-depth understanding of security controls and key compliance frameworks (e.g., NIST, SOC2, ISO 27001, FedRAMP, FIPS, Common Criteria) as well as cloud platforms (e.g. AWS, Azure, GCP, etc.)
• Proven experience in designing technical controls to satisfy compliance requirements.
• Strong written and verbal communication skills, with the ability to engage effectively with both internal teams and external auditors.
• Ability to identify and recommend tools, processes, and software to improve and automate compliance practices.
• Security Operations or Engineering background preferred but not required
• Relevant certifications such as CISSP, CISA, or CISM, ISO/IEC 27001 Lead Implementer or Lead Auditor  are preferred but not required.

#LI-ONSITE

#LI-TH3