
InfoSec Governance Risk and Compliance Lead
UpGuard
Job Description
Lead GRC Strategy: Drive the development, maturity, and execution of UpGuard’s InfoSec Governance, Risk, and Compliance function, with primary ownership over technology and cybersecurity risk.
Optimize Procurement & Vendor Security: Partner closely with procurement, legal, and business stakeholders to embed security reviews into the purchasing lifecycle. Lead Third-Party Risk Management (TPRM) evaluations for new and existing vendors.
Contract & Legal Support: Review security exhibits, Data Processing Agreements, and security questionnaires during procurement negotiations to safeguard UpGuard and its customers.
Enterprise Collaboration: Partner with the CISO to contribute expert analysis on broader enterprise and operational risk matters, ensuring a unified approach to risk management.
Own the Risk Management Process: Architect and run the technology and security components of the Risk Management process. You will maintain, continually improve, and deliver executive-ready reporting on trends, vulnerabilities, and strategic insights.
Champion SOC 2 & Security Compliance: Formally own the technology and security control components of UpGuard’s annual SOC 2 Type II audit cycle. Design, manage, and coordinate remediations and improvements stemming from prior cycles, incident post-mortems, and internal assessments.
Build Trust & Product Alignment: Work cross-functionally with the Product team to develop public-facing trust documentation, while identifying security control gaps and improvement opportunities within the Product Development Life Cycle (PDLC).
Policy Governance: Draft, implement, and maintain a robust framework of InfoSec policies, standards, processes, and guidelines tailored to an evolving threat landscape.
Security Culture: Design and implement comprehensive, company-wide security awareness and compliance training programs utilizing the MindTickle platform.
Core Experience: 4+ years of dedicated experience in Information Security, IT Audit, or GRC within a technical, cloud-based landscape.
Risk & GRC Tooling Expertise: Deep familiarity and hands-on experience with modern technology risk management frameworks, GRC platforms, and Third-Party Risk Management (TPRM) tools.
Procurement & Legal Acumen: Experience partnering with procurement, legal, and privacy teams across diverse geographic areas (e.g., GDPR/CCPA, anti-corruption) to review vendor contracts, technical agreements, and security exhibits.
Strategic Communication: A clear, collaborative communicator capable of translating complex technical risks into clear business impacts for stakeholders, customers, and vendors.
Autonomy & Ownership: The ability to work independently, take swift initiative, and manage the fine details while never losing sight of long-term strategic goals.
Problem-Solving Mindset: A skillful issue-spotter and adaptive learner who can confidently navigate ambiguity and evaluate legal/business risk trade-offs.
Collaborative Nature: High ethical standards, meticulous attention to detail, a team-first attitude, and a dual passion for teaching and learning.
Advanced Experience: 6+ years of experience, including at least 2 years in a dedicated lead or senior-level capacity within a fast-growing B2B SaaS environment.
Audit Mastery: A proven track record of successfully owning and leading complex, multi-stakeholder security audits from scratch (specifically SOC 2 Type II, ISO 27001, or NIST frameworks).
Industry Certifications: Relevant professional certifications such as CISA, CRISC, CISM, or CISSP.
Scalability Mindset: Demonstrated experience scaling a GRC and vendor security function alongside a rapidly expanding global startup.
About this job
Job Type
Full Time
Department
Cybersecurity
Salary
Not disclosed
Posted On
June 26, 2026