Director / Senior Director of Compliance
ID.me · San Francisco Bay Area · 2 wk ago
On-siteLegal$230k–$320k/yrFull-time
Full compliance portfolio
- FedRAMP (Moderate), SOC 2 Type II, ISO 27001, IRS Pub 4812, and NIST 800-63 Rev 3/Rev 4 (Kantara)
People leadership
You are accountable for your team's development, career growth, and well-being — not just their output.
Automation strategy
Drive control consolidation and evidence automation. Reduce the total number of operated controls. Leverage AI and tooling to eliminate repetitive manual work.
Cross-functional partnership
Serve as the compliance interface to Engineering, Product, Legal, and Privacy. Build trust through partnership, clear communication, and pragmatic risk decisions.
Audit management
Maintain continuous audit readiness across all programs. Own assessor relationships and agency engagements.
Risk integration
Partner with the Risk team to feed compliance findings into a unified cyber risk register — one evaluation loop, not fragmented reviews.
What You'll Own
- Full compliance portfolio: FedRAMP (Moderate), SOC 2 Type II, ISO 27001, IRS Pub 4812, NIST 800-63 Rev 3/Rev 4 (Kantara), and emerging frameworks as they apply.
- People leadership: Build, grow, and lead a compliance team.
- Automation strategy: Drive control consolidation and evidence automation. Reduce the total number of operated controls. Leverage AI and tooling to eliminate repetitive manual work.
- Cross-functional partnership: Serve as the compliance interface to Engineering, Product, Legal, and Privacy. Build trust through partnership, clear communication, and pragmatic risk decisions.
- Audit management: Maintain continuous audit readiness across all programs. Own assessor relationships and agency engagements.
- Risk integration: Partner with the Risk team to feed compliance findings into a unified cyber risk register — one evaluation loop, not fragmented reviews.
Must Have
- People-first leadership. You have built and grown compliance teams. You hold regular 1:1s, create career development plans, and invest in making your people better. You delegate effectively and build systems where knowledge is shared, documented, and survives individual absence.
- Communication clarity. You give crisp, direct answers to strategic questions. You write clearly. You adjust your communication to your audience — board members, engineers, auditors, PMs — without losing precision.
- Partnership orientation. Engineering and Product are your customers. You default to "how do we make this work safely?" and when you say no, you explain why in terms the other person values and offer an alternative path. You build relationships proactively.
- Automation conviction. You believe compliance should be engineered. You champion tooling that automates evidence collection, continuous monitoring, and control validation. You think more like an engineering director than a traditional compliance director — systems, leverage, elimination of toil.
- Self-directing execution. You operate with minimal management. You identify what needs to happen, build a plan, execute it, and communicate upward proactively — your leadership always knows where things stand without having to ask.
- Audit management experience. You have led or been deeply involved in external audits — managing assessor relationships, preparing evidence packages, coordinating across teams to maintain readiness. The specific frameworks matter less than the rigor and judgment you bring to the process.
- AI fluency. You are comfortable using AI tools in your daily work and see them as force multipliers for compliance operations. We use Claude, Gemini, and custom integrations extensively. You will be expected to embrace and champion AI-augmented compliance workflows.
- Experience with FedRAMP (Moderate or High), NIST 800-53, or equivalent federal compliance frameworks.
- Experience building or significantly improving compliance automation (evidence pipelines, GRC platform integrations, continuous monitoring).
- Familiarity with GRC platforms (LogicGate, Drata, Vanta, or similar) as a power user.
- Experience managing 3PAO and external assessor relationships.
- Experience operating in a growth-stage or mid-stage tech company where you had to build, not just maintain.
Strong Preference
- Experience with Kantara / NIST 800-63 identity assurance frameworks.
- SOC 2 Type II or ISO 27001 program ownership.
Nice to Have
- CISA, CISSP, CRISC, CISM, or similar certifications.
- Experience with FedRAMP (Moderate or High), NIST 800-53, or equivalent federal compliance frameworks.
- Experience building or significantly improving compliance automation (evidence pipelines, GRC platform integrations, continuous monitoring).
- Familiarity with GRC platforms (LogicGate, Drata, Vanta, or similar) as a power user.
- Experience managing 3PAO and external assessor relationships.
- Experience operating in a growth-stage or mid-stage tech company where you had to build, not just maintain.