GRC Engineer
ButterflyMX · United States · 5 days ago
RemoteRemoteEngineeringFull-time
Responsibilities
- Own and continuously mature the company risk register;
- Design a risk management workflow that uses AI tooling to surface, score, and route emerging risks with minimal manual intervention, ensuring the register reflects real-time posture, not a quarterly snapshot.
- Lead external audit management (SOC 2 Type II); automate evidence collection pipelines in Vanta so that audit cycles are driven by continuous monitoring rather than evidence sprints, and begin scoping a readiness path for ISO 42001 (AI management systems).
- Engineer the Trust and Assurance program for scale: build automated intake and triage workflows for security questionnaire requests, deploy AI-assisted response generation against a curated knowledge base, and expand the trust portal so that partner due diligence is largely self-service.
- Build a vendor and supply chain risk program that goes beyond static spreadsheets. Design automated vendor intake, tiered risk scoring, and continuous monitoring triggers (news alerts, rating service integrations, release notes, expiration tracking) that surface risk without requiring manual sweeps.
- Redesign and maintain security and privacy policies; use AI to draft, version, and track policy updates, and build a lightweight workflow for owner review, approval, and attestation that doesn't require a ticketing system to chase people down.
- Own common controls monitoring in Vanta. Configure and tune integrations, checks, and alerting so that control failures surface automatically to the right owners, not just to a GRC inbox.
- Drive the organization toward an always-on compliance posture.
- Modernize the security awareness and training program.
- Operationalize an integrated compliance calendar covering SOC 2, security and IT systems licensing renewals, applicable state privacy regulations, and any other active frameworks with automated reminders and status tracking rather than manual coordination.
- Support the CISO and General Counsel on operational privacy practices: administer cookie consent management tooling, handle or route data subject requests (DSRs) through a documented and auditable workflow, and help maintain the company's privacy notice and data mapping inventory.
- Monitor the regulatory and compliance landscape, including AI governance developments (EU AI Act, NIST AI RMF, ISO 42001). Proactively surface changes that require a policy, control, or product response.
- Leverage AI tools across every GRC workflow; this role is expected to demonstrate measurable efficiency gains through automation and tooling, not simply to own a portfolio of manual processes.
Requirements
- 3+ years of experience in GRC, information security compliance, or risk management.
- Familiarity with additional frameworks is a strong plus: CIS Controls v8, NIST CSF, NIST AI RMF, NIST Privacy Framework, NIST SP 1800 series, NIST 800-53 r5, ISO 42001, ISO 27701, ISO 27001, OWASP Top 10 for Agentic Applications, MITRE D3FEND, MITRE SoT, MITRE ALTAS.
- Experience conducting rapid third-party/vendor risk assessments and managing a supply chain risk program.
- Strong organizational skills with the ability to manage multiple concurrent workstreams and deadlines.
- Excellent written communication, capable of drafting clear, audience-appropriate policy documents and executive risk summaries.
- Experience with Vanta platform (or equivalent).
- Relevant certifications a plus: CISA, CRISC, CISSP, CIPP, or equivalent.
- Proven experience with leveraging AI tools in both professional and personal settings.
Benefits
- Comprehensive Medical, Dental and Vision plans (ButterflyMX covers 80% of the cost)
- 10 paid holidays, 20 vacation days, 5 sick days, 3 floating holidays
- Basic Life and Accidental Death and Dismemberment Insurance (ButterflyMX covers 100% of the cost)
- Short and Long Term Disability (ButterflyMX covers 100% of the cost)
- Quarterly self-care stipends
- Access to optional benefits including pre-tax flexible healthcare spending accounts (FSA and HSA), Dependent Care FSA, and Commuter Benefits, as well as optional Supplemental Life, AD&D, Hospital Indemnity, Legal, Accident, Critical Illness, Pet, and Personal Liability Insurance
Company Culture
- Fantastic people are the key to our success.
- We are a distributed, primarily remote workforce.
- We are driven by a shared commitment to excellence and innovation, grounded in our core values:
- We delight our customers,
- We take ownership,
- We are a community of collaborators,
- We speak up,
- We think big and do small,
- We are tenacious.