Jobs · Business Development

Product GRC SME

Vanta · United States · 3 wk ago
RemoteRemoteBusiness DevelopmentFull-time

About the role

Vanta is a company dedicated to helping businesses earn and prove trust in their security practices. We are currently seeking a GRC Subject Matter Expert to join our growing team. This role plays a crucial part in delivering high-quality, scalable content and product guidance to help our customers effectively manage their GRC programs.

Responsibilities

  • Build and maintain compliance frameworks - Develop and enhance controls, evidence requirements, and implementation guidance for standards such as SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, and regional regulations (e.g., GDPR/CCPA).
  • Author clear control rationales, acceptance criteria, and customer-facing guidance.
  • Create and steward an internal common-control approach informed by industry catalogs (e.g., SCF, UCF, or similar).
  • Define standards for control wording, evidence specificity, testing method, and reviewer guidance.
  • Establish content QA processes, audits, and metrics (e.g., adoption, time-to-evidence, completion rates) to continually improve outcomes.
  • Drive end-to-end GRC product enablement - Build modular content, guidance, and templates for risk management, issue & corrective action management, policy management, access reviews, customer trust / Trust Center artifacts, and third-party risk management (due diligence, monitoring, contract clauses).
  • Partner with Product to drive roadmap - Translate customer and market needs into GRC requirements, propose experiments, and validate solutions through discovery with Design/UX Research. Influence prioritization using data and field insights; own a backlog for framework/content improvements.
  • Partner with Engineering to operationalize mappings in-product (integrations, automated tests, exceptions/exemptions, continuous monitoring workflows).
  • Translate controls/compliance knowledge and infrastructure contexts (cloud services, SaaS apps, on-prem, endpoints, networks, CI/CD) into spec-level automated tests and detectors in Vanta.
  • Instrument features to monitor accuracy and drift in production.
  • Synthesize feedback loops - Analyze input from customers, auditors/assessors, partners, and internal teams to identify gaps, resolve issues, and deliver iterative updates quickly and safely.

Requirements

  • Experience - 5-7+ years in GRC and/or Information Security with hands-on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800-53).
  • Education (preferred) - Bachelor’s degree in Computer Science; advanced degree a plus.
  • GRC craft - Deep understanding of controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, issues/POA&M management, vendor risk, continuous monitoring).
  • Product mindset - Ability to translate requirements into productizable capabilities; comfort with experimentation and data-driven prioritization.
  • Technical & automation (AI-augmented) - Build leverage with lightweight tools, LLMs, and automation workflows: Use AI pair-programming tools (e.g., GitHub Copilot, Cursor) to accelerate drafting of specs, mappings, queries, and test logic. Own simple automations that stitch together Sheets/Airtable, APIs, and webhooks to remove toil (e.g., mapping QA, evidence normalization, exception routing). Design AI-assisted workflows across teams (e.g., LLM-assisted control guidance, assessor Q&A triage, remediation suggestions) and measure outcomes (precision/recall, time-to-evidence, FP/FN rates). Establish safe-use guidelines and reusable patterns for prompts/agents (versioning, evaluation, privacy) and enable adoption with playbooks and templates. Analytical & detail-oriented - Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets (lookups, pivots).
  • Communication & collaboration - Excellent written and verbal skills; able to partner effectively with engineers, designers, GTM teams, auditors, and customers.
  • Self-motivated and independent - Able to work autonomously while contributing to team success.
  • Helpful and resourceful - Willing & excited to support cross-functional teams and improve compliance content.
  • Adaptable in a fast-paced environment - Skilled at managing change, solving problems proactively, and taking initiative.
  • Nice-to-have - Experience with privacy regulations (GDPR/CCPA), risk quantification (e.g., FAIR), audit/assessor background, or B2B SaaS content/enablement.
  • Certifications (preferred, not required) - One or more of: CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI-ISA/QSA.

Qualifications

  • Experience with cloud environments and SaaS is strongly preferred.
  • Federal experience (e.g., FedRAMP) is a plus but not required.

Skills

  • Deep understanding of controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, issues/POA&M management, vendor risk, continuous monitoring).
  • Ability to translate requirements into productizable capabilities; comfort with experimentation and data-driven prioritization.
  • Build leverage with lightweight tools, LLMs, and automation workflows: Use AI pair-programming tools (e.g., GitHub Copilot, Cursor) to accelerate drafting of specs, mappings, queries, and test logic. Own simple automations that stitch together Sheets/Airtable, APIs, and webhooks to remove toil (e.g., mapping QA, evidence normalization, exception routing). Design AI-assisted workflows across teams (e.g., LLM-assisted control guidance, assessor Q&A triage, remediation suggestions) and measure outcomes (precision/recall, time-to-evidence, FP/FN rates). Establish safe-use guidelines and reusable patterns for prompts/agents (versioning, evaluation, privacy) and enable adoption with playbooks and templates.
  • Analytical & detail-oriented - Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets (lookups, pivots).
  • Excellent written and verbal skills; able to partner effectively with engineers, designers, GTM teams, auditors, and customers.
  • Skilled at managing change, solving problems proactively, and taking initiative.
  • Willing & excited to support cross-functional teams and improve compliance content.
  • Curiosity, willingness to learn, and sound judgment in applying AI responsibly to improve efficiency and impact.

Benefits

  • Industry-competitive salary and equity.
  • Comprehensive medical, dental, and vision coverage, with 100% of employee-only benefit premiums covered for most medical plans.
  • 16 weeks paid Parental Leave for all new parents.
  • Health & wellness stipend.
  • Remote workspace, internet, and cellphone stipend.
  • Commuter benefits for team members who report to the SF and NYC office.
  • Family planning benefits.
  • Matching 401(k) contribution with immediate vesting.
  • Flexible PTO policy, plus 80 hours of Sick Time.
  • 11 company-paid holidays.
  • Virtual team building activities, lunch and learns, and other company-wide events!
  • Offices in SF, NYC, London, Dublin, Tel Aviv, and Sydney.

Pay

Industry-competitive salary and equity.

Schedule

Full-time.

Similar jobs

Materials SME

JabilFlorence, KY· 5 days ago
Managementapply on jabil.wd5.myworkdayjobs.com

Functional SME

Amyx, Inc.O'Fallon, IL· 3 mo ago
Business Developmentapply on careers-amyx.icims.com

GRC Engineer

CloudflareAustin, TX· 6 days ago
Engineeringapply on boards.greenhouse.io