Product GRC SME
Vanta · United States · 3 wk ago
RemoteRemoteBusiness DevelopmentFull-time
About the role
Vanta is a company dedicated to helping businesses earn and prove trust in their security practices. We are currently seeking a GRC Subject Matter Expert to join our growing team. This role plays a crucial part in delivering high-quality, scalable content and product guidance to help our customers effectively manage their GRC programs.
Responsibilities
- Build and maintain compliance frameworks - Develop and enhance controls, evidence requirements, and implementation guidance for standards such as SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, and regional regulations (e.g., GDPR/CCPA).
- Author clear control rationales, acceptance criteria, and customer-facing guidance.
- Create and steward an internal common-control approach informed by industry catalogs (e.g., SCF, UCF, or similar).
- Define standards for control wording, evidence specificity, testing method, and reviewer guidance.
- Establish content QA processes, audits, and metrics (e.g., adoption, time-to-evidence, completion rates) to continually improve outcomes.
- Drive end-to-end GRC product enablement - Build modular content, guidance, and templates for risk management, issue & corrective action management, policy management, access reviews, customer trust / Trust Center artifacts, and third-party risk management (due diligence, monitoring, contract clauses).
- Partner with Product to drive roadmap - Translate customer and market needs into GRC requirements, propose experiments, and validate solutions through discovery with Design/UX Research. Influence prioritization using data and field insights; own a backlog for framework/content improvements.
- Partner with Engineering to operationalize mappings in-product (integrations, automated tests, exceptions/exemptions, continuous monitoring workflows).
- Translate controls/compliance knowledge and infrastructure contexts (cloud services, SaaS apps, on-prem, endpoints, networks, CI/CD) into spec-level automated tests and detectors in Vanta.
- Instrument features to monitor accuracy and drift in production.
- Synthesize feedback loops - Analyze input from customers, auditors/assessors, partners, and internal teams to identify gaps, resolve issues, and deliver iterative updates quickly and safely.
Requirements
- Experience - 5-7+ years in GRC and/or Information Security with hands-on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800-53).
- Education (preferred) - Bachelor’s degree in Computer Science; advanced degree a plus.
- GRC craft - Deep understanding of controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, issues/POA&M management, vendor risk, continuous monitoring).
- Product mindset - Ability to translate requirements into productizable capabilities; comfort with experimentation and data-driven prioritization.
- Technical & automation (AI-augmented) - Build leverage with lightweight tools, LLMs, and automation workflows: Use AI pair-programming tools (e.g., GitHub Copilot, Cursor) to accelerate drafting of specs, mappings, queries, and test logic. Own simple automations that stitch together Sheets/Airtable, APIs, and webhooks to remove toil (e.g., mapping QA, evidence normalization, exception routing). Design AI-assisted workflows across teams (e.g., LLM-assisted control guidance, assessor Q&A triage, remediation suggestions) and measure outcomes (precision/recall, time-to-evidence, FP/FN rates). Establish safe-use guidelines and reusable patterns for prompts/agents (versioning, evaluation, privacy) and enable adoption with playbooks and templates. Analytical & detail-oriented - Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets (lookups, pivots).
- Communication & collaboration - Excellent written and verbal skills; able to partner effectively with engineers, designers, GTM teams, auditors, and customers.
- Self-motivated and independent - Able to work autonomously while contributing to team success.
- Helpful and resourceful - Willing & excited to support cross-functional teams and improve compliance content.
- Adaptable in a fast-paced environment - Skilled at managing change, solving problems proactively, and taking initiative.
- Nice-to-have - Experience with privacy regulations (GDPR/CCPA), risk quantification (e.g., FAIR), audit/assessor background, or B2B SaaS content/enablement.
- Certifications (preferred, not required) - One or more of: CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI-ISA/QSA.
Qualifications
- Experience with cloud environments and SaaS is strongly preferred.
- Federal experience (e.g., FedRAMP) is a plus but not required.
Skills
- Deep understanding of controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, issues/POA&M management, vendor risk, continuous monitoring).
- Ability to translate requirements into productizable capabilities; comfort with experimentation and data-driven prioritization.
- Build leverage with lightweight tools, LLMs, and automation workflows: Use AI pair-programming tools (e.g., GitHub Copilot, Cursor) to accelerate drafting of specs, mappings, queries, and test logic. Own simple automations that stitch together Sheets/Airtable, APIs, and webhooks to remove toil (e.g., mapping QA, evidence normalization, exception routing). Design AI-assisted workflows across teams (e.g., LLM-assisted control guidance, assessor Q&A triage, remediation suggestions) and measure outcomes (precision/recall, time-to-evidence, FP/FN rates). Establish safe-use guidelines and reusable patterns for prompts/agents (versioning, evaluation, privacy) and enable adoption with playbooks and templates.
- Analytical & detail-oriented - Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets (lookups, pivots).
- Excellent written and verbal skills; able to partner effectively with engineers, designers, GTM teams, auditors, and customers.
- Skilled at managing change, solving problems proactively, and taking initiative.
- Willing & excited to support cross-functional teams and improve compliance content.
- Curiosity, willingness to learn, and sound judgment in applying AI responsibly to improve efficiency and impact.
Benefits
- Industry-competitive salary and equity.
- Comprehensive medical, dental, and vision coverage, with 100% of employee-only benefit premiums covered for most medical plans.
- 16 weeks paid Parental Leave for all new parents.
- Health & wellness stipend.
- Remote workspace, internet, and cellphone stipend.
- Commuter benefits for team members who report to the SF and NYC office.
- Family planning benefits.
- Matching 401(k) contribution with immediate vesting.
- Flexible PTO policy, plus 80 hours of Sick Time.
- 11 company-paid holidays.
- Virtual team building activities, lunch and learns, and other company-wide events!
- Offices in SF, NYC, London, Dublin, Tel Aviv, and Sydney.
Pay
Industry-competitive salary and equity.
Schedule
Full-time.