Senior Manager, GRC Subject Matter Experts, Product
About the role
Vanta is a company dedicated to helping businesses earn and prove trust in their security practices. We specialize in providing continuous security monitoring and verification, and we empower companies to improve and prove their security with ease. Our mission is to support businesses in maintaining robust security measures and meeting regulatory requirements.
Responsibilities
- Hire, mentor, and develop a team of GRC Subject Matter Experts (SMEs) covering commercial frameworks, government frameworks, test authoring, framework quality uplift, and framework maintenance.
- Create a stable, motivated team environment with clear operating rhythms, delegating effectively to grow ownership and capability, and partnering with your leader and People Business Partner to spot and address team health issues early.
- Connect the team's roadmap and content priorities to Vanta's broader product and company strategy, anticipating near-term shifts in customer needs, regulatory landscape, and product direction, and adjusting focus to keep the team aligned.
- Lead the team through change with steadiness while holding yourself and them accountable for commitments, communicating progress and risks proactively, addressing misses directly, and creating an environment where mistakes are treated as learning opportunities rather than blame.
- Own and govern Vanta's framework release process end-to-end, partnering with Product and Engineering to define the playbook for how new frameworks, framework updates, automated tests, crosswalks, and content are scoped, built, reviewed, and shipped.
- Drive the program management work that surrounds GRC content, including new framework launches, framework updates, update notes, customer escalations, content and test requests, PMM material reviews, and licensing and pricing input.
- Track team performance and report KPIs and metrics to security and product leadership, including framework release velocity, content quality, adoption, time-to-evidence, and customer impact.
- Break down ambiguous and competing priorities across framework launches, framework updates, test authoring, and quality uplift into clear, actionable decisions, balancing customer demand, market opportunity, and engineering capacity, and escalating complex tradeoffs with context and a recommended path forward.
- Set direction for the team's work on crosswalks and mappings across security and privacy frameworks, including canonical control IDs, mapping confidence, and evidence data dictionaries, and partner with Engineering to operationalize them in-product.
- Steer the team's contribution to the broader GRC product surface, including risk management, issue and corrective action management (POA&M), policy management, access reviews, Trust Center, and third-party risk management.
- Partner with Product Management and Design to ensure SMEs are effective product advisors across discovery, PRD authoring, UI/UX review, and usability testing.
- Champion AI-assisted compliance on the team, coaching SMEs to translate domain knowledge into machine-readable specs, evaluation sets, and guardrails, and partnering with Engineering and ML to ship LLM-powered guidance and automation.
- Partner with Sales, Customer Success, and Product Marketing to represent the framework portfolio externally and contribute to pricing, packaging, and licensing conversations (including frameworks such as HITRUST).
- Serve as a senior escalation point for customer issues related to framework content, scoping, and interpretation.
- Provide input and feedback on the development of GRC product features that depend on the team's content and expertise.
Requirements
- 10+ years of GRC and/or Information Security experience, with hands-on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800-53); experience with cloud environments and SaaS strongly preferred.
- 5+ years of experience managing technical or subject matter expert teams, with a passion for developing people and building a culture of quality and accountability.
- Experience owning or heavily contributing to programs that span Product, Engineering, and GTM — ideally including content lifecycle, framework release, or compliance product work.
- Strong program management instincts: comfortable defining process, driving prioritization, and holding cross-functional partners accountable to release plans and quality bars.
- Deep GRC craft — controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, POA&M, vendor risk, continuous monitoring).
- Product mindset — able to coach the team on translating customer and regulatory needs into productizable capabilities, with comfort using data to prioritize.
- Technical and automation fluency (AI-augmented) — comfortable using AI pair-programming and LLM tools to accelerate drafting of specs, mappings, and test logic, and able to set safe-use guidelines, evaluation practices, and reusable patterns for the team.
- Analytical and detail-oriented — skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working with spreadsheets and large data sets.
- Excellent written and verbal communication; able to partner effectively with engineers, designers, GTM teams, auditors, and customers, and to represent the team's work to executives.
- Self-motivated and adaptable in a fast-paced environment, with a track record of leading teams through change.
Qualifications
- Federal experience (e.g., FedRAMP, CMMC, StateRAMP) a plus but not required.
- Privacy regulation experience (GDPR/CCPA), audit/assessor background experience a plus.
- Certifications preferred but not required — one or more of: CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI-ISA/QSA.
Skills
- Deep GRC craft — controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, POA&M, vendor risk, continuous monitoring).
- Product mindset — able to coach the team on translating customer and regulatory needs into productizable capabilities, with comfort using data to prioritize.
- Technical and automation fluency (AI-augmented) — comfortable using AI pair-programming and LLM tools to accelerate drafting of specs, mappings, and test logic, and able to set safe-use guidelines, evaluation practices, and reusable patterns for the team.
Benefits
Industry-competitive salary and equity
Comprehensive medical, dental, and vision coverage, with 100% of employee-only benefit premiums covered for most medical plans
16 weeks paid Parental Leave for all new parents
Health & wellness stipend
Remote workspace, internet, and cellphone stipend
Commuter benefits for team members who report to the SF and NYC office
Family planning benefits
Matching 401(k) contribution with immediate vesting
Flexible PTO policy, plus 80 hours of Sick Time
11 company-paid holidays
Virtual team building activities, lunch and learns, and other company-wide events!
Pay
Industry-competitive salary and equity
Schedule
Full-time