Senior Security GRC Lead
Gong · San Francisco, CA · 3 wk ago
Information Technology$121k–$185k/yrFull-time
About the role
Gong harnesses the power of AI to transform how revenue teams win. The Senior GRC Security Lead will design and implement Gong’s Common Controls Framework, establish a risk process and register, and own the full policy, standards, and exceptions management lifecycle.
Responsibilities
- Design and implement Gong’s Common Controls Framework, mapping controls across various frameworks.
- Rationalize overlapping requirements across frameworks to reduce compliance burden and create a single source of truth for control ownership.
- Partner with Engineering, Infrastructure, and Product Security to embed controls at the architecture level.
- Establish control testing methodology, evidence collection standards, and continuous control monitoring processes.
- Serve as the subject-matter expert on control mapping during customer and external audits, RFPs, and enterprise sales engagements.
- Build Gong’s product & enterprise risk register from the ground up, defining risk taxonomy, scoring methodology, risk appetite thresholds, and ownership models.
- Implement a GRC platform and system of record, and create executive level dashboards to track vulnerability, risk, and control remediation.
- Create and maintain risk treatment plans in partnership with risk owners across the business, tracking remediation milestones and escalating blockers.
- Develop executive-level risk reporting cadences and dashboards for the Head of GRC and senior leadership.
- Own the complete lifecycle of Gong’s information security policy suite, including creation, review cycles, version control, and employee acknowledgment tracking.
- Establish and operate a formal exceptions management program, including intake, risk assessment, approval workflows, compensating controls, and periodic review.
- Ensure policies remain aligned with evolving regulatory requirements, industry frameworks, and Gong’s rapidly changing technology environment.
- Drive policy adoption through clear communication, training support, and cross-functional partnership.
- Liaise with external auditors and certification bodies for SOC 2, ISO, and other certifications.
Qualifications
- 7+ years of progressive experience in GRC, Information Security, or a closely related function.
- Deep expertise across multiple compliance and security frameworks, including SOC 2 Type II, ISO 27001, NIST CSF, and at least one regulatory framework (GDPR, CCPA, HIPAA, or equivalent).
- Strong policy and standards writing ability, capable of translating complex regulatory language into clear, actionable documentation.
- Experience conducting and managing product & enterprise risk assessments, with a working knowledge of risk quantification methodologies.
- Proven ability to manage and communicate with senior stakeholders, including Legal, Engineering, and executive audiences.
- Bachelor’s degree in Information Security, Computer Science, Business, or a related field; equivalent practical experience considered.
- Relevant certifications strongly preferred: CISSP, CISM, CRISC, CISA, CCSP, or comparable credentials.