The role requires a pragmatic operator who understands that GRC exists to enable the business,balancing rigorous standards with the velocity of a high-growth startup.

Key responsibilities include:

• Technical Leadership & Mentorship:
• Act as the technical anchor for the GRC team.
• Mentor GRC analysts and engineers, setting the standard for quality, technical depth, and operational efficiency.
• Own the technical vision for Replit's GRC program, moving the team from manual workflows toward 'Compliance-as-Code' and automated evidence collection.
• Cross-Functional Collaboration:
• Partner with Architects and Engineering Leads to 'bake in' compliance requirements early in the design phase.
• Work closely with Legal Counsel to interpret and implement requirements for Privacy (GDPR, CCPA) and emerging AI-specific regulations (e.g., EU AI Act).
• Enable the Sales team by managing the Customer Trust Center and handling complex security questionnaires.
• Risk Management & Strategic Compliance:
• Own the Cybersecurity Risk Register.
• Identify, quantify, and track risks, distinguishing between theoretical compliance gaps and meaningful business risks.
• Manage and evolve our compliance posture across SOC 2, ISO 27001, and prepare the organization for future certifications in regulated markets (e.g., FedRAMP, ITAR, PCI, HIPAA).
• Automation & Efficiency:
• Drive the shift from manual evidence collection to continuous monitoring.
• Identify opportunities to automate audit work, ensuring GRC scales with the business.
• Architect a scalable framework for assessing third-party vendors and AI model providers, ensuring our supply chain remains secure without creating administrative bottlenecks.

The ideal candidate will have:

• 8+ years of experience in GRC or Information Security.
• Leadership experience, proven by mentoring other GRC professionals or leading complex cross-functional projects.
• Technical fluency, speaking the language of engineering, cloud (GCP/AWS), and security architecture.
• Regulatory breadth, with deep experience with SOC 2, ISO 27001, PCI, HIPAA, and Privacy laws.
• Collaborative communication skills, explaining risk and tradeoffs to technical, legal, and commercial stakeholders.
• An automation mindset, with experience with GRC automation tools (e.g., Vanta, Drata) and a bias toward reducing manual toil.

Bonus qualifications include familiarity with FedRAMP, ITAR, or AI regulation.

We value pragmatism, business enablement, solutions-oriented leadership, and clarity. This is a full-time role that can be held from our Foster City, CA office, with an in-office requirement of Monday, Wednesday, and Friday.

Full-time employee benefits include competitive salary and equity, 401(k) program with a 4% match, health, dental, vision, and life insurance, short-term and long-term disability, paid parental, medical, caregiver leave, commuter benefits, monthly wellness stipend, autonomous work environment, in-office set-up reimbursement, flexible time off (FTO) + holidays, quarterly team gatherings, and in-office amenities.

XML job scraping automation by YubHub