GRC Engineer @SpyCloud
All others
Salary unspecified
Remote Location
🇺🇸 USA Only
Job Type full-time
Posted 4d ago

[Hiring] GRC Engineer @SpyCloud

4d ago - SpyCloud is hiring a remote GRC Engineer. 💸 Salary: unspecified 📍Location: USA

Role Description

The GRC Engineer is a role within SpyCloud’s Governance, Risk, and Compliance (GRC) department, part of the Legal & Compliance organization. This position plays a critical role in strengthening SpyCloud’s compliance posture by driving audit readiness, scaling continuous control testing, and embedding compliance requirements into cloud-native systems and workflows.

This role partners closely with Engineering, Security, IT, Product, and Legal teams to ensure compliance requirements are implemented effectively within cloud environments. The GRC Engineer leads complex compliance initiatives while leveraging automation and scripting to improve efficiency, accuracy, and scalability.

What You'll Do:

  • Compliance Program & Framework Management:
    • Lead and support compliance programs including SOC 2, ISO 27001, and CMMC, with a strong focus on cloud-native environments.
    • Coordinate internal and external audits, ensuring accurate evidence collection and alignment with technical stakeholders.
    • Support customer security reviews and questionnaires by clearly articulating SpyCloud’s cloud security controls and compliance posture.
  • Audit Readiness & Continuous Controls:
    • Own continuous audit readiness across cloud platforms such as AWS, GCP, and Azure.
    • Design and execute continuous control testing using automation and scripting (preferably Python).
    • Partner with Engineering and Security teams to ensure compliance is embedded into system design and change management processes.
  • GRC Automation & Tooling:
    • Build, maintain, and enhance automated evidence collection workflows using Vanta.
    • Integrate Vanta with cloud environments, identity systems, and CI/CD pipelines to support continuous compliance.
    • Collaborate with Engineering to implement automated compliance checks within cloud deployments.
  • Governance, Policies & Standards:
    • Develop and maintain security and compliance policies, standards, and procedures aligned with cloud architecture and operational practices.
    • Ensure governance documentation supports SOC 2, ISO 27001, and CMMC requirements while remaining practical for technical teams.
    • Translate complex technical requirements into clear, actionable controls.
  • Risk Management:
    • Lead risk assessments across cloud services, systems, and business processes.
    • Identify, assess, and drive remediation of cloud security and compliance risks.
    • Partner with stakeholders to ensure risks are understood, prioritized, and addressed.
  • Vendor Risk Management:
    • Enhance vendor risk management workflows through automation and integration, including integration audits of third-party cloud services.
  • Cross-Functional Collaboration:
    • Work closely with Engineering, IT, Security, Product, and Legal teams to embed compliance into architecture and design decisions.
    • Serve as a subject matter expert for cloud compliance, control validation, and compliance automation.

Qualifications

  • 5+ years of experience in Governance, Risk & Compliance (GRC), security compliance, auditing, or related roles.
  • Demonstrated experience applying SOC 2, ISO 27001, and/or CMMC requirements to cloud environments.
  • Experience leading audit readiness activities and working directly with auditors.
  • Strong collaboration experience with engineering and cloud operations teams.

Requirements

  • Education: Bachelor’s degree in Information Security, Computer Science, Engineering, or equivalent professional experience.
  • Technical Skills Required:
    • Ability to understand and write code, preferably Python, to automate evidence collection and validate cloud controls.
    • Strong knowledge of cloud architectures, IAM, logging, monitoring, and cloud security best practices.
    • Hands-on experience using Vanta for compliance automation and integrations.
    • Familiarity with SOC 2, ISO 27001, CMMC, NIST 800-53, and CIS Benchmarks.
  • Soft Skills:
    • Strong written and verbal communication skills.
    • Ability to work independently and manage multiple priorities.
    • Strong analytical, problem-solving, and collaboration skills.
  • Nice to Have:
    • Certifications such as CISA, CISSP, CCSK, CCAK, or ISO 27001 Lead Auditor/Implementer.
    • Experience with CI/CD pipelines, secure development practices, or cloud security engineering.
    • Experience conducting integration audits or third-party cloud risk assessments.

Benefits

  • 401(k) with Employer Contribution
  • Health, Vision, and Dental Insurance
  • Health Savings Account (HSA) available with Employer Contribution
  • Employer Paid Life, Short-term, and Long-term Disability Insurance
  • Generous PTO Plan and 16 paid holidays per year