Sr. GRC Specialist, Security Risk Management
United States
Full Time Senior-level / Expert USD 179K - 215K
HashiCorp
HashiCorp delivers consistent workflows to provision, secure, connect, and run any infrastructure for any application.
About the team
As part of the Security organization and within the Governance, Risk and Compliance (GRC) department, the Security Risk team is responsible for security risk management at HashiCorp. The team defines the security risk management process, operationalizes it, manages risk pragmatically, and tracks and reports on security risk across HashiCorp. This includes both internal and third party vendor security risk.
We are looking for an experienced security risk manager who has done risk management at scale in a mature environment to join a new Security Risk team to help mature and operationalize the security risk management program at HashiCorp. This role is an opportunity to have direct and considerable impact on a newer risk management program from the ground up. This role will contribute to HashiCorp primarily by helping define the risk management framework and program, assessing risk, and tracking, reporting and communicating on security risk. This role will also spend some time on vendor security risk management, in particular helping better identify and articulate the security-related vendor risks to our products and services, as well as key business processes and data.
In this role, you will:
- Help define and mature the internal and vendor security risk framework, program and processes
- Help define, standardize, and educate stakeholders on risk taxonomy and nomenclature
- Help define and continually improve risk scoring methodologies
- Perform and facilitate internal and vendor security risk assessments
- Review new risk submissions and facilitate their progress through the risk management process
- Track progress against, follow up and report on risk treatment efforts
- Maintain the security risk register
- Track and report on risks to stakeholders across the company
- Track and report on trends in security risk and threats
- Define, track and report on KRIs
- Help develop the HashiCorp Common Controls Framework
- Help develop and contribute to quarterly and annual planning for the risk program
- Track execution against OKRs and the risk program roadmap
- Assist with other GRC activities as needed, including external security audits and other tasks as required
Must-Have Qualifications
- 6+ years of experience in risk management, with at least 3 in security risk management
- Strong understanding of cloud, preferably AWS
- Considerable hands-on experience with one or more risk management frameworks or standards (e.g., FAIR, ISO 31000 and 27005, RMF, etc.)
- Ability to ask the right questions and understand complex technical topics
- Strong understanding of current cyber security threats and TTPs
- Excellent written and verbal communication
- Ability to prioritize and track multiple projects in parallel
- Highly responsive and collaborative
- Flexibility in daily hours (i.e., willingness to work longer hours during end of quarter, peak periods and audits)
Desired Qualifications
- Previous experience at a technology or SaaS company in a similar role
- Experience with risk engineering and using data to make risk-informed decisions
- Experience with quantitatively measuring security risks
- Experience with risk management in other industries (e.g., finance, insurance, aerospace, etc.)
- Experience with risk management tooling and platforms
#LI-REMOTE
The base pay range for this role in the SF Bay Area / NYC area is: $182,800—$215,000 USD
The base pay range for this role in Seattle Metro, Denver / Boulder Metro, New York (excluding NYC), Washington D.C., or California (excluding SF Bay Area) is: $167,500—$197,100 USD
The base pay range for this role in Colorado (excluding Denver / Boulder Metro) and Washington (excluding Seattle Metro) is: $152,300—$179,200 USD
ALERT: HashiCorp has received reports of scams where individuals purporting to represent HashiCorp conduct bogus “employment interviews” via email or text, and then request payment as a condition for receiving an offer of employment. HashiCorp and its subsidiaries do not conduct interviews by email or text, and will never request payment as a condition for applying for a position or receiving an offer of employment. These scam operators may also ask for your personal information (name, address, birthdate, social security number, etc.), which you should not provide to them. If you have been the target of such a scam, you should report it to the U.S. Federal Trade Commission (see this FTC posting for further details: https://www.consumer.ftc.gov/articles/job-scams), the office of your state Attorney General, or the government agency responsible for investigating matters such as this where you reside.