This job posting is no longer available
About
As a Cybersecurity GRC Engineer, you will have a rare opportunity as a cybersecurity and Governance, Risk, and Compliance (GRC) subject matter expert and top-tier engineer to not only drive compliance, but to build the technology that will shape our organization's security posture, and to establish yourself as a thought leader in both the cybersecurity and GRC industries. You will report directly to the Director of Cybersecurity Governance, Risk, and Compliance, and work closely with the Cybersecurity team, IT, Engineering / Developers, Legal, and additional stakeholder teams to drive innovative solutions for automating and enhancing security governance, risk, and compliance processes, and embed and integrate security risk and compliance across enterprise-wide processes, including development, change management, and third-party risk management.
The Cybersecurity GRC Engineer will support the design, implementation, and ongoing evolution of a "Compliance‑as‑Code" program that translates security industry and regulatory requirements into automated, testable policies across cloud, infrastructure, and application layers. You will also be responsible for building real‑time compliance dashboards and reporting that give leadership clear visibility into the organization's security risk posture.
Proficiency with AI tools (LLMs, prompt engineering, generative‑AI workflows) is a core requirement – you'll use AI to streamline policy creation and implementation, evidence generation, and remediation suggestions. Experience with designing and implementing autonomous "agentic AI" solutions is preferred.
Responsibilities
- Automation of Manual GRC Processes
- Understand, automate, and enhance currently manual GRC activities (e.g. risk‑assessment questionnaires, risk register, control‑evidence collection, audit‑readiness, supplier management, exception handling, etc.).
- Leverage generative AI and automation to prepare security questionnaire responses and evidence, synthesize findings, and propose remediation actions while embedding required human‑in‑the‑loop approvals.
- Integrate automated workflows across toolsets, CI/CD pipelines, and ticketing systems to create a single source of truth.
- Define success metrics (time saved, error reduction, audit‑readiness score) and continuously monitor, refine, and report on the automation's impact.
- Compliance‑as‑Code Program
- Translate frameworks (e.g., ISO 27001, SOC 2, NIST SP800-53 / CSF, GDPR, CCPA, HIPAA, FedRAMP, etc.) into policy‑as‑code.
- Engineer and automate security controls across infrastructure, cloud, and SaaS systems to strengthen our control environment and streamline evidence collection.
- Build reusable IaC modules that enforce security baselines and continuously verify compliance.
- Embed compliance checks into CI/CD pipelines (e.g., GitHub Actions, Jenkins).
- Design environments where evidence is produced automatically.
- Design environments that cannot operate any other way than in compliance with controls.
- Develop automated remediation playbooks and "push-button" routines to address suspected policy violations.
- Collaborate with cross-functional teams to ensure new projects and systems are designed with security and compliance embedded / integrated.
- Support internal and external audits by providing documentation, evidence, and responses to audit findings.
- Implement, configure, and maintain GRC solutions, platforms, and/or toolsets. Build API‑based connectors to ingest data from cloud services, security tools, ticketing systems, asset‑management tools, and AI‑generated outputs.
- Compliance Dashboards & Reporting: Architect, develop, and maintain real‑time compliance dashboards that visualize risk scores, control coverage, policy drift, and remediation status. Automate the generation of periodic compliance posture and audit readiness reports (e.g., SOC 2, ISO 27001, NIST, etc.) and deliver them to management.
Minimum
- Education: Bachelor's degree in Computer Science, Information Security, Information Systems, or a related field (or equivalent practical experience).
- Experience: 4 years in Cybersecurity / Information Security, GRC, security engineering, or infrastructure automation; proven track record automating manual GRC processes and building compliance‑as‑code programs.
- Technical Skills
- Strong scripting/programming (e.g., Python, Shell, PowerShell, YAML/JSON).
- AI Proficiency: Demonstrated proficiency using generative AI/LLMs for content creation, code assistance, and/or data summarization; ability to craft effective prompts, validate outputs, and embed AI into production workflows.
- Experience with IaC, Policy‑as‑Code, CI/CD pipeline integration, cloud-based platforms (AWS).
- Industry Standard / Regulatory Knowledge: Practical understanding of ISO 27001, SOC 2, NIST SP800-53, NIST CSF, GDPR/CCPA, and ability to translate them into technical controls.
- Soft Skills
- Excellent communication - able to explain technical controls and AI‑generated findings to non‑technical stakeholders.
- Strong analytical thinking and problem‑solving.
- Ability to thrive in a fast‑growing, cross‑functional environment.
Preferred
- Agentic AI Experience – Designing, training, and supervising autonomous AI agents (e.g. custom function-calling bots) that can autonomously scan IaC, generate remediation code, draft evidence artifacts, and/or run periodic compliance checks.
- Professional Certifications: CISSP, CISM, CRISC, CCSP.
- Experience conducting security audits (e.g., SOC 2 Type II, ISO 27001 certification, ITGCs).
- Experience configuring and/or administering Compliance Automation, TPRM, and/or GRC tools / apps (e.g. Vanta, Drata, ServiceNow, Archer, ProcessUnity, OneTrust, etc.).
Language skills
- English