Job Information
HashiCorp Sr. GRC Specialist, Security Risk Management in United States
About the team
As part of the Security organization and within the Governance, Risk and Compliance (GRC) department, the Security Risk team is responsible for security risk management at HashiCorp. The team defines the security risk management process, operationalizes it, manages risk pragmatically, and tracks and reports on security risk across HashiCorp. This includes both internal and third party vendor security risk.
We are looking for an experienced security risk manager who has done risk management at scale in a mature environment to join a new Security Risk team to help mature and operationalize the security risk management program at HashiCorp. This role is an opportunity to have direct and considerable impact on a newer risk management program from the ground up. This role will contribute to HashiCorp primarily by helping define the risk management framework and program, assessing risk, and tracking, reporting and communicating on security risk. This role will also spend some time on vendor security risk management, in particular helping better identify and articulate the security-related vendor risks to our products and services, as well as key business processes and data.
In this role, you will:
Help define and mature the internal and vendor security risk framework, program and processes
Help define, standardize, and educate stakeholders on risk taxonomy and nomenclature
Help define and continually improve risk scoring methodologies
Perform and facilitate internal and vendor security risk assessments
Review new risk submissions and facilitate their progress through the risk management process
Track progress against, follow up and report on risk treatment efforts
Maintain the security risk register
Track and report on risks to stakeholders across the company
Track and report on trends in security risk and threats
Define, track and report on KRIs
Help develop the HashiCorp Common Controls Framework
Help develop and contribute to quarterly and annual planning for the risk program
Track execution against OKRs and the risk program roadmap
Assist with other GRC activities as needed, including external security audits and other tasks as required
Must-Have Qualifications
6+ years of experience in risk management, with at least 3 in security risk management
Strong understanding of cloud, preferably AWS
Considerable hands-on experience with one or more risk management frameworks or standards (e.g., FAIR, ISO 31000 and 27005, RMF, etc.)
Ability to ask the right questions and understand complex technical topics
Strong understanding of current cyber security threats and TTPs
Excellent written and verbal communication
Ability to prioritize and track multiple projects in parallel
Highly responsive and collaborative
Flexibility in daily hours (i.e., willingness to work longer hours during end of quarter, peak periods and audits)
Desired Qualifications
Previous experience at a technology or SaaS company in a similar role
Experience with risk engineering and using data to make risk-informed decisions
Experience with quantitatively measuring security risks
Experience with risk management in other industries (e.g., finance, insurance, aerospace, etc.)
Experience with risk management tooling and platforms
Individual pay within the range will be determined based on job-related factors such as skills, experience, and education or training.
The base pay range for this role in the SF Bay Area / NYC area is:
$182,800—$215,000 USD
The base pay range for this role in Seattle Metro, Denver / Boulder Metro, New York (excluding NYC), Washington D.C., or California (excluding SF Bay Area) is:
$167,500—$197,100 USD
The base pay range for this role in Colorado (excluding Denver / Boulder Metro) and Washington (excluding Seattle Metro) is:
$152,300—$179,200 USD