Vanta · 4 hours ago
Product GRC SME
Vanta is a company dedicated to helping businesses earn and prove trust through continuous security monitoring. The GRC Subject Matter Expert will be responsible for developing and maintaining multi-framework GRC solutions, ensuring alignment with security and compliance needs, and collaborating across various teams to enhance product offerings.
Artificial Intelligence (AI) · Compliance · Cyber Security · Internet · Software
Responsibilities
Build and maintain compliance frameworks - Lead the creation, enhancement, and lifecycle management of controls, evidence requirements, and implementation guidance for standards such as SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, and regional regulations (e.g., GDPR/CCPA). Author clear control rationales, acceptance criteria, and customer-facing guidance
Design crosswalks and mappings (framework‑agnostic) - Create and steward an internal common‑control approach informed by industry catalogs (e.g., SCF, UCF, or similar). Maintain bidirectional crosswalks across industry leading security and privacy regulatory frameworks. Define canonical control IDs, mapping confidence, and evidence data dictionaries; version crosswalks with changelogs and traceability to source authority. Partner with Engineering to operationalize mappings in‑product (integrations, automated tests, exceptions/exemptions, continuous monitoring workflows)
Elevate content quality and usability - Define standards for control wording, evidence specificity, testing method, and reviewer guidance. Establish content QA processes, audits, and metrics (e.g., adoption, time-to-evidence, completion rates) to continually improve outcomes
Drive end‑to‑end GRC product enablement - Build modular content, guidance, and templates for risk management (methodologies, scoring, KRIs), issue & corrective action management (POA&M), policy management (lifecycle, attestations), access reviews (SoD, recertification flows), customer trust / Trust Center artifacts, and third‑party risk management (TPRM) (due diligence, monitoring, contract clauses)
Act as a product advisor across discovery & design - Partner with PM/Design to support feature discovery (customer interviews, JTBD, task analysis), review UI/UX for control, evidence, and review workflows, run usability tests, and author PRDs/acceptance criteria grounded in auditor and customer needs
Author automated tests & continuous monitoring - Translate controls/compliance knowledge and infrastructure contexts (cloud services, SaaS apps, on‑prem, endpoints, networks, CI/CD) into spec‑level automated tests and detectors in Vanta. Define test logic, data sources/integrations (APIs, logs, configs), edge cases, and acceptance criteria; pair with Engineering to implement, validate, and maintain detectors with versioned mappings to frameworks for continuous monitoring
Partner with Product to drive roadmap - Translate customer and market needs into GRC requirements, propose experiments, and validate solutions through discovery with Design/UX Research. Influence prioritization using data and field insights; own a backlog for framework/content improvements
Enable AI‑assisted compliance - Partner with Engineering/ML to design and ship LLM‑powered guidance and automation. Translate SME knowledge into machine‑readable specs (schemas, ontologies, prompts), define gold‑standard evaluation sets and acceptance criteria, and implement quality/safety guardrails (red‑teaming, refusal policy, privacy controls). Instrument features to monitor accuracy and drift in production
Synthesize feedback loops - Analyze input from customers, auditors/assessors, partners, and internal teams to identify gaps, resolve issues, and deliver iterative updates quickly and safely
Qualifications
Required
5-7+ years in GRC and/or Information Security with hands‑on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800‑53)
Deep understanding of controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, issues/POA&M management, vendor risk, continuous monitoring)
Ability to translate requirements into productizable capabilities; comfort with experimentation and data‑driven prioritization
Able to build leverage with lightweight tools, LLMs, and automation workflows
Skilled at precise control wording, mapping accuracy, and evidence specificity; comfortable working in spreadsheets and large data sets (lookups, pivots)
Excellent written and verbal skills; able to partner effectively with engineers, designers, GTM teams, auditors, and customers
Able to work autonomously while contributing to team success
Willing & excited to support cross-functional teams and improve compliance content
Skilled at managing change, solving problems proactively, and taking initiative
Preferred
Bachelor's degree in Computer Science; advanced degree a plus
Experience with cloud environments and SaaS is strongly preferred
Federal experience (e.g., FedRAMP) is a plus but not required
Experience with privacy regulations (GDPR/CCPA), risk quantification (e.g., FAIR), audit/assessor background, or B2B SaaS content/enablement
One or more of: CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI‑ISA/QSA
Benefits
100% covered medical, dental, and vision benefits with dependents coverage
16 weeks fully-paid parental leave for all new parents
Health & wellness and remote workplace stipends
Family planning benefits through Carrot Fertility
401(k) matching
Flexible work hours and location
Open PTO policy
11 paid holidays in the US
Company
Vanta
Vanta is a trust management platform that automates compliance and risk management.
H1B Sponsorship
Vanta has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Below presents additional info for your reference. (Data Powered by US Department of Labor)
Distribution of Different Job Fields Receiving Sponsorship (chart; highlights job fields similar to this job)
Trends of Total Sponsorships
2025 (23)
2024 (6)
2023 (4)
2022 (10)
2021 (3)
Funding
Current Stage
Late Stage
Total Funding
$503M
Key Investors
Wellington Management, Sequoia Capital, CrowdStrike
2025-07-23Series D· $150M
2024-07-24Series C· $150M
2023-05-10Series B
Company data provided by crunchbase