Director, Security Risk & Compliance jobs in United States

Exterro · 1 day ago

Director, Security Risk & Compliance

Exterro is seeking an experienced, dynamic, and multifaceted Director, Risk and Compliance to manage, lead, and enhance their comprehensive governance, risk, and compliance program. This critical leadership role oversees a dedicated team responsible for delivering key services that ensure Exterro's operational integrity and regulatory adherence.

Ediscovery, Legal, Legal Tech, Risk Management, Software

Responsibilities

Lead, mentor, and manage the Risk and Compliance team, setting strategic priorities, driving performance, and fostering a culture of security, compliance, and continuous improvement
Develop, implement, and maintain the overarching strategy for the Governance, Risk, and Compliance (GRC) program across all Exterro products and operations
Serve as a key strategic partner to executive leadership on matters of risk exposure, regulatory change, and compliance investments
Audit Support and Management: Oversee the entire lifecycle of internal and external audits (e.g., SOC 2, ISO 27001, HIPAA, and customer-driven audits). This includes preparation, coordination, evidence gathering, remediation tracking, and report finalization
FedRAMP Program Ownership: Manage and maintain the full lifecycle of the Continuous Monitoring (ConMon) process for FedRAMP compliance, ensuring all required activities, documentation, and reporting are executed accurately and on time to sustain Authorization
Risk Management & Oversight: Establish and mature the enterprise-wide risk management framework, including identifying, assessing, mitigating, and monitoring technology, operational, and regulatory risks
Policy Management: Oversee the creation, review, dissemination, and enforcement of all internal security, compliance, and acceptable use policies, ensuring they align with regulatory requirements and industry best practices
Customer Assurance & Trust Services: Lead the team in supporting sales and customer success through crucial security business enablement activities:
  Directly support the completion and review of complex RFPs (Requests for Proposal) by providing accurate and detailed security and compliance information
  Negotiate and review Security Addendums and security-related clauses in contracts with both new and existing customers, ensuring Exterro's commitments are accurately reflected and met
Security Awareness Program: Design, manage, and continuously evolve the internal security awareness and training program to ensure employees understand their role in protecting Exterro and customer data
Implement and manage an internal audit function to regularly test and validate the effectiveness of security controls and compliance program elements
Provide crucial oversight and reporting for the vulnerability management process, ensuring that identified security weaknesses are prioritized, tracked, and remediated in a timely manner according to defined risk thresholds
Ensure alignment of controls and processes across various compliance frameworks (e.g., GDPR, CCPA, FedRAMP, etc.) to drive efficiency and reduce duplication of effort

Qualifications

Risk Management, Compliance Management, Audit Management, FedRAMP Compliance, GRC Program Development, Regulatory Frameworks, Project Management, Analytical Skills, Customer Assurance, Security Awareness Training, Contract Negotiation, CISSP Certification, CISA Certification, CISM Certification, CRISC Certification, Organizational Skills, Team Leadership, Communication Skills

Required

7+ years of experience in a dedicated Risk, Compliance, GRC, or Information Security leadership role, preferably within the LegalTech, SaaS, or highly regulated technology sectors
Proven experience leading audit efforts for major compliance standards (e.g., SOC 2, ISO 27001, FedRAMP)
Deep, hands-on understanding of the FedRAMP Continuous Monitoring (ConMon) process
Demonstrated experience supporting sales and legal teams by managing customer-facing security assurance activities (RFPs, contract negotiations, security questionnaires)
Expert knowledge of regulatory frameworks relevant to data privacy and security (e.g., GDPR, CCPA, HIPAA, etc.)
Strong analytical, organizational, and project management skills with the ability to manage multiple complex initiatives simultaneously

Preferred

CISSP (Certified Information Systems Security Professional)
CISA (Certified Information Systems Auditor)
CISM (Certified Information Security Manager)
CRISC (Certified in Risk and Information Systems Control)

Benefits

Health insurance
Retirement plans
Flexible paid time off
Variable pay
Equity
Bonus

Company

Exterro is a software company that provides privacy, e-discovery, and information governance solutions for IT and in-house legal teams.

Funding

Current Stage
Late Stage
Total Funding
$100M
Key Investors
Leeds Equity Partners
2022-07-25 Private Equity
2018-05-23 Private Equity · $100M
2007-01-26 Series A

Leadership Team

Bobby Balachandran
Founder and CEO
Karthik Palani
CFO & COO
Company data provided by crunchbase