Kikoff
Posted 2 days ago · New
USD 260,700-304,700/yr

Staff Trust & Assurance Engineer

United States · San Francisco · Lead

Overview

Kikoff: The Fintech Powering Financial Security at Scale

Kikoff is a profitable, pre-IPO fintech company on a mission to empower everyone to achieve financial security.


This is a consumer fintech startup, and you will be working with serial entrepreneurs who have built strong consumer brands and innovative products. We value extreme ownership, clear communication, a strong sense of craftsmanship, and the desire to create lasting work and work relationships. Yes, you can build an exciting business AND have real-life real-customer impact.

About the Role


As the Staff Trust & Assurance Engineer, you will report to the Lead of Security and be the first dedicated hire establishing Kikoff's Trust & Assurance function within Security. You will own the design, operation, and attestation of the cybersecurity controls that external auditors, regulators, and B2B customers rely on.

The function is engineering-led, with a strong emphasis on automation, code-backed control operations, and AI-assisted evidence workflows. You will partner closely with the SOX Manager in the CFO org as a cybersecurity control owner, while owning the cyber compliance program end-to-end for SOC 2 and PCI.

You will lead three connected work streams: security compliance (SOC 2, PCI, and IT general controls supporting SOX), customer assurance (questionnaires, trust portal, sub-processor inventory), and third-party risk management.

Responsibilities

  • Own Kikoff's SOC 2 Type II program end-to-end, including scoping, control design, evidence collection, walkthroughs, and external auditor management.
  • Maintain Kikoff's PCI DSS self-attestation, including annual SAQ completion, scope analysis to ensure cardholder data remains with our payment processors, payment-vendor oversight, and monitoring product and engineering changes that could expand scope.
  • Serve as the cybersecurity control owner for IT general controls supporting the SOX program, partnering with the SOX Manager on logical access, change management, and related areas.
  • Operationalize the GLBA Safeguards Rule technical controls across the program elements.
  • Source and steward the substantive cybersecurity content behind SEC Regulation S-K Item 106 disclosures, working with Legal on language and with the SOX Manager on disclosure controls.
  • Own the customer and vendor security questionnaire pipeline, including reusable evidence libraries and a self-serve trust portal.
  • Design and operate the internal cybersecurity control testing and continuous monitoring program in partnership with Security Engineering.
  • Build policy-as-code, compliance-as-code, and AI-driven evidence automation that scales with the engineering organization.
  • Serve as the primary cybersecurity audit contact for SOC 2, PCI, and customer-driven cyber assessments.
  • 7+ years of experience in security compliance, GRC, or technical audit, with a primary focus on cloud-native environments.
  • Has owned at least one SOC 2 Type II cycle end-to-end, including design, evidence, walkthroughs, and auditor defense.
  • Hands-on experience with PCI DSS, including SAQ environments and tokenization-driven scope reduction.
  • Able to read and modify code, infrastructure-as-code, and IAM policies. Comfortable working in Git-based engineering workflows and shipping changes through CI/CD.
  • Understanding of cloud infrastructure and modern AI-native technologies.
  • Demonstrated experience managing external auditors and translating control requirements into engineering deliverables.
  • Excellent written communication, with the ability to produce auditor-ready documentation and engineering-ready specifications.
  • Comfortable operating across functional boundaries, including Engineering, Legal, and Finance.

Requirements

  • Prior experience as a control owner supporting SOX IT general controls audits in a pre-IPO or newly public company.
  • Experience building or operating AI- or LLM-driven GRC automation, including custom agents, MCP servers, or evidence-collection pipelines.
  • Background in IPO readiness or newly public company environments.
  • Familiarity with ISO 27001, ISO 42001, FedRAMP, CMMC 2.x, or NIST 800-53.


Base Range
$260,700 to $304,700 USD

Equal Employment Opportunity Statement

Kikoff Inc. is an equal opportunity employer. We are committed to complying with all federal, state, and local laws providing equal employment opportunities, and we consider qualified applicants without regard to race, color, religion, creed, gender, national origin, age, disability, veteran status, marital status, pregnancy, sex, gender expression or identity, sexual orientation, citizenship, or any other legally protected class.

Please reference the following for more information.

Location & Eligibility

Where is the job
San Francisco, United States
On-site at the office
Who can apply
US

Listing Details

Posted
June 1, 2026
First seen
June 2, 2026
Last seen
June 4, 2026

Posting Health

Days active
0
Repost count
0
Trust Level
79%
Scored at
June 2, 2026

Employer
Kikoff
Source
greenhouse
Employees
125
Founded
2019