Quick Summary
Compliance Program & Framework Management: Lead and support compliance programs including SOC 2, ISO 27001, and CMMC, with a strong focus on cloud-native environments.
SpyCloud is on a mission to make the internet a safer place by disrupting the criminal underground. SpyCloud’s solutions thwart cyberattacks and protect more than 4 billion accounts worldwide. Cybersecurity is an exciting, evolving space, and being at the forefront of the fight to disrupt cybercrime makes SpyCloud a special place to work. If you’re driven to align your career with a fantastic mission, look no further!
The GRC Engineer is a role within SpyCloud’s Governance, Risk, and Compliance (GRC) department, part of the Legal & Compliance organization. This position plays a critical role in strengthening SpyCloud’s compliance posture by driving audit readiness, scaling continuous control testing, and embedding compliance requirements into cloud-native systems and workflows.
This role partners closely with Engineering, Security, IT, Product, and Legal teams to ensure compliance requirements are implemented effectively within cloud environments. The GRC Engineer leads complex compliance initiatives while leveraging automation and scripting to improve efficiency, accuracy, and scalability.
Responsibilities
Compliance Program & Framework Management
- Lead and support compliance programs including SOC 2, ISO 27001, and CMMC, with a strong focus on cloud-native environments.
- Coordinate internal and external audits, ensuring accurate evidence collection and alignment with technical stakeholders.
- Support customer security reviews and questionnaires by clearly articulating SpyCloud’s cloud security controls and compliance posture.
Audit Readiness & Continuous Controls
- Own continuous audit readiness across cloud platforms such as AWS, GCP, and Azure.
- Design and execute continuous control testing using automation and scripting (preferably Python).
- Partner with Engineering and Security teams to ensure compliance is embedded into system design and change management processes.
GRC Automation & Tooling
- Build, maintain, and enhance automated evidence collection workflows using Vanta.
- Integrate Vanta with cloud environments, identity systems, and CI/CD pipelines to support continuous compliance.
- Collaborate with Engineering to implement automated compliance checks within cloud deployments.
Governance, Policies & Standards
- Develop and maintain security and compliance policies, standards, and procedures aligned with cloud architecture and operational practices.
- Ensure governance documentation supports SOC 2, ISO 27001, and CMMC requirements while remaining practical for technical teams.
- Translate complex technical requirements into clear, actionable controls.
Risk Management
- Lead risk assessments across cloud services, systems, and business processes.
- Identify, assess, and drive remediation of cloud security and compliance risks.
- Partner with stakeholders to ensure risks are understood, prioritized, and addressed.
Vendor Risk Management
- Enhance vendor risk management workflows through automation and integration, including integration audits of third-party cloud services.
Cross-Functional Collaboration
- Work closely with Engineering, IT, Security, Product, and Legal teams to embed compliance into architecture and design decisions.
- Serve as a subject matter expert for cloud compliance, control validation, and compliance automation.
Requirements
Experience
- 5+ years of experience in Governance, Risk & Compliance (GRC), security compliance, auditing, or related roles.
- Demonstrated experience applying SOC 2, ISO 27001, and/or CMMC requirements to cloud environments.
- Experience leading audit readiness activities and working directly with auditors.
- Strong collaboration experience with engineering and cloud operations teams.
Education
- Bachelor’s degree in Information Security, Computer Science, Engineering, or equivalent professional experience.
Technical Skills
- Ability to understand and write code, preferably Python, to automate evidence collection and validate cloud controls.
- Strong knowledge of cloud architectures, IAM, logging, monitoring, and cloud security best practices.
- Hands-on experience using Vanta for compliance automation and integrations.
- Familiarity with SOC 2, ISO 27001, CMMC, NIST 800-53, and CIS Benchmarks.
Soft Skills
- Strong written and verbal communication skills.
- Ability to work independently and manage multiple priorities.
- Strong analytical, problem-solving, and collaboration skills.
Nice to Have
- Certifications such as CISA, CISSP, CCSK, CCAK, or ISO 27001 Lead Auditor/Implementer.
- Experience with CI/CD pipelines, secure development practices, or cloud security engineering.
- Experience conducting integration audits or third-party cloud risk assessments.
What We Offer
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud's data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.
To learn more and see insights on your company’s exposed data, visit spycloud.com.
Our mission is to make the internet a safer place by disrupting the criminal underground. Together with our customers and partners, we aim to end criminals’ ability to profit from stolen information.
SpyCloud is a place for innovative, collaborative problem-solvers to thrive. Individually, we’re amazing, but together, we’re unstoppable. We celebrate diversity and various perspectives and aim to create an inclusive and supportive environment for all. We are proud to be an Equal Employment Opportunity and Affirmative Action employer of choice. All aspects of employment decisions will be based on merit, performance, and business needs. We do not discriminate on the basis of any status protected under federal, state, or local law. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, sex (including pregnancy, childbirth, reproductive health decisions, or related medical conditions), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, genetic information, political views or activity, or other applicable legally protected characteristics. Women, minorities, individuals with disabilities, and protected veterans are encouraged to apply. SpyCloud complies with applicable state and local laws governing nondiscrimination in employment. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.
SpyCloud expressly prohibits any form of workplace harassment. Improper interference with the ability of SpyCloud's employees to perform their job duties may result in discipline up to and including discharge. SpyCloud shares the right to work and participates in the E-Verify program in all locations.
If you need assistance or accommodation due to a disability, you may contact us.
Our culture is something really special. We’re all driven to disrupt the cybercriminal economy as we keep customer accounts safe from compromise. We support a truly worthy and serious mission, but we have fun doing it together. If you are driven, inventive, and collaborative, you’ll fit right in.
We will never ask an applicant for sensitive or personal financial information during the recruitment process. We advise all applicants seeking employment with SpyCloud to review available information on recruitment fraud. Anyone who suspects that they have been contacted by someone falsely representing SpyCloud should email careers@spycloud.com.
At SpyCloud, we believe in transparency and fairness in compensation. We strive to ensure that all employees are fairly compensated for their contributions, and we openly discuss our compensation philosophy and structure. We are committed to providing competitive salaries and benefits packages to attract and retain top talent, and we encourage open dialogue and feedback regarding compensation matters.
Learn more and apply: SpyCloud Careers
Listing Details
- Posted: April 1, 2026
- First seen: April 1, 2026
- Last seen: April 25, 2026
Posting Health
- Days active: 24
- Repost count: 0
- Trust Level: 39%
- Scored at: April 25, 2026
SpyCloud transforms recaptured darknet data to protect businesses from identity-based cyberattacks, offering solutions for ransomware prevention, account takeover protection, and cybercrime investigations.