Staff Security Governance & Compliance Analyst
Diligent
0 - 3 years
Bengaluru
Posted: 30/04/2026
Job Description
About the Role
We are looking for a sharp, automation-first Compliance Engineer to join our Governance, Risk & Compliance (GRC) team. In this role, you will own the technical side of our compliance programme: designing and operating systems that continuously verify our security controls, collect evidence automatically, and keep us audit-ready at all times.
You will work at the intersection of security engineering and regulatory compliance, leveraging AI-powered and agentic tooling to replace manual, point-in-time audit work with real-time, scalable assurance. If you love turning compliance from a periodic scramble into an always-on engineering discipline, this role is built for you.
Key Responsibilities
Compliance Automation & Continuous Assurance
- Design, build, and maintain automated pipelines for controls testing across SOC 2 Type II, ISO 27001, and other applicable frameworks.
- Develop scripts, integrations, and workflows that continuously collect, validate, and store compliance evidence from cloud infrastructure, SaaS tools, CI/CD pipelines, and endpoint systems.
- Implement AI and agentic tools (e.g., LLM-based classification, autonomous agents) to interpret data, flag control deviations, and draft audit narratives, reducing manual effort.
- Build and maintain a compliance-as-code library so controls are versioned, testable, and auditable.
Frameworks & Audit Readiness
- Serve as an internal SME for SOC 2 (Trust Services Criteria) and ISO 27001 / 27701 control mapping.
- Maintain a continuously updated control inventory and evidence repository ready for external auditor review at any point in the year.
- Coordinate with external auditors during annual assessments; own the evidence pack preparation and auditor Q&A.
- Identify control gaps through automated gap assessments and drive remediation with engineering and product teams.
GRC Programme Development
- Contribute to the design and evolution of the company's internal assurance programme, including risk assessment methodologies and control effectiveness metrics.
- Develop dashboards and executive-level reporting that show real-time compliance posture across all frameworks.
- Advise on vendor and third-party risk assessments, including security questionnaire automation.
- Stay current on emerging regulations and integrate new requirements into the automation stack.
Required Qualifications
Experience
- 5+ years of experience in information security, with a minimum of 3 years focused on GRC, compliance engineering, or security assurance.
- Demonstrable experience designing or operating a SOC 2 or ISO 27001 compliance programme, including evidence collection and audit support.
- Hands-on experience writing automation scripts (Python, NodeJS, or similar) to interact with cloud APIs (AWS, GCP, or Azure), SaaS platforms, or SIEM/log aggregation tools.
- Experience integrating AI or ML tooling into operational workflows, including working with LLM APIs, prompt engineering, or building agentic pipelines using frameworks.
Certifications (at least one required)
- CISSP (Certified Information Systems Security Professional)
- CISA (Certified Information Systems Auditor)
- CISM (Certified Information Security Manager)
- ISO 27001 Lead Auditor or Lead Implementer
- CompTIA Security+ or equivalent (acceptable as a secondary certification)
Technical Skills
- Proficiency in Python for automation; familiarity with REST APIs, webhooks, and data pipelines.
- Working knowledge of cloud-native security services (AWS Config, AWS Security Hub, Azure Policy, GCP SCC) and how they map to compliance controls.
- Experience with GRC platforms (Vanta, Drata, Tugboat Logic, OneTrust, or equivalent) and ideally extending them via API or custom integrations.
- Understanding of IAM, encryption, logging, vulnerability management, and change management controls in a cloud-first environment.
Preferred Qualifications
- Experience building agentic workflows where an AI system autonomously gathers evidence, tests controls, and surfaces exceptions with minimal human intervention.
- Background in a high-growth SaaS, fintech, or B2B technology company where compliance was a commercial differentiator.
- Experience with Infrastructure-as-Code tools (Terraform) and how policy guardrails integrate with deployment pipelines.