Fable

Fable is a leading accessibility platform powered by people with disabilities.

Head of IT, Information Security

Security Engineer, Full Time, Remote, Lead, Team 11-50, H1B No Sponsor

Location

Canada

Posted

3 days ago

Salary

$160K - $225K / year

Seniority

Lead

Bachelor Degree, 7 yrs exp, English

Job Description

  • Own our compliance program, including SOC 2 and ISO 27001, and the ISMS that supports them
  • Assist with operational privacy processes in support of GDPR and adherence to privacy laws across all US states and international requirements
  • Assist the CISO with privacy program implementation
  • Lead the third-party risk management program
  • Lead AI risk management and governance
  • Drive our top focus areas: identity and access management, product security, and internal IT operations
  • Contribute to security research and thought leadership
  • Drive and attend industry events in partnership with the go-to-market team, representing Fable Security's leadership
  • Submit to and speak at conferences, building the company's presence in the security community

Job Requirements

  • 7+ years across security, compliance, and IT, including direct experience leading ISO 27001 and SOC 2 programs
  • Working knowledge of GDPR and US state and international privacy requirements
  • Experienced across identity, product security, risk management, and IT operations
  • Comfortable representing the company externally — at events, in research, and on stage
  • Clear communicator who can translate technical and regulatory requirements for any audience
  • Nice to Have: CISSP, CISM, CIPP/E, ISO 27001 Lead Implementer/Auditor, or equivalent certifications
  • Established presence in the security community: publications, talks, or research contributions

Benefits

  • Competitive base salary + equity
  • Equity in a venture-backed, high-growth company
  • Comprehensive benefits: health, dental, vision, 401(k)
  • Flexible PTO

More Security Engineer Jobs

Senior IT Security Engineer

Sequel Med Tech

Because people with diabetes should have the freedom to live the life they want.

Full Time, Remote, Team 201-500, Since 2023, H1B No Sponsor

  • Execute and support ongoing security operations aligned with Sequel’s security priorities and roadmap
  • Translate security findings, alerts, and audit requirements into actionable remediation plans
  • Proactively monitor the evolving threat landscape and regulatory environment
  • Contribute to investment and business-case discussions by articulating risk-reduction value
  • Partner with IT and Security & Compliance to implement security initiatives
  • Manage the vulnerability lifecycle, including scanning, triage, prioritization, and remediation tracking
  • Drive recurring patch cycles in coordination with IT operations
  • Monitor, triage, and investigate alerts across SIEM and Microsoft Defender tools
  • Lead end-to-end incident response
  • Identify, investigate, and remediate risky users and devices
  • Administer Microsoft 365 security and data protection solutions
  • Support the execution of the security awareness program
  • Maintain documentation and drive remediation of audit findings

Massachusetts
$100K - $165K / year

SR INFORMATION SECURITY ENGINEER

Lumen Technologies

Lumen Technologies is self-described as a global company of 40,000+ professionals empowering businesses, government, and communities to “produce amazing things.” Driven by the

Full Time, Remote, Team 10,001

Role Description

Engineers are expected to identify and design solutions for issues involving:

  • New features
  • Interoperability
  • Vulnerability
  • System limits and constraints facing the platforms and products

In addition, engineers are responsible to evaluate current capabilities and predict future needs, then work with internal stakeholders, vendors and peers to anticipate, define, and pursue these capabilities.

Main Responsibilities

  • Perform engineering support.
  • Assess operational business processes to ensure security is appropriately integrated.
  • Assess potential risks with new applications and products and provide security requirements and recommendations for risk mitigation to help the business succeed with their projects.
  • Directly engage in advanced troubleshooting and delivery with stakeholders, including end customers.
  • Consult as security subject matter expert with network architects, engineers, and others on solutions to security problems.
  • Recommend new information security systems and controls to mitigate emerging threats and risks across the company.
  • Ensure reports and findings are delivered in a timely and appropriate manner to management, operations and executive leadership.
  • Recommend new security policy, standards, best practices, and system configuration standards. Consult with internal clients on security topics and policy interpretation.
  • Identify higher risk areas of the corporate and carrier infrastructure for assessment.
  • Coordinate activities across multiple departments and business units.
  • Other duties as assigned.

Qualifications

  • Bachelors Degree
  • 6 years of experience, or 4 with Masters degree

Preferred Qualifications

  • Masters Degree
  • Ability and commitment to communicate effectively, consistently chooses communication methods to ensure critical information reaches and persuades intended audience
  • Uses strong interpersonal skills to build partnerships with stakeholders and peers
  • Possesses leadership qualities and persuades stakeholders to achieve positive outcomes
  • Demonstrates a strong sense of ownership and commitment toward leading peers and stakeholders on critical projects and tasks; making, meeting and communicating progress.

Compensation

This information reflects the anticipated base salary range for this position based on current national data. Minimums and maximums may vary based on location. Individual pay is based on skills, experience and other relevant factors.

  • $84,629 - $112,838 in these states: AL, AR, AZ, FL, GA, IA, ID, IN, KS, KY, LA, ME, MO, MS, MT, ND, NE, NM, OH, OK, PA, SC, SD, TN, UT, VT, WI, WV, WY
  • $88,860 - $118,480 in these states: CO, HI, MI, MN, NC, NH, NV, OR, RI
  • $93,092 - $124,122 in these states: AK, CA, CT, DC, DE, IL, MA, MD, NJ, NY, TX, VA, WA

Benefits

  • Comprehensive package featuring a broad range of Health, Life, Voluntary Lifestyle benefits and other perks that enhance your physical, mental, emotional and financial wellbeing.

What to Expect Next

Requisition #: 342500

Life at Lumen

Life at Lumen is human and connected, even in a fast moving, AI‑focused organization. We set clear expectations and trust people to meet them. With real support and shared accountability, teams collaborate better, move faster, and deliver meaningful outcomes.

Background Screening

If you are selected for a position, there will be a background screen, which may include checks for criminal records and/or motor vehicle reports and/or drug screening, depending on the position requirements.

Equal Employment Opportunities

We are committed to providing equal employment opportunities to all persons regardless of race, color, ancestry, citizenship, national origin, religion, veteran status, disability, genetic characteristic or information, age, gender, sexual orientation, gender identity, gender expression, marital status, family status, pregnancy, or other legally protected status (collectively, “protected statuses”).

Privacy Notice

Lumen is committed to protecting the privacy and security of personal information collected during the recruitment and hiring process.

Disclaimer

The job responsibilities described above indicate the general nature and level of work performed by employees within this classification. It is not intended to include a comprehensive inventory of all duties and responsibilities for this job. Job duties and responsibilities are subject to change based on evolving business needs and conditions.

United States
$84.6K - $124.1K / year

Role Description

This is a high-visibility, high-impact role at the center of Gong’s security and compliance story. As our Senior GRC Security Lead, you will be the architect of foundational programs we are building:

  • Gong’s first-ever Common Controls Framework
  • Standing up a formal risk process and register
  • Implementing a GRC tooling ecosystem
  • Owning the full policy, standards, and exceptions management lifecycle

This is not a role for someone looking to inherit a mature program. It’s a role for a builder — someone who thrives in ambiguity, operates with urgency, and finds energy in creating order from complexity. You will work directly with Legal, Sales, Engineering, Customer Audit teams, and executive stakeholders, and your fingerprints will be visible across everything Gong builds for compliance and trust for years to come.

Responsibilities

  • Design and implement Gong’s Common Controls Framework, mapping controls across SOC 2, ISO 27001, 27017, 27701, 27018, HIPAA, PCI, and other applicable frameworks.
  • Rationalize overlapping requirements across frameworks to reduce compliance burden and create a single source of truth for control ownership.
  • Partner with Engineering, Infrastructure, and Product Security to embed controls at the architecture level, not just as audit checkboxes.
  • Establish control testing methodology, evidence collection standards, and continuous control monitoring processes.
  • Serve as the subject-matter expert on control mapping during customer and external audits, RFPs, and enterprise sales engagements.
  • Build Gong’s product & enterprise risk register from the ground up — defining risk taxonomy, scoring methodology, risk appetite thresholds, and ownership models.
  • Implementation of a GRC platform and system of record, and ability to build executive level dashboards to track vulnerability, risk, and control remediation.
  • Create and maintain risk treatment plans in partnership with risk owners across the business, tracking remediation milestones and escalating blockers.
  • Develop executive-level risk reporting cadences and dashboards for the Head of GRC and senior leadership.
  • Own the complete lifecycle of Gong’s information security policy suite — creation, review cycles, version control, and employee acknowledgment tracking.
  • Establish and operate a formal exceptions management program, including intake, risk assessment, approval workflows, compensating controls, and periodic review.
  • Ensure policies remain aligned with evolving regulatory requirements, industry frameworks, and Gong’s rapidly changing technology environment.
  • Drive policy adoption through clear communication, training support, and cross-functional partnership.
  • Liaise with external auditors and certification bodies for SOC 2, ISO, and other certifications.

Qualifications

  • 7+ years of progressive experience in GRC, Information Security, or a closely related function — with meaningful time spent building or scaling programs, not just running them.
  • Demonstrated hands-on experience building a GRC program at scale — ideally in a high-growth SaaS or technology company.
  • Deep expertise across multiple compliance and security frameworks, including SOC 2 Type II, ISO 27001, NIST CSF, and at least one regulatory framework (GDPR, CCPA, HIPAA, or equivalent).
  • Experience creating and implementing GRC Record of Truth/Tooling.
  • Strong policy and standards writing ability — capable of translating complex regulatory language into clear, actionable documentation.
  • Experience conducting and managing product & enterprise risk assessments, with a working knowledge of risk quantification methodologies.
  • Proven ability to manage and communicate with senior stakeholders, including Legal, Engineering, and executive audiences.
  • Bachelor’s degree in Information Security, Computer Science, Business, or a related field; equivalent practical experience considered.
  • Relevant certifications strongly preferred: CISSP, CISM, CRISC, CISA, CCSP, or comparable credentials.

Benefits

  • We offer Gongsters a variety of medical, dental, and vision plans, designed to fit you and your family’s needs.
  • Wellbeing Fund - flexible wellness stipend to support a healthy lifestyle.
  • Mental Health benefits with covered therapy and coaching.
  • 401(k) program to help you invest in your future.
  • Education & learning stipend for personal growth and development.
  • Flexible vacation time to promote a healthy work-life blend.
  • Paid parental leave to support you and your family.
  • Company-wide recharge days each quarter.
  • Work from home stipend to help you succeed in a remote environment.

United States
$121K - $185K / year

Cyber Security Engineer

Lumin Digital

Lumin Digital is a FinTech company whose innovative digital solutions help financial institutions engage their customers and grow. The company has hired in the

  • Engineer the security infrastructure the rest of the company depends on across AWS and Kubernetes: telemetry pipelines, cryptographic material lifecycle, compliance automation, and the architecture patterns that scale across hundreds of environments.
  • Build and maintain agentic AI workflows using tools like Claude Code, MCP-based integrations, and custom agent harnesses to automate security engineering tasks. Examples include code review for vulnerability patterns, drift detection in security controls, and automated evidence collection.
  • Engineer the lifecycle of cryptographic material as code, including key generation, secure storage, certificate issuance, rotation, and revocation. All steps version-controlled, automated, and recoverable without a human in the loop.
  • Build security telemetry pipelines that detect, enrich, and route signals with the fidelity our auto-remediation systems require.
  • Embed security controls into deployment pipelines so vulnerabilities are prevented or resolved at build time rather than discovered post-deployment, including policy-as-code rules and automated playbooks.
  • Build compliance evidence collection and continuous control monitoring as engineered systems that produce auditor-ready outputs from continuous data flows.
  • Develop and maintain threat models that inform security architecture decisions and prioritize where engineered controls earn their place. Promote learnings into reusable patterns the rest of engineering can adopt.
  • Consult, review, and approve architectural decisions by other infrastructure and product teams for security compliance and outcomes, with attention to where secrets are stored and how trust boundaries are crossed.
  • Provide engineering support to Security Operations during incident response: build the tooling, telemetry, and automation that aids detection, containment, and recovery, in coordination with the Sec Ops team that owns the response process.
  • Partner with other Risk functions, technical teams, auditors, vendors, and clients to translate security requirements into engineered systems and validate posture across all environments.
  • Evaluate emerging AI-assisted engineering patterns and tooling through proof-of-concept work, including agent harness designs, prompt patterns, and eval methodologies. Promote what proves itself into team standard practice.
  • Operate our COTS security tooling when needed, usually through IaC and automation we've built ourselves, occasionally by clicking through a vendor console.
  • Perform other duties as assigned.

United States
$140K - $160K / year