Smartsheet logo
Smartsheet

Founded in 2005, Smartsheet offers collaborative work management and process automation to empower greater enterprise productivity. A leading cloud-based platfo

Principal Security Engineer – GRC Team Lead

Location

Washington

Posted

1 day ago

Salary

$205K - $275K / year

Seniority

Senior

Job Description

Principal Security Engineer – GRC Team Lead

Smartsheet

• Own the end-to-end GRC strategy and roadmap: Lead the planning and prioritization of GRC initiatives that drive compliance maturity, reduce audit risk, and improve operational efficiency. • Design and implement policy-as-code systems: Translate compliance frameworks (SOC 2, ISO 27001, FedRAMP, HIPAA) into enforceable code, leveraging Infrastructure-as-Code (Terraform, CloudFormation) and automated compliance validation. • Build custom control frameworks: Design Smartsheet-specific Unified Control Frameworks (UCF) and Secure Control Frameworks (SCF) that map to our cloud architecture, multi-framework requirements, and organizational risk appetite. • Lead full audit cycles: Manage preparation, execution, and resolution for SOC 2 Type II, ISO 27001, FedRAMP, and other certification audits. Own evidence gathering, audit readiness tracking, and post-audit remediation. • Architect GRC platform strategy: Evaluate, select, configure, and integrate GRC tooling (Vanta, Drata, or similar) with our cloud infrastructure, identity systems, ticketing systems, and CI/CD pipelines to enable continuous compliance monitoring. • Design automated evidence collection and validation: Build data pipelines and integrations that automatically collect compliance evidence from AWS, application logs, identity systems, and operational tools; validate accuracy and reduce manual verification. • Translate compliance requirements into technical implementations: Work with engineering and security teams to express policies and regulatory requirements in a way they can execute and monitor—breaking down silos between compliance and technical teams. • Establish risk management and governance processes: Design and operate risk registers, control effectiveness assessments, continuous monitoring workflows, and escalation processes that provide leadership with real-time visibility into compliance posture. • Build and lead the GRC team: Mentor and develop your team, establish technical and operational practices, define the playbooks for compliance execution, and create a culture of continuous improvement.

Job Requirements

  • 10+ years of experience in GRC, compliance, security engineering, or related roles, with 5+ years in a technical or leadership capacity managing compliance programs at scale.
  • A degree in Computer Science, Computer Engineering, Cybersecurity or a related field or equivalent practical experience.
  • Deep hands-on expertise in running full audit cycles across multiple frameworks, particularly SOC 2 Type II, ISO 27001, and FedRAMP. You've managed evidence preparation, control testing, audit remediation, and continuous monitoring.
  • Strong technical foundation in cloud architecture and compliance: Working knowledge of AWS/GCP/Azure, infrastructure-as-code (Terraform), CI/CD pipelines, identity and access management, encryption, and logging—sufficient to design control implementations and validate technical posture.
  • Hands-on experience with GRC platform administration and customization (Vanta, Drata, ServiceNow GRC, or equivalent), including integration design and workflow automation.
  • Proficiency in policy-as-code and compliance-as-code principles: Experience implementing automated controls, policy enforcement, and continuous compliance validation through code and configuration.
  • Fluency in multiple compliance frameworks: Deep knowledge of SOC 2 Trust Service Criteria, ISO 27001 control objectives, NIST 800-53 (or 800-171 for government), and experience with HIPAA, GDPR, and industry-specific frameworks.
  • Scripting and automation skills: Comfortable with Python, Bash, or similar for building integrations, data pipelines, and automated control validation.
  • Excellent communication and program management: Ability to distill complex compliance concepts for both technical and business audiences, manage multi-workstream programs, and drive alignment across teams.
  • Some federal/government sector experience is valuable but not required: Understanding of FedRAMP processes, government compliance nuances, and federal contractor requirements is a plus.
  • US Person Status: Must be a U.S. Citizen, U.S. National to meet federal compliance requirements.

Benefits

  • Employer subsidized medical/vision and dental coverage for full-time employees
  • 401k Match to help you save for your future (50% of your contribution up to the first 6% of your eligible pay)
  • Monthly stipend to support your work and productivity
  • Flexible Time Away Program, plus Sick Time Off
  • US employees are automatically covered under Smartsheet-sponsored life insurance, short-term, and long-term disability plans
  • US employees receive 12 paid holidays per year
  • Up to 24 weeks of Parental Leave
  • Personal paid Volunteer Day to support our community
  • Opportunities for professional growth and development including access to Udemy online courses
  • Company Funded Perks, including a counseling membership, local retail discounts, and your own personal Smartsheet account
  • Teleworking options from any registered location in the U.S. (role specific)

Related Categories

Related Job Pages

More Security Engineer Jobs

Twilio logo

Staff Engineer – Offensive Security

Twilio

Build the future of communications.

Full TimeRemoteTeam 5,001-10,000H1B Sponsor

• Perform manual and automated testing of web applications, APIs, and mobile apps • Conduct network and cloud level assessments • Triage and validate reports from automated scanners • Perform initial prompt injection and jailbreak tests on AI prototypes • Draft high-quality reports detailing pathways to compromise • Manage and update testing infrastructure • Provide technical guidance to engineering teams • Design and lead multi-week Red Team operations • Build custom payloads and exploit development • Execute attacks against cloud services focusing on security configurations • Collaborate with SIRT and Detection Engineering

California + 5 moreAll locations: California | Connecticut | New Jersey | New York | Pennsylvania | Washington
$155.5K - $194.4K / year
Mastercard logo

Security Engineer (Threat Detection & Response)

Mastercard

Founded in 1966, Mastercard is a worldwide transaction, payment-processing, and consulting company best known for its line of personal and business credit cards. As an employer, Ma

Full TimeRemoteTeam 38,800Since 1966

Our Purpose Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our customers, we're helping build a sustainable economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential. Title and Summary Security Engineer (Threat Detection & Response) Overview The Security Threat & Response Management (STRM) program within Mastercard's Corporate Security organization seeks a Security Engineer II for the Defend Product team to help execute our prevention-focused security control strategy. The ideal candidate will demonstrate initiative, strong analytical abilities, technical expertise in cybersecurity, and a proactive approach to problem-solving. This position is instrumental in defining and advancing the roadmap and strategy for the program's core security tools and defenses. We are seeking a technically skilled professional who actively tracks emerging security trends and threats, applies advanced knowledge of security technologies, and facilitates innovation to enhance resilience throughout our environments. Effective interaction with internal STRM teams and other groups inside and outside of Corporate Security is an essential aspect of this role. Strong documentation and communication skills with the ability to manage complex discussions are also required. Responsibilities• Implement the strategic technical roadmap for the 'Defend' product team as defined by the Defend Product Owner, which covers defensive security controls, platforms, capabilities and configurations across dozens of security tools and including EDR, DLP, Email Security, SIEM, SOAR, XDR, NGFW, UEBA, NDR, and more.• Contribute to and execute on the Defend roadmap by translating security strategy and requirements into well-defined technical initiatives and deliverables.• Act as a technical lead for the Defend feature team, helping prioritize work, sharing expertise with other engineers, and ensuring consistent engineering standards and outcomes.• Collaborate with stakeholders across engineering, endpoint, identity, cloud, and SecOps teams to implement and optimize security controls.• Translate security requirements, risk policies, and threat models into actionable engineering work items and backlog-ready initiatives.• Lead and participate in security capability assessments, providing recommendations to product and program leadership.• Configure, integrate, and optimize security tooling (e.g., EDR/XDR, NGFW, IDS, DLP, Application Control) in alignment with defined objectives and initiatives.• Monitor control effectiveness and participate in continuous tuning of policies and detections to reduce friction while increasing coverage and fidelity.• Ensure implementations align with internal security standards, regulatory requirements, and industry best practices. All About You The ideal candidate for this position should:• Bachelor's degree in computer science, Cybersecurity, Information Technology, Engineering, or a related field. • 2-3 years of hands-on experience in cybersecurity, security operations, incident response, detection engineering, threat hunting, or related security disciplines. • Be a hands-on Security Engineer with experience across multiple security domains and SecOps functions such as Security Operations, Security Engineering, Incident Response, Detection Engineering, Threat Hunting, and Insider Threat in a large, complex enterprise environment. • Have experience working within Agile or hybrid delivery models, contributing to backlog refinement, sprint execution, and cross-team coordination. • Be skilled at translating complex security requirements into clear, implementable technical designs and work items. • Be comfortable working directly with security tooling, including configuring access controls, tuning detections, integrating telemetry, and supporting detection lifecycles. • Demonstrate strong technical communication skills, with the ability to explain designs, trade-offs, and outcomes to both technical and non-technical stakeholders. Additional capabilities that will set you apart:• Experience implementing proactive security controls, working with modern security platforms, and tooling.• Hands-on experience integrating and operationalizing advanced threat intelligence within security tools, controls, and platforms.• Hands on experience with leveraging Agentic AI to modernize security operations.• Strong understanding of modern SecOps concepts such as attack surface reduction, response automation, posture management, zero trust, and cloud-native security.• Familiarity with common regulatory and security frameworks (e.g., NIST, ISO, MITRE ATT&CK, D3FEND, PCI).• Proven ability to collaborate effectively with SOC, IR, Engineering, and platform teams to deliver shared outcomes.• A mindset of continuous improvement, with a passion for optimizing security tooling and processes through engineering excellence.• Hands on experience with configuration and optimization of the Microsoft Security ecosystem of tools including XDR, Sentinel, Security Copilot, and Defender for Endpoint.• Security platform administration with experience in building, configuring, tuning, and optimizing security policies and controls. Corporate Security Responsibility All activities involving access to Mastercard assets, information, and networks comes with an inherent risk to the organization and, therefore, it is expected that every person working for, or on behalf of, Mastercard is responsible for information security and must: - Abide by Mastercard's security policies and practices; - Ensure the confidentiality and integrity of the information being accessed; - Report any suspected information security violation or breach, and - Complete all periodic mandatory security trainings in accordance with Mastercard's guidelines.

Mexico
ORAEX CLOUD CONSULTING logo

Mid-level Cybersecurity Analyst – AppSec

ORAEX CLOUD CONSULTING

Data Management • Cloud • DevOps • Observability

Full TimeRemoteTeam 51-200Since 2012H1B No Sponsor

• Implement and evolve Cybersecurity practices with a focus on DevSecOps, Application Security (AppSec) and security process automation; • Support the integration of security controls into CI/CD pipelines (Jenkins, Azure DevOps and GitLab), contributing to SSDLC adherence and continuous improvement of secure development processes; • Perform security analyses, tests and validations on applications, identifying vulnerabilities and supporting their remediation with development teams; • Develop and maintain automations in Python and/or Shell Script to optimize Cybersecurity activities, including metric collection, report generation and tool integrations; • Support initiatives applying Artificial Intelligence and LLMs in security processes, contributing to analysis, information correlation and automation of operational activities; • Work together with AppSec, CTU, Risk Remediation, Development and Infrastructure teams to implement security improvements and follow up on technical requests; • Analyze vulnerabilities identified by SAST, SCA, DAST and infrastructure scanners, supporting risk prioritization and remediation; • Produce metrics, dashboards and operational and management reports related to Cybersecurity initiatives and processes; • Contribute to area projects and initiatives, participating in the definition and implementation of technical solutions aligned with security best practices.

Brazil
ContractRemoteTeam 51-200

• Collaborate effectively with cross-functional teams to assess, document, and communicate security risks and mitigation strategies. • Perform the scanning procedures required for the comprehensive security assessments in alignment with FedRAMP, BSI IT-Grundschutz, and other international regulatory frameworks • Provide clear, actionable recommendations to improve security posture based on assessment findings, industry best practices, and compliance requirements. • Support the development and continuous refinement of security assessment methodologies and documentation. • Analyze and validate security controls across multiple cloud providers like OpenStack (AWS, Azure and GCP also accepted)

United States