Transforming the moving world, one startup at a time
Sr. Security Controls & Compliance Engineer
Location
United States
Posted
20 hours ago
Salary
0
Seniority
Senior
Job Description
Sr. Security Controls & Compliance Engineer
UP.Labs
Role Description We are hiring a Sr. Security Controls & Compliance Engineer to build, implement, and operate the security control foundation across multiple applications in a venture studio environment. This is a hands-on security execution role. We need someone who can: - Understand enterprise customer security requirements. - Identify the controls required. - Implement or configure those controls directly where possible. - Verify that controls are operating effectively. This person will help prepare our venture applications for SOC 2 readiness while supporting enterprise customer data, information security, and TPRM requirements. They will work across: - Cloud environments - Identity systems - Source control - CI/CD workflows - Logging - Monitoring - Compliance tooling - Operational security processes The goal is to create a repeatable security baseline that each venture application can inherit, operate against, and eventually carry forward as it matures or spins out. Responsibilities - Build, implement, and operate security and compliance controls across multiple venture applications and supporting systems. - Translate enterprise customer security, data handling, and TPRM requirements into practical technical controls, operational workflows, evidence requirements, and remediation plans. - Create a reusable security control baseline that can be applied across current and future venture applications. - Configure and operate compliance automation platforms such as Vanta, Drata, Secureframe, or similar tools. - Configure evidence integrations across systems such as cloud platforms, GitHub, identity providers, ticketing systems, device management tools, productivity platforms, and security tooling. - Implement identity and access controls, including SSO, MFA, role-based access, least-privilege permissions, access review workflows, and offboarding evidence. - Implement secure SDLC controls, including branch protection, required code reviews, code scanning, dependency scanning, secret scanning, vulnerability management workflows, and release/change management evidence. - Implement or configure cloud security controls, including IAM policies, encryption settings, logging, monitoring, backup settings, network restrictions, and security alerting. - Implement operational security workflows, including vendor review, risk review, change management, policy attestation, incident response evidence, exception tracking, and recurring control reviews. - Maintain a centralized control library mapped to SOC 2 Trust Services Criteria, customer-specific requirements, and relevant frameworks such as ISO 27001, NIST CSF, or CIS Controls. - Support SOC 2 readiness activities, including control mapping, evidence requirements, gap tracking, audit preparation, and control verification. - Identify launch-blocking security gaps and close them directly where possible. - Partner with product engineering only where application-specific code, architecture, or deeper infrastructure changes are required. - Write clear technical requirements and acceptance criteria for any security work that must be completed by product engineering. - Review and verify control implementation to ensure controls are actually operating and producing evidence. - Support customer security questionnaires, audits, evidence requests, and enterprise security reviews with accurate technical detail. - Track control gaps, remediation status, launch blockers, and compliance risk for leadership. - Help create a repeatable security implementation playbook that future ventures can inherit as they mature or spin out. What Success Looks Like - Enterprise customer requirements are translated into implemented controls, not just documented gaps. - Each venture application has a working security baseline across identity, cloud, source control, CI/CD, logging, monitoring, evidence, and operational processes. - SOC 2 readiness is actively tracked with clear control ownership, evidence collection, and operating cadence. - Compliance tooling is configured and produces useful evidence across the required systems. - Engineering teams are not overloaded with generic security tasks; they are engaged only when product-specific implementation is required. - Security launch blockers are identified early, prioritized clearly, and remediated quickly. - Customer security reviews, audits, and questionnaires are handled with accurate technical detail and supporting evidence. - Leadership has clear visibility into control maturity, launch risk, audit readiness, and open remediation items. - The venture studio has a reusable security control baseline that can be applied to new applications and carried forward as ventures mature. Qualifications - 5+ years of experience in security engineering, cloud security, DevSecOps, security operations, security compliance, GRC, or a related field. - Hands-on experience implementing security controls in cloud/SaaS application environments. - Experience supporting SOC 2 readiness, SOC 2 audits, or similar compliance programs. - Strong understanding of security controls, audit evidence, policy requirements, control testing, and control operation. - Experience translating customer or enterprise security requirements into practical technical controls. - Ability to configure and operate security and compliance systems directly, not just document requirements. - Experience with identity and access controls, including SSO, MFA, RBAC, least privilege, access reviews, and offboarding controls. - Experience with secure SDLC controls, including source control permissions, code reviews, branch protection, vulnerability management, dependency scanning, secret scanning, and change management evidence. - Experience with cloud security controls such as IAM, encryption, logging, monitoring, backups, network restrictions, and alerting. - Experience with compliance automation or GRC tools such as Vanta, Drata, Secureframe, OneTrust, Tugboat Logic, or similar platforms. - Familiarity with tools such as GitHub, Jira, Linear, Okta, Google Workspace, Slack, AWS, Azure, GCP, or similar systems. - Strong written communication skills for policies, procedures, audit documentation, technical requirements, and customer-facing security responses. - Ability to operate in an ambiguous, fast-moving startup or venture environment. Preferred Qualifications - Experience supporting enterprise customers with strict security, data handling, or TPRM requirements. - Experience in venture-backed startups, SaaS companies, enterprise software, or venture studio environments. - Familiarity with SOC 2 Trust Services Criteria, ISO 27001, NIST CSF, CIS Controls, or similar frameworks. - Experience implementing security controls across AWS, Azure, GCP, or multi-cloud environments. - Experience with GitHub security features, CI/CD security controls, vulnerability management tools, and cloud security monitoring tools. - Experience with identity platforms such as Okta, Google Workspace, Microsoft Entra ID, or similar. - Experience with logging, monitoring, incident response, vendor risk, evidence automation, and security questionnaire support. - Relevant certifications such as CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer, AWS Security Specialty, Security+, or similar.
Related Guides
Related Categories
Related Job Pages
More Security Engineer Jobs
Lead Cyber Security Architect
ESA - Electronic Security AssociationTHE voice of the electronic security and life safety industry.
• Act as a thought leader in cyber security, championing best practices and innovative solutions that enhance the organisation’s security posture. • Monitor and anticipate future security trends, leveraging this knowledge to influence and adapt security strategies, ensuring they remain robust and effective. • Drive the development of security strategies and roadmaps, ensuring a cohesive and forward-thinking approach to all security initiatives. • Develop and implement reference security architectures that align with organisational goals. • Collaborate with cross-functional teams to design and deploy advanced security controls, ensuring compliance with company and industry standards. • Act as a mentor, providing guidance and support to junior cybersecurity professionals in organisation.
Lead Cyber Security Architect
ESA - Electronic Security AssociationTHE voice of the electronic security and life safety industry.
• Act as a thought leader in cyber security, championing best practices and innovative solutions that enhance the organisation’s security posture. • Monitor and anticipate future security trends, leveraging this knowledge to influence and adapt security strategies, ensuring they remain robust and effective. • Drive the development of security strategies and roadmaps, ensuring a cohesive and forward-thinking approach to all security initiatives. • Develop and implement reference security architectures that align with organisational goals. • Collaborate with cross-functional teams to design and deploy advanced security controls, ensuring compliance with company and industry standards. • Act as a mentor, providing guidance and support to junior cybersecurity professionals in organisation.
Lead Cyber Security Architect
ESA - Electronic Security AssociationTHE voice of the electronic security and life safety industry.
• Pełnienie roli eksperta i lidera opinii w obszarze cyberbezpieczeństwa poprzez promowanie najlepszych praktyk oraz innowacyjnych rozwiązań zwiększających poziom bezpieczeństwa organizacji. • Monitorowanie oraz przewidywanie przyszłych trendów w zakresie bezpieczeństwa, a następnie wykorzystywanie tej wiedzy do kształtowania i doskonalenia strategii bezpieczeństwa. • Opracowywanie strategii bezpieczeństwa oraz map drogowych (roadmap), zapewniających spójne i perspektywiczne podejście do wszystkich inicjatyw związanych z bezpieczeństwem. • Tworzenie i wdrażanie referencyjnych architektur bezpieczeństwa zgodnych z celami organizacji. • Współpraca z zespołami międzyfunkcyjnymi w celu projektowania i wdrażania zaawansowanych mechanizmów bezpieczeństwa, zgodnie ze standardami firmowymi i branżowymi. • Pełnienie funkcji mentora, wspieranie oraz rozwijanie mniej doświadczonych specjalistów ds. cyberbezpieczeństwa w organizacji.
Specialist Account Executive, Data Security – Enterprise
ZscalerZscaler helps leading organizations in 180+ countries securely transform their networks and applications for a mobile and cloud-first world. Founded in 2008, th
• Serve as the primary specialist for customers, partners, and internal teams to drive revenue growth across the data security product portfolio • Partner with domain-expert solution engineers to capture customer requirements and craft compelling value propositions that close complex business deals • Own the regional quota and territory achievement by building and implementing account-based strategies to land and expand data security solutions • Collaborate synergistically with primary sales teams and leadership to ensure a unified and effective Zscaler presence in the market • Engage stakeholders across the organization, selling effectively to both C-suite executives and technical practitioners


