Role Description
We are hiring a Sr. Security Controls & Compliance Engineer to build, implement, and operate the security control foundation across multiple applications in a venture studio environment. This is a hands-on security execution role. We need someone who can:
-
Understand enterprise customer security requirements.
-
Identify the controls required.
-
Implement or configure those controls directly where possible.
-
Verify that controls are operating effectively.
This person will help prepare our venture applications for SOC 2 readiness while supporting enterprise customer data, information security, and TPRM requirements. They will work across:
-
Cloud environments
-
Identity systems
-
Source control
-
CI/CD workflows
-
Logging
-
Monitoring
-
Compliance tooling
-
Operational security processes
The goal is to create a repeatable security baseline that each venture application can inherit, operate against, and eventually carry forward as it matures or spins out.
Responsibilities
-
Build, implement, and operate security and compliance controls across multiple venture applications and supporting systems.
-
Translate enterprise customer security, data handling, and TPRM requirements into practical technical controls, operational workflows, evidence requirements, and remediation plans.
-
Create a reusable security control baseline that can be applied across current and future venture applications.
-
Configure and operate compliance automation platforms such as Vanta, Drata, Secureframe, or similar tools.
-
Configure evidence integrations across systems such as cloud platforms, GitHub, identity providers, ticketing systems, device management tools, productivity platforms, and security tooling.
-
Implement identity and access controls, including SSO, MFA, role-based access, least-privilege permissions, access review workflows, and offboarding evidence.
-
Implement secure SDLC controls, including branch protection, required code reviews, code scanning, dependency scanning, secret scanning, vulnerability management workflows, and release/change management evidence.
-
Implement or configure cloud security controls, including IAM policies, encryption settings, logging, monitoring, backup settings, network restrictions, and security alerting.
-
Implement operational security workflows, including vendor review, risk review, change management, policy attestation, incident response evidence, exception tracking, and recurring control reviews.
-
Maintain a centralized control library mapped to SOC 2 Trust Services Criteria, customer-specific requirements, and relevant frameworks such as ISO 27001, NIST CSF, or CIS Controls.
-
Support SOC 2 readiness activities, including control mapping, evidence requirements, gap tracking, audit preparation, and control verification.
-
Identify launch-blocking security gaps and close them directly where possible.
-
Partner with product engineering only where application-specific code, architecture, or deeper infrastructure changes are required.
-
Write clear technical requirements and acceptance criteria for any security work that must be completed by product engineering.
-
Review and verify control implementation to ensure controls are actually operating and producing evidence.
-
Support customer security questionnaires, audits, evidence requests, and enterprise security reviews with accurate technical detail.
-
Track control gaps, remediation status, launch blockers, and compliance risk for leadership.
-
Help create a repeatable security implementation playbook that future ventures can inherit as they mature or spin out.
What Success Looks Like
-
Enterprise customer requirements are translated into implemented controls, not just documented gaps.
-
Each venture application has a working security baseline across identity, cloud, source control, CI/CD, logging, monitoring, evidence, and operational processes.
-
SOC 2 readiness is actively tracked with clear control ownership, evidence collection, and operating cadence.
-
Compliance tooling is configured and produces useful evidence across the required systems.
-
Engineering teams are not overloaded with generic security tasks; they are engaged only when product-specific implementation is required.
-
Security launch blockers are identified early, prioritized clearly, and remediated quickly.
-
Customer security reviews, audits, and questionnaires are handled with accurate technical detail and supporting evidence.
-
Leadership has clear visibility into control maturity, launch risk, audit readiness, and open remediation items.
-
The venture studio has a reusable security control baseline that can be applied to new applications and carried forward as ventures mature.
Qualifications
-
5+ years of experience in security engineering, cloud security, DevSecOps, security operations, security compliance, GRC, or a related field.
-
Hands-on experience implementing security controls in cloud/SaaS application environments.
-
Experience supporting SOC 2 readiness, SOC 2 audits, or similar compliance programs.
-
Strong understanding of security controls, audit evidence, policy requirements, control testing, and control operation.
-
Experience translating customer or enterprise security requirements into practical technical controls.
-
Ability to configure and operate security and compliance systems directly, not just document requirements.
-
Experience with identity and access controls, including SSO, MFA, RBAC, least privilege, access reviews, and offboarding controls.
-
Experience with secure SDLC controls, including source control permissions, code reviews, branch protection, vulnerability management, dependency scanning, secret scanning, and change management evidence.
-
Experience with cloud security controls such as IAM, encryption, logging, monitoring, backups, network restrictions, and alerting.
-
Experience with compliance automation or GRC tools such as Vanta, Drata, Secureframe, OneTrust, Tugboat Logic, or similar platforms.
-
Familiarity with tools such as GitHub, Jira, Linear, Okta, Google Workspace, Slack, AWS, Azure, GCP, or similar systems.
-
Strong written communication skills for policies, procedures, audit documentation, technical requirements, and customer-facing security responses.
-
Ability to operate in an ambiguous, fast-moving startup or venture environment.
Preferred Qualifications
-
Experience supporting enterprise customers with strict security, data handling, or TPRM requirements.
-
Experience in venture-backed startups, SaaS companies, enterprise software, or venture studio environments.
-
Familiarity with SOC 2 Trust Services Criteria, ISO 27001, NIST CSF, CIS Controls, or similar frameworks.
-
Experience implementing security controls across AWS, Azure, GCP, or multi-cloud environments.
-
Experience with GitHub security features, CI/CD security controls, vulnerability management tools, and cloud security monitoring tools.
-
Experience with identity platforms such as Okta, Google Workspace, Microsoft Entra ID, or similar.
-
Experience with logging, monitoring, incident response, vendor risk, evidence automation, and security questionnaire support.
-
Relevant certifications such as CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer, AWS Security Specialty, Security+, or similar.