Sr. GRC Specialist, Security Risk Management

About the team

As part of the Security organization and within the Governance, Risk and Compliance (GRC) department, the Security Risk team is responsible for security risk management at HashiCorp. The team defines the security risk management process, operationalizes it, manages risk pragmatically, and tracks and reports on security risk across HashiCorp. This includes both internal and third party vendor security risk.

We are looking for an experienced security risk manager who has done risk management at scale in a mature environment to join a new Security Risk team to help mature and operationalize the security risk management program at HashiCorp. This role is an opportunity to have direct and considerable impact on a newer risk management program from the ground up. This role will contribute to HashiCorp primarily by helping define the risk management framework and program, assessing risk, and tracking, reporting and communicating on security risk. This role will also spend some time on vendor security risk management, in particular helping better identify and articulate the security-related vendor risks to our products and services, as well as key business processes and data.

In this role, you will:

• Help define and mature the internal and vendor security risk framework, program and processes
• Help define, standardize, and educate stakeholders on risk taxonomy and nomenclature
• Help define and continually improve risk scoring methodologies
• Perform and facilitate internal and vendor security risk assessments
• Review new risk submissions and facilitate its progress through the risk management process
• Track progress against, follow up and report on risk treatment efforts
• Maintain the security risk register
• Track and report on risks to stakeholders across the company
• Track and report on trends in security risk and threats
• Define, track and report on KRIs
• Help develop the HashiCorp Common Controls Framework
• Help develop and contribute to quarterly and annual planning for the risk program
• Track execution against OKRs and the risk program roadmap
• Assist with other GRC activities as needed, including external security audits and other tasks as required

Must-Have Qualifications

• 6 years of experience in risk management, with at least 3 in security risk management
• Strong understanding of cloud, preferably AWS
• Considerable hands-on experience with one or more risk management framework or standard (e.g., FAIR, ISO 31000 and 27005, RMF, etc)
• Ability to ask the right questions and understand complex technical topics
• Strong understanding of current cyber security threats and TTPs
• Excellent written and verbal communication
• Ability to prioritize and track multiple projects in parallel
• Highly responsive and collaborative
• Flexibility in daily hours (i.e., willingness to work longer hours during end of quarter, peak periods and audits)

Desired Qualifications

• Previous experience at a technology or SaaS company in similar role
• Experience with risk engineering and using data to make risk-informed decisions
• Experience with quantitatively measuring security risks
• Experience with risk management in other industries (e.g., finance, insurance, aerospace, etc)
• Experience with risk management tooling and platforms

#LI-REMOTE