InfoSec GRC Manager

Make your impact within a rapidly growing Fintech Company

The Governance, Risk and Compliance (GRC) team at BILL facilitates information security risk management, enables risk-based decision-making in alignment with business goals, and drives compliance with standards, policies and applicable regulations globally. We are looking for a talented, enthusiastic, and authentic InfoSec GRC Manager to join our team. This position offers an outstanding opportunity to create a variety of cross-functional partnerships. Reporting to the Director of GRC Customer Audit and Assurance, the InfoSec GRC manager serves as the focal point for overseeing the enterprise-wide security compliance program, responsible for implementing, maintaining, and improving security controls to ensure compliance with company policies, applicable regulatory and legal requirements, as well as best practices. This role also oversees customer and partner security assessments and assurance, building strong bonds of trust with our customers and business partners enabling business growth. Being successful in this role requires the desire and ability to influence, uplift, collaborate, and empower individuals that also includes a strong technical background.

In this role you will:

• Lead cross-functionally to maintain annual compliance certification such as SOC1 and SOC2 Type II, and/or other new certifications that exhibit assurance internally and externally
• Project manage external security audit, assessment, and/or due diligence requests from regulators, business partners and customers, demonstrating compliance with applicable laws and regulations as well as contractual obligations
• Implement processes to continuously monitor information security control, and validate effectiveness of the controls in the face of changing business strategies, technologies, and threats
• Lead planning, scope developments, and project execution for technical compliance related self-assessments, including design and operating effectiveness testing and ensure results are appropriately documented and communicated
• Drive remediation of process and control deficiencies and improvements identified internally and externally
• Educate process/control owners to better understand the security controls framework and their responsibilities, advising them on the preparation and on-going maintenance of controls and control documentation 
• Provide guidance for various technology projects, including the evaluation and recommendation of technical controls
• Enable self-service consumption of BILL security information, compliance credentials and collateral to effectively support our Sales team and customers while reducing friction in partners and customers across all GRC domain
• Proactively identify opportunities for control automation
• Establish center of excellence by centralizing and maintaining currency of program documentation, SOP, control database, control ownership, narratives and evidence artifacts 
• Effectively report program execution status, compliance status, key accomplishments and risks to senior management both within Security and to our business partners
• Support the GRC team in establishing OKRs, defining audit & compliance strategies, objectives, metrics, and reporting mechanisms
• Stay abreast of the latest developments, threats, and trends in cybersecurity

We’d love to chat if you have:

• Combined 8+ years of experience in Technology risk and compliance roles. Preferably at a technology or SaaS / Cloud and / or as an auditor at Big 4 firm
• Deep understanding of and experience achieving/maintaining compliance with risk management methodologies, frameworks, and principles (e.g. SOX, COBIT, NIST, CSA, ITIL, PCI, GDPR, PCI-DSS, ISO 27001, NIST CSF, NIST 800-53)
• Strong ability to analyze complex data, interpret compliance requirements, develop effective solutions, and achieve agreement
• Strong oral and written communication skills along with refined presentation skills and the ability to communicate with customer, technical and management personnel at multiple levels
• Ability to build relationships with and influence cross-functional stakeholders, both internally and externally
• Proficiency in planning, executing, and monitoring multiple projects simultaneously to ensure they are completed on time and within budget
• Action-oriented with the ability to multi-task and work in agile, changing and fast growing environments
• You prefer working in a collaborative environment. You embrace the team player concept with willingness to share knowledge, to jump in and help colleagues, to ask for help when you need it
• Bachelor's Degree in Business, Security, Computer Science, Data, or Risk
• CISSP, CRISC, CISA, CIPP, CRMA, PMP or similar license/certification
• A commitment to keeping up to date with the latest developments in the GRC field, including evolving laws and regulations, emerging risks, and best practices in GRC management