About the Role
We are hiring a Sr. Security Controls & Compliance Engineer to build, implement, and operate the security control foundation across multiple applications in a venture studio environment.This is a hands-on security execution role. We are not looking for someone who only documents gaps, manages a compliance tool, or routes work to engineering. We need someone who can understand enterprise customer security requirements, identify the controls required, implement or configure those controls directly where possible, and verify that they are operating effectively.
This person will help prepare our venture applications for SOC 2 readiness while supporting enterprise customer data, information security, and TPRM requirements. They will work across cloud environments, identity systems, source control, CI/CD workflows, logging, monitoring, compliance tooling, and operational security processes.The goal is to create a repeatable security baseline that each venture application can inherit, operate against, and eventually carry forward as it matures or spins out.
Responsibilities
What Success Looks Like
Required Qualifications
Preferred Qualifications
We are hiring a Sr. Security Controls & Compliance Engineer to build, implement, and operate the security control foundation across multiple applications in a venture studio environment.This is a hands-on security execution role. We are not looking for someone who only documents gaps, manages a compliance tool, or routes work to engineering. We need someone who can understand enterprise customer security requirements, identify the controls required, implement or configure those controls directly where possible, and verify that they are operating effectively.
This person will help prepare our venture applications for SOC 2 readiness while supporting enterprise customer data, information security, and TPRM requirements. They will work across cloud environments, identity systems, source control, CI/CD workflows, logging, monitoring, compliance tooling, and operational security processes.The goal is to create a repeatable security baseline that each venture application can inherit, operate against, and eventually carry forward as it matures or spins out.
Responsibilities
- Build, implement, and operate security and compliance controls across multiple venture applications and supporting systems.
- Translate enterprise customer security, data handling, and TPRM requirements into practical technical controls, operational workflows, evidence requirements, and remediation plans.
- Create a reusable security control baseline that can be applied across current and future venture applications.
- Configure and operate compliance automation platforms such as Vanta, Drata, Secureframe, or similar tools.
- Configure evidence integrations across systems such as cloud platforms, GitHub, identity providers, ticketing systems, device management tools, productivity platforms, and security tooling.
- Implement identity and access controls, including SSO, MFA, role-based access, least-privilege permissions, access review workflows, and offboarding evidence.
- Implement secure SDLC controls, including branch protection, required code reviews, code scanning, dependency scanning, secret scanning, vulnerability management workflows, and release/change management evidence.
- Implement or configure cloud security controls, including IAM policies, encryption settings, logging, monitoring, backup settings, network restrictions, and security alerting.
- Implement operational security workflows, including vendor review, risk review, change management, policy attestation, incident response evidence, exception tracking, and recurring control reviews.
- Maintain a centralized control library mapped to SOC 2 Trust Services Criteria, customer-specific requirements, and relevant frameworks such as ISO 27001, NIST CSF, or CIS Controls.
- Support SOC 2 readiness activities, including control mapping, evidence requirements, gap tracking, audit preparation, and control verification.
- Identify launch-blocking security gaps and close them directly where possible.
- Partner with product engineering only where application-specific code, architecture, or deeper infrastructure changes are required.
- Write clear technical requirements and acceptance criteria for any security work that must be completed by product engineering.
- Review and verify control implementation to ensure controls are actually operating and producing evidence.
- Support customer security questionnaires, audits, evidence requests, and enterprise security reviews with accurate technical detail.
- Track control gaps, remediation status, launch blockers, and compliance risk for leadership.
- Help create a repeatable security implementation playbook that future ventures can inherit as they mature or spin out.
What Success Looks Like
- Enterprise customer requirements are translated into implemented controls, not just documented gaps.
- Each venture application has a working security baseline across identity, cloud, source control, CI/CD, logging, monitoring, evidence, and operational processes.
- SOC 2 readiness is actively tracked with clear control ownership, evidence collection, and operating cadence.
- Compliance tooling is configured and produces useful evidence across the required systems.
- Engineering teams are not overloaded with generic security tasks; they are engaged only when product-specific implementation is required.
- Security launch blockers are identified early, prioritized clearly, and remediated quickly.
- Customer security reviews, audits, and questionnaires are handled with accurate technical detail and supporting evidence.
- Leadership has clear visibility into control maturity, launch risk, audit readiness, and open remediation items.
- The venture studio has a reusable security control baseline that can be applied to new applications and carried forward as ventures mature.
Required Qualifications
- 5+ years of experience in security engineering, cloud security, DevSecOps, security operations, security compliance, GRC, or a related field.
- Hands-on experience implementing security controls in cloud/SaaS application environments.
- Experience supporting SOC 2 readiness, SOC 2 audits, or similar compliance programs.
- Strong understanding of security controls, audit evidence, policy requirements, control testing, and control operation.
- Experience translating customer or enterprise security requirements into practical technical controls.
- Ability to configure and operate security and compliance systems directly, not just document requirements.
- Experience with identity and access controls, including SSO, MFA, RBAC, least privilege, access reviews, and offboarding controls.
- Experience with secure SDLC controls, including source control permissions, code reviews, branch protection, vulnerability management, dependency scanning, secret scanning, and change management evidence.
- Experience with cloud security controls such as IAM, encryption, logging, monitoring, backups, network restrictions, and alerting.
- Experience with compliance automation or GRC tools such as Vanta, Drata, Secureframe, OneTrust, Tugboat Logic, or similar platforms.
- Familiarity with tools such as GitHub, Jira, Linear, Okta, Google Workspace, Slack, AWS, Azure, GCP, or similar systems.
- Strong written communication skills for policies, procedures, audit documentation, technical requirements, and customer-facing security responses.
- Ability to operate in an ambiguous, fast-moving startup or venture environment.
Preferred Qualifications
- Experience supporting enterprise customers with strict security, data handling, or TPRM requirements.
- Experience in venture-backed startups, SaaS companies, enterprise software, or venture studio environments.
- Familiarity with SOC 2 Trust Services Criteria, ISO 27001, NIST CSF, CIS Controls, or similar frameworks.
- Experience implementing security controls across AWS, Azure, GCP, or multi-cloud environments.
- Experience with GitHub security features, CI/CD security controls, vulnerability management tools, and cloud security monitoring tools.
- Experience with identity platforms such as Okta, Google Workspace, Microsoft Entra ID, or similar.
- Experience with logging, monitoring, incident response, vendor risk, evidence automation, and security questionnaire support.
- Relevant certifications such as CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer, AWS Security Specialty, Security+, or similar.