Head of GRC (Governance, Risk, & Compliance)
About Blitzy
Blitzy is a Cambridge, MA based AI software development platform on a mission to revolutionize the software development life cycle by autonomously building custom software to unlock the next industrial revolution. We're transforming how enterprises build software, turning enterprise requirements into production-ready code with an agentic software development platform that can autonomously execute 80% of the quantum of software development work. We're backed by multiple tier 1 investors, and have proven success as founders of previous start-ups.
Location: 1 Kendall Square, Cambridge, MA (On-site)
Compensation: $220,000 - $260,000 plus bonus and equity, commensurate with experience
The Role
Security and compliance at Blitzy currently run on a patchwork: a Security Delegate managing our frameworks with help from an external compliance vendor, backend engineers pulled off their real jobs to answer security questions, and audit evidence assembled after the fact instead of built in from the start.
We're hiring one person to fix that. As Head of GRC, you'll own a compliance program that's audit-ready by design, not by scramble.
To be clear about scope, this role is not:
A paperwork-only compliance role with no rigor.
A job where you escalate every auditor question to engineering or to the Security Delegate.
A way to move our current reactive compliance model in-house unchanged — the point is to make it proactive.
What Success Looks Like
You spot the gap — like SSO being “available” but not “enforced” — before an auditor finds it, not after.
You've personally run a SOC 2 Type II or ISO 27001:2022 cycle and know exactly what auditors sample.
You own Vanta (or an equivalent GRC platform) as the single source of truth, not a reference tool.
You manage auditors and compliance partners directly, without needing anyone to run interference for you.
Engineers stop getting pulled into compliance busywork because you've taken security scope questions and screenshot requests off their plate.
You write clearly — policies, audit narratives, and questionnaire responses that hold up under scrutiny.
Areas of Ownership
Proactive Compliance & GRC Ownership
Own Vanta (or equivalent) as the system of record — configuring tests and keeping evidence current, not just checking a dashboard.
Run SOC 2 Type II and ISO 27001:2022 compliance building continuously toward what auditors actually sample, rather than scrambling before the audit window opens.
Manage auditor and partner relationships directly, including firms like Insight Assurance and FedRAMP platform partners such as Second Front Systems/Game Warden — without routing every conversation through the Security Delegate.
Build the compliance processes that don't exist yet, starting with a formal sub-processor change communication process, which is already coming up as a contractual requirement in enterprise deals.
Evaluate evidence critically rather than take it at face value, confirming, for example, that SSO is enforced via admin panel configuration — not just available in a settings screen.
Required Experience
Personal, hands-on ownership of at least one full SOC 2 Type II or ISO 27001:2022 audit cycle — not just adjacent to one.
Direct experience running a GRC/compliance platform (Vanta or equivalent) as the system-of-record owner.
A track record of managing vendor and auditor relationships independently, without hand-holding.
The seniority and judgment to reduce engineering interrupt load, not add to it — engineers should be comfortable handing things off to you, not double-checking your work.
What Makes You Stand Out
FedRAMP exposure, even at Moderate — we're targeting FedRAMP High.
A track record of building a compliance process from scratch, not just running an existing playbook.
Experience managing multiple frameworks concurrently — SOC 2, ISO 27001, and GDPR at the same time.
Familiarity with Google Workspace as an identity provider.
GDPR/data privacy program experience — cookie consent, Article 27 representative coordination, DPA review.
What Makes This Role Different
You'll have direct ownership of a function that's currently split across engineering, a Security Delegate, and an external vendor — with full autonomy to build it right from day one. That includes a seat at the table on FedRAMP, one of the most demanding compliance programs a company can pursue.
Our interview process reflects the role itself: an audit walkthrough round where you'll talk through a real SOC 2 or ISO 27001 cycle you've run and how you handled your findings.
Our Culture
Who we are:
Led by two pioneering co-founders we are one of the fastest growing companies in the U.S., creating our own category of enterprise autonomous software development. We automate thousands of hours of software development for our customers, which includes strong representation within the Fortune 500.
How we work:
We move Blitzy Fast: Time is both our company's and our clients' most precious asset. We move quickly and decisively to innovate internally and deliver exceptional software externally.
Championship Mindset: We operate like a professional sports team. We win as a team by holding ourselves and each other to high standards, collaborating in-person, and remaining focused on the mission.
Passion for Invention: We're pushing the frontier of what's possible, requiring constant innovation and iteration.
We Work for the Customer: We focus on delivering outsized value to the customers we work with and expanding those relationships into deep, meaningful partnerships.
We believe in being 'everyday athletes'—taking care of ourselves so we can bring our best minds to work. We promote great sleep, movement, and restorative activities for optimal mental performance. It makes for a happier and more productive team.
Blitzy is an equal opportunity employer committed to building a diverse and inclusive team. We believe different perspectives make us stronger.