Remote, United States
Req ID: JR103197

Sr. GRC Specialist, Security Risk Management

About the team

As part of the Security organization and within the Governance, Risk and Compliance (GRC) department, the Security Risk team is responsible for security risk management at HashiCorp. The team defines the security risk management process, operationalizes it, manages risk pragmatically, and tracks and reports on security risk across HashiCorp. This includes both internal and third party vendor security risk.

We are looking for an experienced security risk manager who has done risk management at scale in a mature environment to join a new Security Risk team to help mature and operationalize the security risk management program at HashiCorp. This role is an opportunity to have direct and considerable impact on a newer risk management program from the ground up. This role will contribute to HashiCorp primarily by helping define the risk management framework and program, assessing risk, and tracking, reporting and communicating on security risk. This role will also spend some time on vendor security risk management, in particular helping better identify and articulate the security-related vendor risks to our products and services, as well as key business processes and data.

In this role, you will:

  • Help define and mature the internal and vendor security risk framework, program and processes
  • Help define, standardize, and educate stakeholders on risk taxonomy and nomenclature
  • Help define and continually improve risk scoring methodologies
  • Perform and facilitate internal and vendor security risk assessments
  • Review new risk submissions and facilitate their progress through the risk management process
  • Track progress against, follow up and report on risk treatment efforts
  • Maintain the security risk register
  • Track and report on risks to stakeholders across the company
  • Track and report on trends in security risk and threats
  • Define, track and report on KRIs
  • Help develop the HashiCorp Common Controls Framework
  • Help develop and contribute to quarterly and annual planning for the risk program
  • Track execution against OKRs and the risk program roadmap
  • Assist with other GRC activities as needed, including external security audits and other tasks as required

Must-Have Qualifications

  • 6+ years of experience in risk management, with at least 3 in security risk management
  • Strong understanding of cloud, preferably AWS
  • Considerable hands-on experience with one or more risk management frameworks or standards (e.g., FAIR, ISO 31000 and 27005, RMF, etc.)
  • Ability to ask the right questions and understand complex technical topics
  • Strong understanding of current cyber security threats and TTPs
  • Excellent written and verbal communication
  • Ability to prioritize and track multiple projects in parallel
  • Highly responsive and collaborative
  • Flexibility in daily hours (i.e., willingness to work longer hours during end of quarter, peak periods and audits)

Desired Qualifications

  • Previous experience at a technology or SaaS company in a similar role
  • Experience with risk engineering and using data to make risk-informed decisions
  • Experience with quantitatively measuring security risks
  • Experience with risk management in other industries (e.g., finance, insurance, aerospace, etc.)
  • Experience with risk management tooling and platforms

The base pay range for this role in the SF Bay Area / NYC area is:
$182,800 - $215,000 USD
The base pay range for this role in Seattle Metro, Denver / Boulder Metro, New York (excluding NYC), Washington D.C., or California (excluding SF Bay Area) is:
$167,500 - $197,100 USD
The base pay range for this role in Colorado (excluding Denver / Boulder Metro) and Washington (excluding Seattle Metro) is:
$152,300 - $179,200 USD

Life at HashiCorp

HashiCorp is driven by our people and our principles which have been the foundation of everything we do since the company was founded in 2012. Join us on our journey as we work to support the world's most innovative companies as they transition to cloud and multi-cloud infrastructure through simple yet powerful workflows and automation.

About HashiCorp

At HashiCorp, we build the infrastructure that enables innovation. Our suite of multi-cloud infrastructure automation products is the underpinning of the largest enterprises in the world, who rely on our solutions to provision, secure, connect, and run their critical applications to deliver crucial services, communications tools, and entertainment platforms to the world. We're building a once-in-a-generation infrastructure company with a unique approach: rather than focusing on specific technologies, we build products and solutions that support real-world workflows spanning the multiple cloud environments that nearly every organization worldwide is using today.

HashiCorp is proud to be an Equal Employment Opportunity employer. We are committed to providing equal employment opportunities to qualified applicants and do not discriminate on the basis of race, color, ancestry, religion, sex, pregnancy, gender, gender identity, gender expression, sexual orientation, national origin, age, marital status, genetic information, disability, protected veteran status or any other characteristic protected by federal, state, or local laws. We also consider qualified applicants with arrest and conviction records consistent with the San Francisco Fair Chance Ordinance, the Los Angeles Fair Chance Ordinance, and other applicable state or local laws.

HashiCorp is committed to providing reasonable accommodations to qualified individuals with disabilities in our job application procedures. If you need assistance or an accommodation due to a disability, please reach out to benefits@hashicorp.com.

We comply with all laws and regulations set forth in the following posters:

Know Your Rights: Workplace Discrimination is Illegal

EEO is the Law Supplement

Pay Transparency Non-Discrimination

Benefits at HashiCorp

Note: some benefits may differ from one country to another.