Director, Grc & Privacy Security

Polymarket Polymarket · Fintech · New York, NY · IT

Polymarket is seeking a Director of GRC & Privacy to build and lead its governance, risk, and compliance function within the security organization. This senior role reports to the CISO, involves managing a team of three, and requires expertise in regulatory requirements, risk management, and executive communication. The responsibilities include establishing the enterprise security risk management program, security control framework, policy development, leading governance forums, managing SOC 2 Type II and PCI-DSS compliance, continuous audit readiness, third-party risk management, and overseeing the data privacy program.

What you'd actually do

  1. Build and own the enterprise security risk management program — risk register, risk appetite framework, risk scoring methodology, and regular reporting to the CISO and executive leadership
  2. Establish and maintain the security control framework, mapping controls to applicable standards (SOC 2 TSCs, PCI-DSS, CIS Controls) across all entities and subsidiaries
  3. Drive security policy development and lifecycle management — authoring, reviewing, approving, and enforcing policies across the organization
  4. Lead the company's security committee and governance forums, ensuring risk decisions are documented, escalated appropriately, and tracked to resolution
  5. Own the end-to-end compliance program for SOC 2 Type II and PCI-DSS — scoping, control design, evidence collection, auditor management, and remediation tracking

Skills

Required

  • 8+ years of experience in GRC, information security compliance, or a related field
  • 3+ years in a management or program leadership role
  • Deep, hands-on experience with SOC 2 Type II
  • Strong working knowledge of PCI-DSS v4.0
  • Demonstrated experience managing compliance across multiple legal entities or subsidiaries
  • Experience building or significantly maturing a GRC program
  • Working knowledge of GDPR and CCPA
  • Ability to communicate risk and compliance requirements clearly to technical teams, business stakeholders, and executive leadership
  • Experience managing external auditor relationships

Nice to have

  • Experience in fintech, payments, cryptocurrency, or financial services
  • Familiarity with money transmitter licensing or FinCEN obligations
  • Professional certifications: CISM, CRISC, CISSP, CIPP/E, CIPP/US, or equivalent
  • Exposure to ISO 27001, CIS, or NIST CSF
  • Experience with GRC platforms (Vanta, Drata, Tugboat Logic, ServiceNow GRC, or equivalent)
  • Familiarity with AWS cloud environments
  • Prior experience standing up a GRC function in a high-growth, previously unstructured environment

What the JD emphasized

  • build and lead the governance, risk, and compliance function
  • establish the GRC program from scratch
  • Deep, hands-on experience with SOC 2 Type II — you have managed or led multiple audit cycles and understand the TSCs, evidence requirements, and auditor dynamics from the inside
  • Strong working knowledge of PCI-DSS v4.0 and experience implementing or managing PCI compliance programs
  • Experience building or significantly maturing a GRC program — not just maintaining one someone else built