Product GRC SME

Vanta · Enterprise · U.S. · Remote · Security

Vanta is seeking a Product GRC SME to develop and maintain multi-framework GRC solutions. This role acts as a bridge between Product Management, Engineering, Design, Sales, and Customer Success, ensuring solutions align with security, privacy, and risk frameworks. Responsibilities include building and maintaining compliance frameworks, designing crosswalks, elevating content quality, driving GRC product enablement, acting as a product advisor, authoring automated tests, partnering with Product for roadmap, enabling AI-assisted compliance, and synthesizing feedback loops. Requires 5-7+ years in GRC/Information Security with hands-on implementation or assessment across multiple frameworks.

What you'd actually do

  1. Build and maintain compliance frameworks - Lead the creation, enhancement, and lifecycle management of controls, evidence requirements, and implementation guidance for standards such as SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, and regional regulations (e.g., GDPR/CCPA). Author clear control rationales, acceptance criteria, and customer-facing guidance.
  2. Design crosswalks and mappings (framework-agnostic) - Create and steward an internal common-control approach informed by industry catalogs (e.g., SCF, UCF, or similar). Maintain bidirectional crosswalks across industry-leading security and privacy regulatory frameworks. Define canonical control IDs, mapping confidence, and evidence data dictionaries; version crosswalks with changelogs and traceability to the source authority. Partner with Engineering to operationalize mappings in-product (integrations, automated tests, exceptions/exemptions, continuous monitoring workflows).
  3. Elevate content quality and usability - Define standards for control wording, evidence specificity, testing method, and reviewer guidance. Establish content QA processes, audits, and metrics (e.g., adoption, time-to-evidence, completion rates) to continually improve outcomes.
  4. Drive end-to-end GRC product enablement - Build modular content, guidance, and templates for risk management (methodologies, scoring, KRIs), issue & corrective action management (POA&M), policy management (lifecycle, attestations), access reviews (SoD, recertification flows), customer trust / Trust Center artifacts, and third-party risk management (TPRM) (due diligence, monitoring, contract clauses).
  5. Act as a product advisor across discovery & design - Partner with PM/Design to support feature discovery (customer interviews, JTBD, task analysis), review UI/UX for control, evidence, and review workflows, run usability tests, and author PRDs/acceptance criteria grounded in auditor and customer needs.

Skills

Required

  • GRC
  • Information Security
  • SOC 2
  • ISO 27001/27701
  • HIPAA
  • PCI DSS
  • NIST CSF/800-53
  • Product Management
  • Engineering Collaboration
  • Customer Needs Analysis
  • Risk Management
  • Policy Management
  • Access Reviews
  • Third-Party Risk Management (TPRM)
  • Automated Testing
  • Continuous Monitoring

Nice to have

  • Cloud environments
  • SaaS
  • Federal experience (e.g., FedRAMP)
  • Computer Science degree
  • Advanced degree

What the JD emphasized

  • 5-7+ years in GRC and/or Information Security with hands-on implementation or assessment across multiple frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800-53)
  • GRC craft - Deep understanding of controls, risks, testing approaches, evidence standards, and program operations (policies, risk registers, issues/POA&M management, vendor risk, continuous monitoring).
  • Product mindset - Ability to translate requirements into productizable capabilities; comfort with experimentation and data-driven prioritization.