Company Overview Docusign brings agreements to life. Over 1.5 million customers and more than a billion people in over 180 countries use Docusign solutions to accelerate the process of doing business and simplify people’s lives. With intelligent agreement management, Docusign unleashes business-critical data that is trapped inside of documents. Until now, these were disconnected from business systems of record, costing businesses time, money, and opportunity. Using Docusign’s Intelligent Agreement Management platform, companies can create, commit, and manage agreements with solutions created by the #1 company in e-signature and contract lifecycle management (CLM). What you'll do As the most trusted brand in our industry, Docusign recognizes the profound importance of maintaining and enhancing customer trust in our products. Docusign's security program is vital to that trust, and this role is a critical leadership position driving our success. The Senior Director, Security Governance, Risk, and Compliance (GRC) will be a technically proficient, business savvy leader who manages all aspects of the GRC program and multiple facets of product and enterprise security. Security GRC will embed within Product, Technology, Digital Technology, and Sales teams to proactively identify and reduce security risks - transforming legacy GRC practices into a more contemporary, productized capability and replacing document-centric compliance with scalable security controls built directly into engineering and business workflows. The Senior Director, GRC will tailor and implement Docusign's security controls framework to protect the platform, company, and customers through a risk-based approach to security. They will enhance engineering and development capabilities within the GRC team; implement contemporary, cost-effective tools and practices to automate historically manual activities; and leverage AI and ML where appropriate to optimize efficiencies while delivering at scale and with speed while managing emerging risk and supporting product and business innovation. This position will leverage leading security frameworks like NIST, ISO, and BSIMM as foundations for the overall security program while driving continuous improvement. The role will ensure that security governance mechanisms and documentation are implemented and effective. The Senior Director will also be responsible for driving revenue growth through direct support to Sales teams, managing customer security assurance, ensuring audit readiness in preparation for certification and global regulatory and customer requirements. Ultimately, the Senior Director will be responsible for managing GRC product innovation, development, engineering, and delivery. The role will deepen security within the platform and across the enterprise, while enhancing customer trust. They will be charged with optimizing the GRC user experience - serving as the product owner for the security controls framework and security risk mitigation; ensuring policies, standards, procedures, and controls are designed for adoption, automated by default, and measured through real-time data; and driving revenue growth through GRC support to the business. This position is a people manager role reporting to the Group Vice President, Chief Information Security Officer. Responsibility Lead and manage the global GRC team and program, including core components: GRC engineering, governance, risk, compliance, and customer security assurance Manage a high-performing, product-driven team focused on measurable outcomes and continuous improvement. Implement tailored program goals, objectives, milestones, key results, and key performance indicators to drive consistent progress and outcomes Define and drive a multi-year product vision and roadmap for security governance, risk, and compliance (including GRC engineering and development) focused on adoption and measurable risk reduction Establish the architectural blueprint that transforms GRC into a scalable product platform and service Set vision, strategy, and leadership for how governance, risk, and compliance are engineered and automated across the company, translating requirements into a technology-driven automation strategy Manage architecting of scalable platforms for GRC automation and evidence production, while growing the team's technical skills sets and ensuring engineering and development best practices Manage delivery and prioritization while ensuring timely delivery of GRC product, engineering, and risk reduction capabilities Maintain expertise in components and capabilities of the product ecosystem as well as company infrastructure, environments, data, and security controls Maintain expertise in security threats, trends, technologies, and industry best practices (existing and emerging) Serve as a trusted leader/advisor to the CISO, other executives, and teams – translating technical risk into business impact, providing clear updates, trade-offs, and advice Manage collaboration and effective relationships with cross-functional teams to ensure frictionless security and paved path approaches with leadership across the business Manage the GRC budget and resourcing Ensure security practices and controls meet internal security policy and standards, industry frameworks, and regulatory and customer requirements Implement contemporary tooling and automation to optimize insights, efficiency, and efficacy while enhancing technical security rigor Contribute to technical requirements, architectural design and modification documents, and educational resources Serve as a senior escalation point for complex or high risk security issues; drive architectural, process, and implementation improvements from lessons learned Implement the GRC strategy for using AI across GRC teams and responsibilities; maintain a high level of individual proficiency in using AI to perform daily and longer term tasks Manage and continuously improve the company-wide Docusign security controls framework, ensuring controls are appropriately tailored and effective across all domains Manage compliance requirements relevant to modern software development, enterprise security, and trust and safety protections against platform abuse Serve as Security's primary liaison between technical teams and regulatory/audit bodies Work closely with third-parties on assessments, audits, attestations, and in shaping security programs, roadmaps, and deliverables Job Designation Hybrid: Employee divides their time between in-office and remote work. Access to an office location is required. (Frequency: Minimum 2 days per week; may vary by team but will be weekly in-office expectation) Positions at Docusign are assigned a job designation of either In Office, Hybrid or Remote and are specific to the role/job. Preferred job designations are not guaranteed when changing positions within Docusign. Docusign reserves the right to change a position's job designation depending on business needs and as permitted by local law. What you bring Basic 15+ years' working experience in Security GRC, Product Security, Application Security, Engineering, Trust and Safety or closely related security and engineering disciplines, with 8+ years in technical leadership roles Bachelor's degree in computer science, data science, artificial intelligence, machine learning, cybersecurity, risk management, or a related technical field Experience designing and leading security programs, including but not limited to security risk management, governance (especially under NIST, ISO, and FedRAMP frameworks), compliance, engineering/secure development, customer security assurance, product security, enterprise security, and trust and safety Experience with NIST CSF, NIST SDF, NIST AI RMF, ISO 27001, SOC, BSIMM, IL5, FedRAMP High, and other, more narrowly tailored or geographically focused security frameworks Experience driving automation strategies, predictive analytics, and data-driven insights Experience in implementing or improving security tools where they previously did not exist, did not perform to expectations, and/or better options emerged (e.g., workflow tools, case management systems, agents developed and trained to meet mission) Experience designing and embedding security controls across the business, plus validating efficacy Experience defining security KPIs, metrics pipelines, and executive reporting frameworks Experience with cross-functional collaboration and stakeholder engagement across technical and business relationships, especially with Product, Technology, Digital Technology, Sales, Security, and executive teams Preferred Master's degree or higher Deeply technical with strong strategic vision, tactical acumen, excellence in execution Forward looking and acting with the ability to understand and address current and future threats and business requirements exceedingly well and manage products and their team to suit Growth and product mindset; oriented to action and delivery; professional teammate Excellent leadership, communications, and presentation skills Certifications: CISSP, CCISO, CISM, CRISC, CGRC, CCSP, CSSLP, GSLC, GSEC, or equivalent Substantial experience in implementing best practices and compliance obligations for AI product security and AI enterprise security Demonstrated experience with modern security frameworks applied to cloud-native environments and SaaS products Experience embedding GRC requirements into CI/CD pipelines (shift-left security) Extensive technical knowledge, including network infrastructure, automated workflows, secure coding practices, cryptography basics, threat modeling, and data systems architecture Strong experience with project management that includes a track record of success Wage Transparency Pay for this position is based on a number of factors including geographic location and may vary depending on job-related knowledge, skills, and experience. Based on applicable legislation, the below details pay ranges in the following locations: California: $244,000.00 - $390,575.00 base salary Washington, Maryland, New Jersey and New York (including NYC metro area): $228,400.00 - $344,575.00 base salary This role is also eligible for the following: Bonus: Sales personnel are eligible for variable incentive pay dependent on their achievement of pre-established sales goals. Non-Sales roles are eligible for a company bonus plan, which is calculated as a percentage of eligible wages and dependent on company performance. Stock: This role is eligible to receive Restricted Stock Units (RSUs). Global benefits provide options for the following: Paid Time Off: earned time off, as well as paid company holidays based on region Paid Parental Leave: take up to six months off with your child after birth, adoption or foster care placement Full Health Benefits Plans: options for 100% employer paid and minimum employee contribution health plans from day one of employment Retirement Plans: select retirement and pension programs with potential for employer contributions Learning and Development: options for coaching, online courses and education reimbursements Compassionate Care Leave: paid time off following the loss of a loved one and other life-changing events Life at Docusign Working here Docusign is committed to building trust and making the world more agreeable for our employees, customers and the communities in which we live and work. You can count on us to listen, be honest, and try our best to do what’s right, every day. At Docusign, everything is equal. We each have a responsibility to ensure every team member has an equal opportunity to succeed, to be heard, to exchange ideas openly, to build lasting relationships, and to do the work of their life. Best of all, you will be able to feel deep pride in the work you do, because your contribution helps us make the world better than we found it. And for that, you’ll be loved by us, our customers, and the world in which we live. Accommodation Docusign is committed to providing reasonable accommodations for qualified individuals with disabilities in our job application procedures. If you need such an accommodation, or a religious accommodation, during the application process, please contact us at accommodations@docusign.com. If you experience any issues, concerns, or technical difficulties during the application process please get in touch with our Talent organization at taops@docusign.com for assistance. Applicant and Candidate Privacy Notice States Not Eligible for Employment This position is not eligible for employment in the following states: Alaska, Hawaii, Maine, Mississippi, North Dakota, South Dakota, Vermont, West Virginia and Wyoming. Equal Opportunity Employer It's important to us that we build a talented team that is as diverse as our customers and where all employees feel a deep sense of belonging and thrive. We encourage great talent who bring a range of perspectives to apply for our open positions. Docusign is an Equal Opportunity Employer and makes hiring decisions based on experience, skill, aptitude and a can-do approach. We will not discriminate based on race, ethnicity, color, age, sex, religion, national origin, ancestry, pregnancy, sexual orientation, gender identity, gender expression, genetic information, physical or mental disability, registered domestic partner status, caregiver status, marital status, veteran or military status, or any other legally protected category. EEO Know Your Rights poster #LI-Hybrid
Sr. Director, Security Governance, Risk and Compliance
DocuSign · Enterprise · San Francisco, CA +2 · Security
This role leads the Security Governance, Risk, and Compliance (GRC) program, focusing on embedding security into product and enterprise workflows. It involves managing a global GRC team, defining a product vision for GRC, automating manual activities, and leveraging AI/ML for efficiency. The role ensures compliance with security frameworks, regulatory requirements, and customer needs, while also supporting sales and driving revenue growth through GRC product innovation and delivery.
What you'd actually do
- Lead and manage the global GRC team and program, including core components: GRC engineering, governance, risk, compliance, and customer security assurance
- Define and drive a multi-year product vision and roadmap for security governance, risk, and compliance (including GRC engineering and development) focused on adoption and measurable risk reduction
- Manage architecting of scalable platforms for GRC automation and evidence production, while growing the team's technical skills sets and ensuring engineering and development best practices
- Implement the GRC strategy for using AI across GRC teams and responsibilities; maintain a high level of individual proficiency in using AI to perform daily and longer term tasks
- Manage collaboration and effective relationships with cross-functional teams to ensure frictionless security and paved path approaches with leadership across the business
Skills
Required
- Security Governance, Risk, and Compliance (GRC) program management
- Product and enterprise security leadership
- Risk-based security approach
- Security controls framework implementation
- AI and ML application in GRC
- Automation of manual GRC activities
- Security frameworks (NIST, ISO, BSIMM)
- Customer security assurance
- Audit readiness and certification management
- Global regulatory and customer requirements
- GRC product innovation, development, and delivery
- GRC user experience optimization
- Policy, standards, and procedure design
- Real-time data measurement of controls
- Sales support for GRC
- Team leadership and management
- Cross-functional collaboration
- Budget and resource management
- Technical security rigor
- AI proficiency for daily tasks
Nice to have
- Experience in regulated environments (e.g., fintech, healthcare, government)
- Experience with specific AI/ML tools or platforms for GRC
What the JD emphasized
- technically proficient
- productized capability
- scalable security controls
- risk-based approach
- contemporary, cost-effective tools and practices to automate historically manual activities
- AI and ML where appropriate to optimize efficiencies
- delivering at scale and with speed
- product owner for the security controls framework and security risk mitigation
- policies, standards, procedures, and controls are designed for adoption, automated by default, and measured through real-time data
- driving revenue growth through GRC support to the business
- product innovation, development, engineering, and delivery
- deepen security within the platform and across the enterprise
- enhancing customer trust
- optimizing the GRC user experience
- measurable outcomes and continuous improvement
- architectural blueprint that transforms GRC into a scalable product platform and service
- technology-driven automation strategy
- timely delivery of GRC product, engineering, and risk reduction capabilities
- security threats, trends, technologies, and industry best practices (existing and emerging)
- translating technical risk into business impact
- frictionless security and paved path approaches
- contemporary tooling and automation to optimize insights, efficiency, and efficacy
- enhancing technical security rigor
- technical requirements, architectural design and modification documents
- senior escalation point for complex or high risk security issues
- architectural, process, and implementation improvements from lessons learned
- high level of individual proficiency in using AI to perform daily and longer term tasks
- continuously improve the company-wide Docusign security program