Principal Security Engineer – GRC Team Lead (Remote Eligible)
SmartsheetYou'll be redirected to the original listing.
Description
For over 20 years, Smartsheet has empowered teams to manage work seamlessly and scale solutions smarter. Now, in our most ambitious chapter yet, we are uniting human teams with AI agents. By orchestrating the work agents do best, automating manual tasks and uncovering insights at scale, we create the space for people to focus on what truly matters: judgment, creativity, and big thinking. That is magic at work, and it’s what we show up for every day.
Smartsheet’s GRC function is at an inflection point. As we scale our compliance programs across multiple frameworks (SOC 2, ISO 27001, FedRAMP, HIPAA, and emerging regulations), the manual work is becoming unsustainable. We need a technical GRC leader—someone who understands both compliance deeply and how to engineer solutions. As GRC Team Lead, you’ll architect the technical foundation for how Smartsheet manages risk and compliance at scale. You’ll design policy-as-code systems, build custom control frameworks aligned with our unique architecture, manage full audit cycles, and lead process improvements that make our GRC function a scalable engine. This is a principal-level role combining compliance expertise with technical execution. You’ll be responsible for the strategy and delivery of GRC automation, evidence collection systems, audit readiness, risk management workflows, and technical control implementation. You’ll work across security, engineering, and product teams to embed compliance into operations and reporting. This is an excellent opportunity to define how a world-class SaaS company approaches GRC in 2026 and beyond.
What You Will Do
- Own the end-to-end GRC strategy and roadmap: Lead the planning and prioritization of GRC initiatives that drive compliance maturity, reduce audit risk, and improve operational efficiency.
- Design and implement policy-as-code systems: Translate compliance frameworks (SOC 2, ISO 27001, FedRAMP, HIPAA) into enforceable code, leveraging Infrastructure-as-Code (Terraform, CloudFormation) and automated compliance validation.
- Build custom control frameworks: Design Smartsheet-specific Unified Control Frameworks (UCF) and Secure Control Frameworks (SCF) that map to our cloud architecture, multi-framework requirements, and organizational risk appetite.
- Lead full audit cycles: Manage preparation, execution, and resolution for SOC 2 Type II, ISO 27001, FedRAMP, and other certification audits. Own evidence gathering, audit readiness tracking, and post-audit remediation.
- Architect GRC platform strategy: Evaluate, select, configure, and integrate GRC tooling (Vanta, Drata, or similar) with our cloud infrastructure, identity systems, ticketing systems, and CI/CD pipelines to enable continuous compliance monitoring.
- Design automated evidence collection and validation: Build data pipelines and integrations that automatically collect compliance evidence from AWS, application logs, identity systems, and operational tools; validate accuracy and reduce manual verification.
- Translate compliance requirements into technical implementations: Work with engineering and security teams to express policies and regulatory requirements in a way they can execute and monitor—breaking down silos between compliance and technical teams.
- Establish risk management and governance processes: Design and operate risk registers, control effectiveness assessments, continuous monitoring workflows, and escalation processes that provide leadership with real-time visibility into compliance posture.
- Build and lead the GRC team: Mentor and develop your team, establish technical and operational practices, define the playbooks for compliance execution, and create a culture of continuous improvement.
What You Have
- 10+ years of experience in GRC, compliance, security engineering, or related roles, with…
Related remote jobs