Security Governance Risk And Compliance (GRC) Lead

Gusto, San Francisco, CA 94118

Posted 4 days ago

Security Governance Risk and Compliance (GRC) Lead

(San Francisco, Denver, NYC or Remote)

Gusto processes billions of dollars in payroll every month for small businesses and their employees. Our clients trust us with a huge amount of personally identifiable information (PII) and protected health information (PHI), including SSNs, EINs, salaries, home addresses, and more. Our business is largely built on trust; as a result, protecting our clients' information is our top priority.

The Governance Risk and Compliance (GRC) team is responsible for ensuring that Gusto complies with all applicable laws, regulations and its own internal controls, manages its risks effectively, and maintains a high level of information security. As a Lead GRC Analyst at Gusto, you will play a critical role in ensuring that our organization adheres to the highest standards of governance, risk management, and compliance, including managing all pre- and post-sales IT & Security support for Gusto Embedded.

Here's what you'll do day-to-day:

  • Develop, implement, and maintain a comprehensive strategy and supporting documentation, aligned with business goals and objectives, for all pre- and post-sales IT & Security support for Gusto Embedded payroll.

  • Support pre-sales initiatives with large potential customers by aligning with the internal Sales team on which prospects Gusto is targeting, so that initial compatibility due diligence (reputational checks, public breach history, etc.) can be performed.

  • Support the continued refinement of tier-based security requirements, inclusive of internal service level objectives (SLOs).

  • Align to a chosen security framework, with explicit guidelines for each type of partner Gusto would work with.

  • Create playbooks that drive agility and efficiency, improve Gusto's embedded payroll service (including its current controls), and position IT & Security as a competitive advantage in our go-to-market strategy.

  • Develop project plans that capture key milestones, sign-off, and support throughout the pre- and post-sales process.

  • Understand, triage and respond to all partner due diligence requirements in a centralized, organized, and timely manner. For areas with identified gaps, coordinate internal discussions for a path to remediation.

  • Facilitate negotiations with partners to ensure risk reduction for both parties, including ensuring that any commitments from Gusto are specific, time-bound and achievable before they are inserted into a contract.

  • Maintain continued trust with our Embedded Partners through proactive communication of external security and IT exam or scan results, and by managing ongoing Security or IT requirements, including annual audits, attestations and other due diligence exercises.

  • Continuously monitor changes in compliance regulations, standards, and best practices, and adapt the company's GRC program accordingly.

  • Lead efforts to drive process improvement and enhance the effectiveness of the GRC function.

Here's what we're looking for:

  • 8+ years of experience in the GRC, audit, or compliance space, assisting an organization in working toward SOX, SOC 1, SOC 2, ISO 27001, PCI and HIPAA compliance.

  • Experience with ISO 27001, ISO 27002 and NIST CSF, and working knowledge of ISO 27005 and ISO 27018.

  • Client-facing experience managing pre- and post-sales IT & Security support.

  • Relevant certifications (e.g., CISA, CISSP, CRISC, CISM) preferred.

  • Excellent analytical, problem-solving, and project management skills.

  • Ability to work collaboratively with cross-functional teams and stakeholders, from control owners up to the executive level.

  • High attention to detail and a commitment to upholding the highest standards of data security and compliance.

  • Experience with response coordination tools such as Loopio, RFPio, etc.

Our cash compensation amount for this role is targeted at $144,000/yr to $180,000/yr in Denver & most remote locations, and $174,000/yr to $210,000/yr for San Francisco & New York. Final offer amounts are determined by multiple factors including candidate experience and expertise and may vary from the amounts listed above.

