As UpGuard continues to rapidly expand, we're looking for a seasoned InfoSec Governance Risk and Compliance Lead to spearhead our information security risk and compliance initiatives. Reporting directly to the CISO, you will own the strategy and execution of our cybersecurity compliance programs, lead cross-functional risk management efforts, and ensure our systems and processes align with world-class security standards. Additionally, you will play a critical role in supporting our procurement and vendor management pipelines, ensuring all third-party relationships meet our stringent security and compliance requirements.
What will you do?
Lead GRC Strategy: Drive the development, maturity, and execution of UpGuard’s InfoSec Governance, Risk, and Compliance function, with primary ownership over technology and cybersecurity risk.
Optimize Procurement & Vendor Security: Partner closely with procurement, legal, and business stakeholders to embed security reviews into the purchasing lifecycle. Lead Third-Party Risk Management (TPRM) evaluations for new and existing vendors.
Contract & Legal Support: Review security exhibits, Data Processing Agreements, and security questionnaires during procurement negotiations to safeguard UpGuard and its customers.
Enterprise Collaboration: Partner with the CISO to contribute expert analysis on broader enterprise and operational risk matters, ensuring a unified approach to risk management.
Own the Risk Management Process: Architect and run the technology and security components of the Risk Management process. You will maintain, continually improve, and deliver executive-ready reporting on trends, vulnerabilities, and strategic insights.
Champion SOC 2 & Security Compliance: Formally own the technology and security control components of UpGuard’s annual SOC 2 Type II audit cycle. Design, manage, and coordinate remediations and improvements stemming from prior cycles, incident post-mortems, and internal assessments.
Build Trust & Product Alignment: Work cross-functionally with the Product team to develop public-facing trust documentation, while identifying security control gaps and improvement opportunities within the Product Development Life Cycle (PDLC).
Policy Governance: Draft, implement, and maintain a robust framework of InfoSec policies, standards, processes, and guidelines tailored to an evolving threat landscape.
Security Culture: Design and implement comprehensive, company-wide security awareness and compliance training programs utilizing the MindTickle platform.
What will you bring?
Core Experience: 4+ years of dedicated experience in Information Security, IT Audit, or GRC within a technical, cloud-based landscape.
Risk & GRC Tooling Expertise: Deep familiarity and hands-on experience with modern technology risk management frameworks, GRC platforms, and Third-Party Risk Management (TPRM) tools.
Procurement & Legal Acumen: Experience partnering with procurement, legal, and privacy teams across diverse geographic areas (e.g., GDPR/CCPA, anti-corruption) to review vendor contracts, technical agreements, and security exhibits.
Strategic Communication: A clear, collaborative communicator capable of translating complex technical risks into clear business impacts for stakeholders, customers, and vendors.
Autonomy & Ownership: The ability to work independently, take swift initiative, and manage the fine details while never losing sight of long-term strategic goals.
Problem-Solving Mindset: A skillful issue-spotter and adaptive learner who can confidently navigate ambiguity and evaluate legal/business risk trade-offs.
Collaborative Nature: High ethical standards, meticulous attention to detail, a team-first attitude, and a dual passion for teaching and learning.
What will give you an edge?
Advanced Experience: 6+ years of experience, including at least 2 years in a dedicated lead or senior-level capacity within a fast-growing B2B SaaS environment.
Audit Mastery: A proven track record of successfully owning and leading complex, multi-stakeholder security audits from scratch (specifically SOC 2 Type II, ISO 27001, or NIST frameworks).
Industry Certifications: Relevant professional certifications such as CISA, CRISC, CISM, or CISSP.
Scalability Mindset: Demonstrated experience scaling a GRC and vendor security function alongside a rapidly expanding global startup.
What's in it for you?
- Monthly Lifestyle subsidy: Use this for financial, physical, and mental well-being
- WFH set-up allowance: To ensure you have the right environment to work in, we will help you get set up within your first 3 months at UpGuard
- $1500 USD annual Learning & Development allowance: To support your career development, all team members will be able to expense development opportunities against this allowance
- Annual leave: PTO plus two additional UpGuardian leave days to give you time to recharge your batteries.
- 18 weeks paid Parental Leave: Irrespective of parenting role
- Personal Leave Allowance: This includes sick & carer’s leave
- Fully remote working environment: While we have physical offices in Sydney & Hobart, we do not mandate compulsory attendance
- Top-spec hardware: All team members will be provided with top-spec laptops for their role
- Generative AI subsidy: UpGuard provides paid subscriptions for all team members to access generative AI tools to support their work
.png)
