Information Security GRC Lead

Smarsh
Summary
Join Smarsh's growing GRC team as a GRC Lead and play a key role in ensuring the company's security governance, risk, and compliance efforts are integrated, scalable, and proactive. You will lead the maintenance and continuous improvement of Smarsh's ISO 27001-aligned ISMS, oversee the control assurance program, and own key internal and external audit workstreams. This role involves driving the risk assessment lifecycle, enhancing risk methodologies, and supporting risk acceptance processes. You will also monitor emerging regulations, manage customer security assessments, and lead third-party security reviews. Furthermore, you will maintain the InfoSec policy lifecycle, develop security governance metrics, and deliver security training and awareness campaigns. This is a strategic, hands-on role requiring collaboration with various teams across the organization.
Requirements
- 7 to 10 years' experience in security governance, risk, or compliance roles within SaaS or regulated industries
- Strong track record operationalising ISMS frameworks, managing control assurance, and supporting external audits
- Hands-on experience with GRC platforms, security metrics reporting, and risk assessments
- Proven ability to work across business, engineering, and legal teams to embed governance effectively
- Familiarity with modern regulatory landscapes and frameworks such as ISO 27001, SOC 2, GDPR, DORA, FedRAMP and SEC Cyber rules
- Strong communication skills, with the ability to create executive-level reporting and artifacts
- Experience leading client assurance programmes or third-party risk management
Responsibilities
- Lead the maintenance and continuous improvement of Smarsh's ISO 27001-aligned ISMS
- Oversee the control assurance programme, ensuring robust evidence collection, control testing, and continuous monitoring
- Own key internal and external audit workstreams, including SOC 2, ISO 27001, FedRAMP and customer audits
- Drive the risk assessment lifecycle, embedding business, technical, and supply chain risk perspectives
- Enhance risk methodologies and tools, integrating real-time risk metrics into dashboards and governance forums
- Support risk acceptance processes and facilitate cross-functional remediation plans
- Monitor emerging regulations (e.g. DORA, SEC, UK AI Act) and translate them into actionable internal obligations
- Manage customer security assessments and DDQs, enabling frictionless trust through reusable assurance artefacts
- Coordinate timely, high-quality client responses and external assurance artefacts
- Lead third-party security reviews and ensure governance controls are extended across the vendor lifecycle
- Partner with Procurement and Legal to align contractual security requirements and risk acceptance criteria
- Maintain the InfoSec policy lifecycle and track compliance across business units
- Develop and maintain security governance metrics and reporting for the CISO and wider executive team
- Support the operation of governance forums and steering committees
- Deliver targeted security training and awareness campaigns aligned to regulatory and business needs
- Promote a security-aware culture of governance accountability and enablement across teams
- Own and refine core GRC workflows, including documentation, issue tracking, evidence management, and status reporting
- Maintain and expand GRC tooling integrations, ensuring high-quality automation and reporting outputs
Preferred Qualifications
Professional certifications such as CISA, CISM, ISO 27001 Lead Auditor, CISSP or CRISC