Senior Risk & Compliance Engineer

Summary

Join Instacart’s Governance, Risk, and Compliance (GRC) team as a Risk & Compliance Engineer specializing in Third Party Risk Management. You will safeguard Instacart’s security and privacy by managing risks associated with third-party vendors. Oversee the vendor lifecycle, conducting due diligence, performing reviews, and managing offboarding. Identify and mitigate emerging security risks from technologies like AI and LLMs. Collaborate across teams to influence decision-makers and mitigate risks. Drive innovation through advanced risk quantification and strategic partnerships. Your work will inform Instacart’s security strategies, ensuring vendors align with Instacart’s expectations and regulatory compliance requirements. The GRC team partners with IT, Legal, and Security Engineering to proactively identify and reduce risks. This role offers the flexibility to work remotely.

Requirements

• 7+ years of progressive experience in third-party security risk management, vendor audits, or compliance roles, preferably within a technology company
• Hands-on experience with third-party risk management (TPRM) and Governance, Risk, and Compliance (GRC) tools (e.g., OneTrust, Archer, Prevalent, Process Unity, Venminder, BitSight, SecurityScorecard, Zip, Safe Security)
• Expertise in leading compliance standards and industry frameworks (e.g., GDPR, CCPA, SOC2, NIST, ISO 27001)
• Familiarity with common security concepts, including identity and access controls, firewalls, APIs, vulnerabilities (CVE), and software supply chain risks
• Proven ability to review and analyze a variety of vendor security documentation, including audit reports, vulnerability scans, and penetration test results
• Previous experience with consumer data protection and privacy risk management, including performing privacy risk assessments and suggesting mitigation plans
• Strong communication and stakeholder engagement skills, with a proven ability to influence decision-makers and articulate complex technical risks and control concepts to non-technical stakeholders, including senior executives and audit committees

Responsibilities

• Reviewing third-party vendors during onboarding due diligence and recurring evaluation processes, meticulously focusing on identifying and mitigating cybersecurity, data privacy, and compliance risks
• Operating and improving Instacart's third-party risk management systems, including leveraging tools like Zip for workflows and Safe Security for risk quantification
• Partnering with Legal, Security Engineering, and system owners to embed comprehensive security and privacy requirements directly into third-party contracts and agreements, ensuring alignment with Instacart policies and compliance frameworks (e.g., GDPR, CCPA, SOC2, NIST, etc)
• Liaising with high-tier vendors to understand their security posture, advocate for aligned improvements, and provide advisory on identified risks
• Developing and maintaining processes that enhance the efficiency and scalability of third-party evaluations, continuous monitoring, and offboarding procedures
• Identifying and quantifying risks, proposing effective mitigation measures, and influencing internal stakeholders to implement necessary security controls to improve the third-party risk posture
• Leading vendor risk documentation, including maintaining a comprehensive third-party risk register, developing risk quantification reports using models like FAIR-TAM, and presenting findings, trends, and action plans for senior leadership
• Working with internal security teams to investigate and respond to third-party-related security incidents, defining escalation procedures and remediation requirements

Preferred Qualifications

• Professional certifications such as CISSP, CRISC, CISM, CISA, CIPP/US, CIPP/E, CIPM, CIPT, or ISO 27001 Lead Auditor/Implementer
• Hands-on experience negotiating vendor contracts with comprehensive security and privacy clauses
• Familiarity with and/or hands-on experience applying risk quantification frameworks (e.g., FAIR-TAM) and cybersecurity metrics reporting to assess financial impact
• Experience working on innovative risk management programs leveraging automation, AI, and continuous monitoring techniques
• Familiarity with AI concepts, tools, policies, and best practices, particularly concerning LLM security risks like prompt injection, training data poisoning, and insecure output handling
• Understanding of security and privacy challenges related to data lakes and data warehouses, including large data volumes, unstructured data, complex access controls, and regulatory compliance

Benefits

• Instacart provides highly market-competitive compensation and benefits in each location where our employees work
• This role is remote
• This role is eligible for a new hire equity grant as well as annual refresh grants