Locations: In this role you can work from Remote, United States
Overview:
GitHub is looking for a technical GRC professional to join GitHub’s Audit and Compliance team. This role will work directly with security, engineering, and product teams to ensure products meet GitHub’s security expectations, and will then take those products through external certification audits. GitHub is committed to developing a compliance program that enables rapid product development while reliably exceeding our customers' high expectations for security and compliance.
If you have experience in compliance program management and in collaborating with product and engineering teams to drive enterprise objectives, and you want to contribute to making the world's largest software development platform more secure, we want to hear from you!
About the Role:
This individual-contributor role will contribute to compliance efforts for GitHub’s suite of products, including GitHub Enterprise Cloud, GitHub Copilot, and products under development. You will work closely with peers on the Audit and Compliance team and multiple other groups including security, software engineering, infrastructure, and product to validate the secure and compliant design and implementation of GitHub products. This is a “hands on” role where you will participate directly in audit planning and execution.
Our ideal candidate takes a pragmatic approach to compliance (compliance happens because of good security), functions well as part of a growing team, and is able to balance the needs of a dynamic engineering culture with that of protecting the company and customer data. Compliance at GitHub is a team effort, so bringing your team members, leadership, and customers along for the ride is integral to your success. Central to the team's culture is that of inclusion, transparency, and teamwork — we lift each other up to be successful.
Past experience driving compliance results in IT, Software, Finance, Government or other complex organizations will stand out.
Responsibilities:
A large focus of this position will be to:
Engage with product and engineering teams to evaluate new products, and make recommendations for existing products, against security and compliance objectives.
Collaborate to design solutions for security and compliance challenges.
Evaluate potential new certifications against existing products and GitHub’s existing controls.
Develop paved-path compliance solutions with a focus on meaningful security and risk reduction; integrate these solutions with existing tools and processes.
Lead external certification audits, including hands-on scheduling and evidence wrangling.
Contribute to ongoing efforts to standardize and improve audit readiness testing techniques and program-level process/documentation.
Contribute to the development of customer-facing materials covering topics related to security, compliance, and audit to help customers manage their own audit efforts involving GitHub products more effectively.
Support GitHub’s “right to audit” activities for financial industry customers.
This job is U.S. based and open nationwide; however, semi-frequent travel (<10%) to our San Francisco, CA headquarters or to Seattle, WA will be necessary for a remote worker.
Qualifications:
Required Qualifications:
4+ years professional experience in cyber security, security analysis, security engineering, or software development, OR a Bachelor's Degree in a related field and 2+ years professional experience.
1+ years professional experience working with at least one of SOC 2 type II, ISO 27001, or FedRAMP, or other enterprise-recognized product security certification.
Preferred Qualifications
Several years' experience with progressive responsibility and scope expansion in requirements development, program management, and process improvement efforts in a technical company.
Many years' experience with progressive responsibility and scope expansion performing compliance and audit testing, with demonstrated ability to execute activities along the entire audit life cycle (e.g. planning, audit execution, reporting and wrap-up, remediation), OR a degree and a couple of years' experience in a related field.
Ability to design and work effectively against metrics/KPIs which assess program performance.
Ability to partner and effectively communicate with security, engineering, and devops staff, with a heavy focus on clear and concise written asynchronous communication.
Experience working on a remote team in an asynchronous workflow.
Demonstrated ability to function as a strong business to technology "Human API," helping to bridge the business view and requirements to technologists building solutions.
Proven communication skills and ability to partner with and effectively communicate with technical and non-technical employees, security, engineering and management staff.
Strong independent motivation, high comfort level with written communication, use of chat tools, and asynchronous communication skills.
Proven skills at organizing complex work efforts and tracking details that may vary on a week by week basis.
Experience collecting data consistently, and basic experience developing reporting or metrics to assess and report program performance using data analysis tools (Excel, Google Sheets, databases, or comparable tooling).
Proven success in developing and using metrics/KPIs to assess, report on and improve program performance.
Experience standing up and/or administering applications and tooling with a growth mindset for learning scripting and automating processes.
Preferred Approach:
Experience with a team-centric mindset. Drawn to collaboration with a belief that we create a better result together.
Mastery at digging into problems, answering questions, and assisting colleagues both within the GRC team and across the company.
Experience in an iterative, transparent environment where work is shared in draft stages and the belief that “Code speaks louder than words” holds.
Proficiency at working under ambiguous situations, with demonstrated drive to bring clarity using communication and independent research of existing documentation and resources.
Expertise in functioning as a business-to-technology translator, helping bridge the business view of compliance to technical engineering and operations staff and vice versa.
Demonstrated confidence in ability to say "I don't know, but I will find out!" with a strong desire to learn.
These pay ranges are intended to cover roles based across the United States. An individual's base pay depends on various factors including geographical location and review of experience, knowledge, skills, abilities of the applicant. At GitHub certain roles are eligible for benefits and additional rewards, including annual bonus and stock. These rewards are allocated based on individual impact in role. In addition, certain roles also have the opportunity to earn sales incentives based on revenue or utilization, depending on the terms of the plan and the employee's role.
GitHub Leadership Principles:
GitHub values
- Customer-obsessed
- Ship to learn
- Growth mindset
- Own the outcome
- Better together
- Diverse and inclusive
Manager fundamentals
- Model
- Coach
- Care
Leadership principles
- Create clarity
- Generate energy
- Deliver success
Our teams are dreamers, doers, and pioneers, leading the way in AI, driving humanitarian efforts around the globe, and even sending open source to Mars (and beyond!). At GitHub, our goal is to create the space you need to do your best work. We’re remote-first and offer competitive pay, generous learning and growth opportunities, and excellent benefits to support you, wherever you are—because we know that people flourish when they can work on their own terms.
Join us, and let’s change the world, together.
EEO Statement: GitHub is made up of people from a wide variety of backgrounds and lifestyles. We embrace diversity and invite applications from people of all walks of life. We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, disability, pregnancy status, veteran status, or any other differences. Also, if you have a disability, please let us know if there's any way we can make the interview process better for you; we're happy to accommodate!