Security GRC Manager

Job Description:

• Own and mature Hex’s security and privacy compliance program across SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, CCPA, PCI DSS, and other frameworks relevant to our business
• Ensure continuous audit readiness: maintain controls, gather evidence, manage auditors, and implement improvements.
• Track regulatory and industry changes, advising Hex leadership on impact and recommended responses.
• Maintain and develop core security policies, standards, and procedures, tailoring them to Hex’s real operating environment.
• Own Hex’s risk management lifecycle: identify, assess, track, and drive mitigation of security, privacy, operational, and regulatory risks.
• Build lightweight but effective governance processes, ensuring clear ownership, documentation, and accountability.
• Serve as the primary owner of customer and prospect security questionnaires, risk assessments, and contractual security provisions.
• Manage and improve Hex’s Trust Center / trust portal, ensuring accurate and compelling communication of Hex’s security posture.
• Lead internal and external audits from planning through remediation.
• Own Hex’s third-party risk management program, including vendor assessments, reviews, and ongoing monitoring.
• Define and run security awareness training tailored to Hex’s environment.

Requirements:

• 5–8+ years in GRC, compliance, security engineering, privacy, audit, or a related field
• Deep familiarity with frameworks such as SOC 2, ISO 27001, ISO 27701, PCI DSS, HIPAA, GDPR, and associated security controls
• Experience running or contributing significantly to audit cycles and certification processes
• Technical literacy in cloud-native environments (AWS preferred), SaaS architectures, and modern security tooling
• Ability to understand and explain product architecture, data flows, and control implementations to auditors and customers

Benefits:

• Competitive total rewards package
• Comprehensive health benefits
• Flexible paid time off