Staff/Senior Security GRC Engineer

THE WORK:

Through our blockchain technology and rapidly growing network of financial institutions, Ripple is improving the global financial system and increasing economic inclusion for more people, in more places around the world.  Ripple is looking for passionate Information Security professionals to build a world-class Information Security program. In this critical role, you will be responsible for driving operational excellence through automation within the GRC program. It requires a deep understanding of all areas of GRC with technical program management experience and knowledge of cloud, API integration and information security technologies. 

WHAT YOU’LL DO:

• Identify, assess, and prioritize information security risks across the organization, aligning with business objectives and risk appetite
• Develop and maintain a comprehensive risk repository, ensuring all identified risks are documented, tracked, and regularly updated
• Partner with stakeholders to analyze technical and business impacts of identified risks and recommend appropriate mitigation strategies
• Facilitate and lead risk assessment processes
• Remain up to date on current security laws, regulations, and standards ( SOC2, ISO 27001, NYDFS, PSD2, MAS, DORA, CBI, MICA, etc.)
• Represent the Infosec GRC team by actively engaging in projects and providing guidance, requirements, and documentation when requested
• Participate in designing and implementing technical solutions on how to optimize, automate, and monitor GRC processes such as control testing, evidence collection, workflows, and risk management activities
• Provide technical GRC guidance to Information Security and Engineering teams
• Participate in the configuration and administration of the program via integrated GRC tools
• Mentor and grow the GRC team while fostering an innovative, healthy, and productive team culture.
• Build strong partnerships with technical and business leaders to align team resources with company priorities and strategic goals.
• Develop and manage end-to-end technical GRC projects, establishing clear metrics and milestones to track progress and ensure timely delivery. 
• Develop and maintain dashboards to provide visibility into compliance status, risk posture, and program effectiveness.
• Develop  automation workflows to streamline evidence collection  for audits, control testing, and security configuration monitoring
• Assist with developing configuration monitoring capabilities for SaaS and IaaS platforms
• Mentors team members to effectively manage their workflows, programs, and projects independently, fostering self-reliance and professional growth

WHAT YOU'LL BRING: 

• Bachelor's Degree in relevant discipline or equivalent work experience
• 7+ years of experience in information security risk management and compliance within a highly regulated industry 
• A solid foundation in a technical information security role, with hands-on experience in areas such as infrastructure security, security operations, or security architecture, demonstrating a deep understanding of technical security measures,est practices, and their application to risk management and compliance 
• Exceptional writing skills, with the ability to clearly and effectively communicate risks and craft accurate, professional policies and procedures 
• Experience working with engineering teams to understand issues and prioritize remediations
• The ability to obtain a deep understanding of the company’s technology and product stack is essential, enabling the identification and assessment of associated security risks with precision and depth
• Exceptional analytical skills with the ability to translate complex security risks into clear and actionable recommendations
• Proficiency with common information security frameworks including SOC2, ISO 27001, NYDFS, PSD2, MAS, DORA, CBI, MICA, etc.
• Familiarity with capability maturity frameworks
• Hands-on experience assessing and managing security risks in public cloud environments, with a strong preference for expertise in AWS
• Proficiency in evaluating security risks associated with Kubernetes and container orchestration environments is not mandatory, but highly desirable
• Demonstrated ability to navigate cloud security and compliance challenges effectively
• Ability to collaborate effectively with cross-functional teams of engineers, product managers, and security and compliance experts
• Familiarity and experience with IT/Security tooling, including GRC platforms
• Ability to analyze empirical evidence and technical reports, identify root causes, and work with teams to identify solutions to remediate gaps
• Someone willing to adapt to changes in a fast-moving environment
• Experience with cloud-native pre-IPO startup companies
• Desirable certifications:  CISSP, CISA, AWS Certified Solutions Architect, AWS Certified Security, PMP