Security GRC Engineering Manager

About the role:

We are looking for a Security Engineering Manager to lead our GRC team. You will be responsible for developing and implementing strategies to ensure we get and maintain industry certifications, as well as liaising with other teams delivering parts of our overall security posture. The ideal candidate will have a proven track record of building, implementing and improving the maturity of security programs in Cloud-based SaaS organizations and possess excellent leadership and communication skills.  You must have significant engineering acumen as this is a highly technology-driven role.

Grafana and the LGTM stack continue to be highly successful open-source projects and on-premise products, with over a million instances of our application running in the wild. Grafana is also the main frontend for Grafana Cloud where users can visualize their telemetry data as well as use our opinionated solutions for easier troubleshooting of both their infrastructure and their applications. 

Responsibilities:

• Lead our security assurance team covering a range of areas, including certifications, application security, cloud security, and internal tooling development
• Develop, implement, and maintain security assurance programs to ensure compliance with organizational and regulatory requirements (e.g., ISO 27001, SOC 2, GDPR, NIST, PCI-DSS).
• Conduct security assessments and audits of systems, networks, applications, and vendors to identify vulnerabilities and ensure mitigation efforts are effective.
• Drive how Grafana implements automation to ensure compliance (verify Compliance as Code)
• Define, optimize, and implement the engineering strategy in concert with the security leadership team, ICs and stakeholders across the business
• Regular 1:1s, coaching and mentoring to ensure your team members are motivated, happy and engaged. Providing continuous feedback to ensure that they can add value while maintaining high standards
• Collaborate with cross-functional teams to integrate security controls into the software development lifecycle and operational processes.
• Work closely with legal and compliance teams to manage security certifications and regulatory obligations.
• Contributing to and reviewing design documents for upcoming projects. Ensuring projects are well-defined and ready for development. Advise on how to break down projects into tasks

Requirements:

• Compliance Automation (Compliance-as-Code):
• Proven expertise in automating security compliance processes using tools, scripts, and frameworks (e.g., Terraform, Ansible, or custom scripts).
• Experience integrating compliance checks into CI/CD pipelines to ensure ongoing adherence to security policies and standards.
• Ability to develop and maintain Infrastructure as Code (IaC) configurations that align with organizational security and regulatory requirements.
• Certifications and Standards Expertise:
• Deep understanding of industry-recognized security frameworks, standards, and certifications, such as ISO 27001, SOC 2, PCI DSS, NIST, or GDPR.
• Demonstrated experience in conducting gap analyses, preparing for audits, and ensuring compliance with relevant security certifications.
• Knowledge of emerging trends and updates in compliance standards to ensure continuous alignment with best practices.
• Project and Deadline Management:
• Strong capability to manage multiple complex projects and deadlines simultaneously, ensuring timely delivery of security and compliance objectives.
• Proficiency in using project management tools and methodologies (e.g., Agile, Kanban, or Gantt charts) to track progress and coordinate with cross-functional teams.
• Skilled in prioritizing tasks based on risk, impact, and organizational goals, maintaining focus under tight timelines.
• Technical Security Expertise:
• A solid foundation in security principles, architecture, and risk management.
• Hands-on experience with security tools (e.g., vulnerability scanners, SIEM platforms, and compliance reporting tools).
• Ability to assess, report, and remediate security vulnerabilities in a fast-paced environment.
• Collaboration and Communication:
• Strong interpersonal skills to collaborate with diverse stakeholders, including engineers, compliance officers, and leadership teams.
• Clear and effective communication of complex technical and compliance issues to non-technical audiences.
• Experience in creating and delivering documentation, training, and awareness programs related to security assurance and compliance.
• Problem-Solving and Innovation:
• A proactive approach to identifying and solving compliance and security challenges.
• Ability to innovate and improve existing processes, leveraging automation and modern tools to enhance efficiency.
• Preferred Qualifications:
• A degree in Computer Science, Information Security, or related field (or equivalent experience).
• Hands-on experience in cloud environments (AWS, Azure, or Google Cloud) and their compliance frameworks.

Soft Skills:

• Excellent communication and interpersonal skills to collaborate with technical and non-technical teams.
• Strong problem-solving and analytical skills.
• Ability to manage multiple projects simultaneously and meet deadlines in a fast-paced environment.
• High attention to detail and commitment to maintaining confidentiality and integrity.

Bonus Points:

• A technical background, ideally with programming or software engineering experience, before transitioning into security & leadership
• Working knowledge of Grafana Labs OSS projects and products. Experience in using observability tooling to solve security problems. 
• Experience working with OSS communities
• Experience securing large-scale distributed systems

In the USA, the base compensation range for this role is  200,000 USD - 240,000 USD.  Actual compensation may vary based on level, experience, and skillset as assessed in the interview process. Benefits include equity, bonus (if applicable) and other benefits listed here.

*Compensation ranges are country specific. If you are applying for this role from a different location than listed above, your recruiter will discuss your specific market’s defined pay range & benefits at the beginning of the process