Senior Manager, GRC

Utah | Hybrid

BambooHR

BambooHR makes it easy to simplify HR, with award-winning solutions for everything from hire to retire. Learn more with a free demo today.


Please Note: This is a Utah-based hybrid position which will require some regular in-office days each week. Additionally, employment with BambooHR is contingent on passing both a background and credit check.  

Essential Job Duties

We are seeking an accomplished and strategic Senior Manager, GRC to lead our Governance, Risk, and Compliance initiatives. This is a pivotal role for an experienced GRC leader with a strong technical foundation, an "AI/Automation First" mindset, and deep expertise in cloud-native environments. You will be responsible for defining, implementing, and maturing our GRC framework, ensuring continuous compliance with industry standards, and proactively managing information security risks across our enterprise and product offerings.

You will:

  • GRC Program Leadership: Own, mature, and continuously enhance the company's GRC program, including risk management, information security governance, control frameworks, and policy management.
  • Risk Management: Develop and implement a comprehensive risk management program, including risk identification, assessment, mitigation strategies, and reporting across technical and business functions. Drive proactive risk reduction through collaboration with engineering and product teams.
  • Cloud-Native GRC: Lead GRC efforts in our advanced cloud-native environment (e.g., AWS, Azure, GCP), ensuring security controls and compliance requirements are effectively integrated into cloud architecture, CI/CD pipelines, and microservices.
  • AI/Automation First: Champion and drive an "AI/Automation First" approach to GRC, identifying and implementing solutions to automate compliance activities, risk assessments, control monitoring, and reporting, leveraging AI where impactful.
  • Controls & Compliance: Define, implement, and monitor security controls to meet regulatory and industry standards. Oversee internal and external audits, driving successful attainment and maintenance of certifications and attestations (e.g., SOC 2, ISO 27001, ISO 42001, NIST CSF, CIS, PCI, GDPR, CCPA, etc.).
  • NIST CSF 2.0 Expertise: Lead the adoption and maturation of our information security program aligned primarily with the NIST Cybersecurity Framework (CSF) 2.0.
  • Policy & Standards Development: Develop, maintain, and enforce information security policies, standards, and guidelines that align with business objectives and regulatory requirements.
  • Security Awareness Program: Manage information security training and awareness programs.
  • Third-Party Risk Management (TPRM): Oversee the end-to-end Third-Party Risk Management program, including vendor security assessments, due diligence, contract reviews, and continuous monitoring.
  • Cross-Functional Collaboration: Partner closely with Engineering, Product, Legal, Internal Audit, and Business Operations teams to embed security and compliance into business processes and product development cycles.
  • Leadership & People Management: Recruit, mentor, and develop a high-performing GRC team. Foster a culture of security awareness and continuous improvement across the organization.
  • Reporting & Communication: Provide clear, concise, and actionable reporting on the state of risk and compliance to executive leadership, boards, and other stakeholders.

What You Need to Get the Job Done

  • Bachelor's degree in Computer Science, Information Security, Business Administration, or a related field; Master's degree preferred.
  • Minimum 10 years of progressive experience in Information Security GRC, with at least 3-5 years in a leadership or management role.
  • Demonstrated expertise in architecting and managing GRC programs within complex, cloud-native (AWS, Azure, GCP) environments.
  • Proven track record of implementing and maturing security programs based on NIST Cybersecurity Framework (CSF) 2.0.
  • Strong understanding of core GRC domains: Risk Management (methodologies like FAIR, OCTAVE), Governance structures, Controls implementation, and Policy lifecycle.
  • "AI/Automation First" Mindset: Experience identifying opportunities and implementing automated solutions for GRC processes.
  • Expertise in Third-Party Risk Management (TPRM) best practices and tools.
  • A strong mix of technical/engineering skillsets (e.g., understanding of cloud architecture, API security, CI/CD, identity management) to effectively engage with technical teams and understand underlying risks.
  • Experience leading successful internal and external audits for compliance standards (e.g., SOC 2 Type 2, ISO 27001, HIPAA, GDPR, CCPA).
  • Exceptional leadership, team-building, and people management skills, with the ability to inspire and empower a team.
  • Excellent written and verbal communication skills, with the ability to translate complex technical and compliance concepts for executive and non-technical audiences.
  • Relevant certifications highly preferred (e.g., CISSP, CISM, CISA, CRISC, AWS Security, Azure Security Engineer).

What Will Make Us REALLY Love You 

  • Experience in the HR Tech or SaaS industry.
  • Experience with GRC automation platforms and tools.
  • Contributions to industry standards or thought leadership in GRC or cloud security.

What You'll Love About Us

  • Great company culture that has been recognized by multiple organizations, including Inc. and The Salt Lake Tribune
  • Comprehensive health, life, and disability insurance
  • Generous leave policies that include 4 weeks of vacation, 12 company holidays, parental leave, and volunteer time off so you can enjoy quality of life
  • 401k plans with up to 6% company match
  • $2000 Paid-Paid Vacation bonus
  • EAP through Headspace
  • Check out all our benefits that benefit you 


About Us

At BambooHR, we're building something different: we're building a people intelligence platform that transforms HR and sets people free to do great work! We're a proven market leader driving innovation while building lasting success through thoughtful, sustainable growth. Here, you'll find a place that champions growth: both professional and personal, both individual and collective. 

We invest in potential, giving you the space to stretch your capabilities and turn good ideas into reality while providing the safety net of a supportive, values-driven culture. Our approach combines meaningful work with meaningful lives, offering competitive benefits, professional development, and the flexibility to thrive both in and outside the office. 

What sets us apart isn't just what we do, but how we do it: with openness, integrity, and a shared commitment to doing the right thing. Join us in creating HR software that makes work better for everyone, while we make work better for you.

BambooHR is committed to the full inclusion of all qualified individuals and will ensure that persons with disabilities are provided reasonable accommodations throughout the hiring process.  If you would like to request accommodations, please let your recruiter know.

BambooHR is an Equal Opportunity Employer (M/F/D/V).

Because our team members are trusted to handle sensitive information, we require all candidates that receive and accept employment offers to complete a background check before being hired.

