Corporate Security Engineer (GRC)
Belfast, United Kingdom
Cloudsmith
A fully-managed, enterprise-scale solution to control, secure, and distribute software packages and containers.
TL;DR: We're seeking a Corporate Security Engineer to lead our GRC, Regulatory and Internal Corporate security efforts to help keep Cloudsmith – a world-class, security-first company powering the future of software delivery
About Cloudsmith
Cloudsmith is transforming how organizations handle software artifacts and secure their supply chains. As a fully managed multi-tenant Software as a Service (SaaS) built on AWS, our mission is to enable organizations to tackle scale and complexity through best-in-class artifact management and to secure software by default. Our vision is to become the software supply chain itself, powering the future of software delivery.
We are the world's most potent artifact management platform, built by developers for developers. Our platform supports over 30 formats spanning languages, containers, and operating systems, with enterprise-grade features, including vulnerability and security scanning, world-class policy management and enforcement, and web-scale to handle the Fortune 500. Organizations integrate Cloudsmith as critical infrastructure into their development, deployment, and distribution pipelines, trusting us to protect and accelerate, no matter the scale.
Backed by top-tier investors and on a trajectory toward IPO and beyond, we're building mission-critical infrastructure that powers software delivery for organizations worldwide. We operate at the cutting edge of cloud-native technology, tackling complex distributed systems challenges that directly impact millions of developers. Now is an exciting time to join us as we revolutionize how organizations deliver and secure software and help write the next chapter of our rocket-ship growth story.
The Role
As our GRC Corporate Security Engineer, you’ll be reporting to the head of application security. This role revolves around protecting Cloudsmith as a company, ensuring our assets are secure and that we remain compliant with industry-leading benchmarks and standards. You'll be responsible for leading our Governance, Risk and Compliance programme, ensuring we achieve and maintain industry best practices and standards such as ISO27001, SOC2 and others as Cloudsmith expands and meets its customers’ requirements. Additionally, you will be responsible for ensuring the secure configuration, hardening, and monitoring of our IT assets, accounts, and infrastructure, as well as leading the response to incidents and non-compliances.
As a leader of our GRC programme, you will work closely with customers of Cloudsmith, helping demonstrate how we meet all security requirements, as well as ensuring that the vendors Cloudsmith utilises are also adhering to best practices.
Key Responsibilities
Governance, Risk and Compliance
Help Cloudsmith maintain and expand its regulatory frameworks, including ISO27001, SOC2 and other industry-leading standards (utilising Vanta), to define our security-first best practices and lead by example for our customers.
Lead Vendor Security engagements, both for the services and vendors that Cloudsmith uses as well as the assurance processes that are required by customers of Cloudsmith
Define and improve our internal security processes relating to asset management, mobile device management, data loss protection, endpoint device protection, JML processes, incident response and monitoring
Corporate Security
Maintain and proactively monitor our mobile device management profiles and tooling to ensure all endpoint assets are secured to industry best standards via our Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) Platforms
With the help of the wider security team, work towards unifying our security configuration, deployment, monitoring and response utilising seamless integrations between services and automated playbooks to reduce response times to potential threats - our SOC, SIEM and SOAR initiatives
Internal Training and Readiness
Assist in designing and leading regular security training of our staff to maintain best-in-class security awareness
Lead table-top exercises, simulations and disaster recovery drills to ensure our response capability is robust and sound
Required Experience, Qualities & Skills
Technical Expertise
5+ years of experience in managing internal corporate security and compliance
Proven track record of implementing a robust GRC programme with industry standard benchmarks
Experience in automation of manual processes, either using PaaS tooling, or scripting
Ability to conduct security audits, vulnerability assessments, and compliance checks.
Policy Development with experience writing security policies, procedures, and standards to enforce best practices.
Third-Party Risk Management: Evaluating vendor security posture and compliance requirements.
Incident Response Planning: Experience developing incident response procedures and conducting tabletop exercises.
Security Automation & Monitoring: Familiarity with SIEM tools like Splunk, Microsoft Sentinel, or Elastic Security.
Domain Knowledge
Regulatory Frameworks: Deep understanding of compliance standards such as ISO 27001, NIST, CIS Controls, SOC 2, GDPR, HIPAA, and industry-specific security requirements.
Audit Processes: Conducting internal security audits, working with external auditors, and ensuring compliance across IT systems.
Security Policy Development: Writing and enforcing security policies around data protection, access control, vendor risk management, and incident response.
Vendor & Third-Party Risk Management: Evaluating security posture of suppliers and ensuring proper contracts (DPAs, SLAs, security agreements) are in place.
Identity & Access Management (IAM): Deep knowledge of authentication mechanisms (RBAC, SSO, MFA) and tools like Okta, Azure AD, AWS IAM.
Configuration Management & Hardening: Ensuring devices are configured to security standards, applying secure baseline templates (CIS benchmarks).
Zero Trust Architecture: Implementing Zero Trust security principles for internal networks and endpoints.
Cultural Values We're Looking For
An open and inquisitive attitude to learning, growing and improving how we do things best
A naturally open communication style and positive collaboration on all matters security
Strategic vision to see how the efforts we make to enhance the security of Cloudsmith improves the company and product, helps our customers and ultimately, secures the software supply chain
A bias for action with ingenuity and initiative
An assumption of positive intent and a desire to put things right
Impact & Opportunity
This role offers the chance to play a critical part in building and scaling Cloudsmith’s security capabilities. You’ll be helping to shape how we protect our platform, customers, and the broader software supply chain. From startups to Fortune 500 companies, your work will have a direct impact on how organizations control and secure their software supply chains.
Growth & Development
As part of Cloudsmith’s growing Security function, you’ll have the opportunity to help define and implement security best practices across the company. You’ll work closely with engineering, product, and leadership teams to build a secure-by-default platform — making a real contribution to the future of software supply chain security.
Benefits, Location & Work Environment
Note: You must be based in Ireland or the United Kingdom and have the right to work independently without requiring sponsorship.
Headlines
A remote-first position based in Ireland or the United Kingdom.
A competitive compensation package, including equity.
With comprehensive health, dental, and vision insurance.
Plus, generous annual leave and flexible working policies to suit your lifestyle.
Including a professional development budget for conferences and training.
In a dynamic, innovative, trust-centric, and supportive work environment.
With the opportunity to shape a fast-growing Series A startup (and beyond).
Regular (monthly-ish) travel may be required for team meetings.
Regular (quarterly-ish) travel may also be required for events and customers.
Health and Wellness
Regardless of your location, we deeply care about the health and wellness of our staff and their families; a sustainable pace is important to us. In addition to generous annual leave (PTO), we offer health and wellbeing benefits along with flexible family-friendly working policies.
Personal Growth
You will have an enormous opportunity to learn new skills alongside your colleagues, and your continued professional development is essential to us because it's important to you. We will support you with budgets for equipment, training, books, conferences, travel, and certifications. The more powerful you become, the better for all of us.
Hybrid / Remote First
Cloudsmith is headquartered in Belfast, Northern Ireland, with fully-equipped office space that’s open 24x7. We use our H.Q. regularly for activities like working sessions, team planning, meets and greets, and sometimes other group activities (like games!). We also hold all-hands offsites in Belfast (or otherwise) thrice yearly, with guest speakers and team activities. Most Cloudsmithers work remotely, close and far, so we rely on our online collaboration tools; Slack, Google Docs, Linear, and other popular collaboration tools are how we work.
About Equal Opportunity
Cloudsmith is an equal-opportunity employer proud to nurture a diverse workplace that welcomes applications from individuals of all races, genders, and ethnic groups. We do not discriminate on age, religion, sexual orientation, citizenship status, military service, or health conditions. We will not tolerate discrimination of any kind within our workforce.
The Final Word
We're looking for someone who can balance strategic thinking with technical depth, has the experience to build a scalable, secure, and user-centric security function, and is fearless in rolling up their sleeves when needed. We're critical infrastructure by developers / for developers and building the world's software supply chain platform and ecosystem. We want to hear from you if you're excited to build the foundation of a security-first culture with a lasting impact on the software industry from today until IPO and beyond.
Tags: Application security Audits Automation AWS Azure Cloud Compliance EDR GDPR Governance HIPAA IAM Incident response ISO 27001 Monitoring NIST Okta PaaS Risk management SaaS Scripting Sentinel SIEM SLAs SOAR SOC SOC 2 Splunk SSO Zero Trust
Perks/benefits: Career development Competitive pay Conferences Equity / stock options Flex hours Flex vacation Health care Startup environment Team events Travel Wellness