Job Description

Governance, Risk and Compliance (GRC), Principal Engineer

Location: Remote, USA

ABOUT TECHNOLOGY AND SECURITY

Our team is made up of people from varied backgrounds, including engineers who built and scaled organizations like Google, Netflix, eBay, GitHub, and LivingSocial. We build modern software with modern techniques like TDD, continuous delivery, DevOps, and service-oriented architecture. Cross-functional partnerships are deeply meaningful to us and are how we’ve built up immense trust with the people running the business. We focus on high-value products that solve clearly identified problems but are designed in a sustainable way so that value continues to be delivered in the long term. In fact, some of our proudest moments come from solving business problems without writing a line of code.

ABOUT THE ROLE

We are looking for a Governance, Risk and Compliance (GRC) Principal Engineer to join our Information Security organization. Our team members are given a great deal of autonomy in the pursuit of keeping Stitch Fix secure. You will be primarily responsible for identifying security risks to the organization and addressing security compliance findings.

You will coordinate with our Legal and Finance teams to address technology and security compliance requirements (SOX, PCI, GDPR, NIST, etc.) as part of our annual assessments and audits. You will contribute to discussions with external auditors and assessors about our overall technology and security governance and compliance posture and future roadmaps. Finally, you will contribute to our Security Awareness program, which involves partnering with People & Culture on the training of Stitch Fix employees and on related activities that promote better security awareness and culture. We trust you to focus your time and efforts where they are needed most to drive results at any given time.

You will continually identify ways we can improve our GRC vendor risk management processes, developing a roadmap to scale our operations and executing recommendations (such as automation) that improve how we support the business and how we represent Security internally and externally.

You won’t do this alone. The security team will work with you to evolve our programs and processes as a whole so that we get faster and more automated, and bring a higher degree of focus and speed to GRC.

We’re looking specifically for GRC practitioners who place an emphasis on practical security. Stitch Fix is a fast-growing company, and our security programs need to keep pace with that growth without disrupting innovation. You will help us improve our ability to respond effectively to requests from external stakeholders. You will drive efforts to prototype, implement, test, deploy, and maintain new automated processes that meet compliance requirements. You will work to understand our overall risk profile (inclusive of vendor risk), clearly explaining your prioritization decisions and how they affect our risk management posture.

REQUISITE SKILLS AND EXPERIENCE

  • At least 6 years in Security, preferably in a GRC role or similar (Technology/IT Audit, Internal Audit, IT Consulting, etc.)
  • Demonstrated experience with common compliance frameworks (SOX, GDPR, CCPA, PCI, ISO 27000, NIST Cybersecurity Framework, NIST SP 800-53)
  • Understanding of common vendor risks and common vendor attestations (SSAE 16, SOC 2, SIG Full/Lite)
  • Understanding of security best practices (password security, device security, etc.) in the context of Security Training and Awareness
  • Demonstrated ability to drive multiple workstreams in parallel within GRC
  • Strong written and spoken communication skills when responding to external requests
  • Strong partnership and soft skills to influence outside of the Security organization and drive a culture of Security
