Remotery

Manager, GRC Subject Matter Experts, Product

at Vanta · United States · Full-time · Compliance · Senior / Lead · $230k – $311k/year

Posted 2 hours ago

This is a fully remote position, open to applicants in the United States.

📋 Description

• Recruit, mentor, and nurture a team of Subject Matter Experts (SMEs) focused on commercial frameworks, government frameworks, test authoring, framework quality improvement, and framework maintenance. This includes planning for current and future capacity requirements, establishing standards for technical depth and content quality, and preparing high achievers for expanded responsibilities.

• Foster a stable and motivated team environment with well-defined operating rhythms, delegating effectively to enhance ownership and skills, while collaborating with your leader and People Business Partner to identify and address team health challenges promptly.

• Align the team's roadmap and content priorities with Vanta's overarching product and company strategy, anticipating short-term changes in customer needs, regulatory environments, and product direction, and adjusting focus to maintain team alignment.

• Establish open feedback channels within the team and adapt communication strategies regarding priorities, decisions, and risks for various audiences, from individual contributors to engineering, go-to-market partners, customers, and executives.

• Guide the team through transitions with consistency while holding yourself and your team accountable for commitments: proactively sharing progress and risks, addressing shortcomings directly, and fostering an environment where mistakes are seen as opportunities for learning rather than occasions for blame.

• Manage and oversee Vanta's framework release process from start to finish, collaborating with Product and Engineering to define the playbook for how new frameworks, framework updates, automated tests, crosswalks, and content are scoped, developed, reviewed, and delivered.

• Supervise the program management tasks related to GRC content, including new framework launches, framework updates, update notes, customer escalations, content and test requests, PMM material evaluations, and contributions to licensing and pricing discussions.

• Monitor team performance and report key performance indicators (KPIs) and metrics to security and product leadership, including framework release speed, content quality, adoption rates, time-to-evidence, and customer impact.

• Clarify ambiguous and competing priorities across framework launches, updates, test authoring, and quality improvements into specific, actionable decisions, balancing customer demand, market opportunities, and engineering capacity, while escalating complex trade-offs with context and recommended solutions.

• Spearhead the quality enhancement initiative for older commercial frameworks, ensuring Vanta's entire library adheres to a modern and consistent standard for control wording, evidence specificity, and testing methods.

• Direct the team's efforts on crosswalks and mappings across security and privacy frameworks, including canonical control IDs, mapping confidence, and evidence data dictionaries, collaborating with Engineering to integrate these in-product.

• Influence the team's contributions to the wider GRC product landscape, including risk management, issue and corrective action management (POA&M), policy management, access reviews, Trust Center, and third-party risk management.

• Collaborate with Product Management and Design to ensure SMEs serve as effective product advisors throughout discovery, PRD creation, UI/UX evaluation, and usability testing.

• Advocate for AI-assisted compliance within the team, guiding SMEs to convert domain expertise into machine-readable specifications, evaluation sets, and guardrails, while partnering with Engineering and ML to deliver LLM-powered guidance and automation.

• Collaborate with Sales, Customer Success, and Product Marketing to present the framework portfolio externally and contribute to discussions on pricing, packaging, and licensing matters (including frameworks such as HITRUST).

• Act as a senior escalation point for customer inquiries related to framework content, scoping, and interpretation.

• Provide insights and feedback on the development of GRC product features reliant on the team's content and expertise.


⛳️ Requirements

• Over 7 years of experience in GRC and/or Information Security, with practical implementation or assessment across various frameworks (e.g., SOC 2, ISO 27001/27701, HIPAA, PCI DSS, NIST CSF/800-53); familiarity with cloud environments and SaaS is highly preferred.

• At least 2 years of experience managing technical or subject matter expert teams, demonstrating a passion for developing talent and cultivating a culture of quality and accountability.

• Proven experience in owning or significantly contributing to programs that encompass Product, Engineering, and go-to-market strategies, ideally covering content lifecycle, framework release, or compliance product initiatives.

• Strong program management instincts: adept at defining processes, driving prioritization, and holding cross-functional partners accountable for release timelines and quality benchmarks.

• In-depth knowledge of GRC practices, including controls, risks, testing methodologies, evidence standards, and program operations (policies, risk registers, POA&M, vendor risk, continuous monitoring).

• A product-oriented mindset, capable of coaching the team on translating customer and regulatory requirements into productizable features, with a comfort level in utilizing data for prioritization.

• Proficiency in technical and automation tools (AI-augmented): skilled in utilizing AI pair-programming and LLM tools to enhance the drafting of specifications, mappings, and test logic, and capable of establishing safe-use guidelines, evaluation practices, and reusable patterns for the team.

• Highly analytical and detail-oriented: proficient in precise control wording, mapping accuracy, and evidence specificity; comfortable handling spreadsheets and large datasets.

• Outstanding written and verbal communication skills; able to collaborate effectively with engineers, designers, go-to-market teams, auditors, and customers, and to represent the team's work to executives.

• Self-driven and adaptable in a dynamic environment, with a proven track record of leading teams through change.

• Federal experience (e.g., FedRAMP, CMMC, StateRAMP) is a plus but not mandatory.

• Experience with privacy regulations (GDPR/CCPA) and a background in audits/assessments are advantageous.

• Certifications are preferred but not mandatory; one or more of CISA, CISSP, CCSK/CCSK+, ISO 27001 Lead Implementer/Lead Auditor, CIPM/CIPT, PCI-ISA/QSA.

• Open to leveraging AI to enhance their skills and improve their work, showcasing curiosity, a willingness to learn, and sound judgment in applying AI responsibly to boost efficiency and impact.


🏝️ Benefits

• Comprehensive medical, dental, and vision insurance, with 100% coverage of employee-only premiums for most medical plans.

• 16 weeks of paid parental leave for all new parents.

• Health & wellness stipend.

• Remote workspace, internet, and cellphone stipends.

• Commuter benefits for team members commuting to the SF and NYC offices.

• Family planning benefits.

• Matching 401(k) contributions with immediate vesting.

• Flexible Paid Time Off (PTO) policy, along with 80 hours of sick time.

• 11 company-paid holidays.

• Virtual team-building activities, lunch and learns, and other company-wide events!
