Remotery

Security and Compliance Manager

Posted May 9

This is a fully remote position, open to applicants in California and 7 other US states.

📋 Description

• Develop and implement the security roadmap for the organization, focusing on enhancing the security of critical systems (payment infrastructure, donor data stores, authentication flows, API integrations) and ensuring adherence to relevant laws (e.g., data privacy and security).

• Collaborate directly with PDE leadership to integrate security measures into the development lifecycle: threat modeling, secure code review, vulnerability management, and CI/CD pipeline security tools (SAST, DAST, SCA).

• Take full ownership of the security incident response plan from start to finish: detection, containment, investigation, notification, remediation, and post-incident analysis.

• Partner with IT to enhance identity and access management, including role-based access controls, MFA enforcement, endpoint security, and session management.

• Gain a comprehensive understanding of fraud vectors in the fundraising and payments sectors—such as stolen cards, synthetic identities, friendly fraud, and campaign abuse—and assist in building adaptive systems as threats change.

• Oversee vendor security risk assessments for third-party tools, integrations, and sub-processors, ensuring ongoing monitoring instead of just annual check-ins.

• Manage the penetration testing program: maintain vendor relationships, establish testing schedules, translate findings into engineering tickets, and track remediation to completion.

• Create and deliver security awareness training for all staff, with specialized modules for PDE, CX, and leadership teams.

• Lead the SOC 2 Type II certification process from beginning to end: gap analysis, control design, evidence collection, remediation tracking, auditor coordination, and continuous maintenance.

• Develop the roadmap towards ISO 27001 certification as the security program evolves.

• Act as the primary owner of our GRC platform (Vanta): driving task completion, tracking compliance gaps, triaging findings, and ensuring accountability for remediation owners.

• Manage relationships with all external auditors and certification bodies.

• Build and sustain evidence repositories that facilitate continuous (as opposed to just point-in-time) compliance.

• Prepare compliance status reports and risk summaries suitable for board review on a quarterly basis.

• Under the guidance of the General Counsel, manage all necessary licenses, registrations, and regulatory filings across US jurisdictions, including state charitable fundraising platform registrations and other licenses.

• Oversee the Trust Center: ensuring content accuracy, access approvals, and compliance documentation for customers.


⛳️ Requirements

• A minimum of 7 years of experience in information security, security engineering, GRC, or a related discipline, with at least 4 years in a fintech, payments, or financial services context.

• Demonstrated hands-on experience in hardening production systems at a growth-stage company, rather than merely formulating policies.

• In-depth working knowledge of SOC 2, PCI DSS, and at least one additional framework (NIST CSF, CIS Controls, ISO 27001).

• Familiarity with modern AI-era threat vectors and the ability to articulate a defensive strategy against them.

• Technical fluency: capable of interpreting cloud infrastructure diagrams, understanding the significance of a GitHub permissions model, evaluating a penetration test report, and translating all this into actionable guidance for engineering teams.

• Hands-on experience with GRC tools (Vanta, Drata, Secureframe, or similar) and a proven track record of driving remediation workflows to closure, not just monitoring dashboards.

• Experience leading external audits from start to finish: managing auditor relationships, collecting evidence, remediating findings, and reporting to the board.

• Ability to create programs rather than just maintain them: thriving in environments where the playbook is yet to be established.

• Strong communication skills to explain complex security and regulatory topics in simple terms to non-technical stakeholders.

• Excellent judgment regarding when to escalate issues, when to take independent action, and when to advocate for necessary changes.


🏝️ Benefits

• Remote Work: Enjoy the flexibility of working remotely from one of our 10 hubs (Austin, Denver, Indianapolis, Los Angeles, San Francisco, New York, Salt Lake City, Minneapolis, Seattle, and Nashville).

• Health Insurance: We provide 100% coverage for Medical, Dental, and Vision insurance for employees, along with HSA and FSA accounts.

• Dependent Care Coverage: We offer coverage for dependents, with 50% of Medical, Dental, and Vision premiums covered for all eligible dependents.

• Mental Health: Givebutter health insurance plans include access to a TalkSpace membership.

• 401k: We offer a 3% 401k match for all eligible employees.

• Vacation and Holidays: Givebutter provides a Flexible PTO policy with uncapped vacation days and company-observed holidays.

• Wellness Week: Givebutter closes for one week each summer to prioritize rest and recharge for the entire team.

• Parental Leave: We offer 12 weeks of paid leave for all parents, along with comprehensive leave planning management through Aidora.

• Family Care Support: Benefit from a company-paid UrbanSitter membership and care credits to book trusted, background-checked caregivers for childcare, senior care, pet care, and household support when needed.

• Home Office Stipend: Enhance your home office with company-sponsored expenses, including high-quality laptops, monitors, and modern technology.

• Coworking Stipend: Receive a monthly stipend that allows you to work from coworking spaces or cafés whenever you seek connection, community, or a change of scenery.

• Charitable Giving: Employees are encouraged to contribute up to $50/month to any verified nonprofit they wish to support on Givebutter.

• Professional Development: We provide opportunities for learning and development reimbursement.

• Love What You Do: We are a mission-driven company dedicated to the charitable sector. Take pride in the work you do and the company you represent.
