Vendor Security Risk Management Lead (Remote)
Why join us
Brex is reimagining financial systems so every growing company can realize their full potential. As the financial OS, we’re building software and services in one place—disrupting long-entrenched institutions with products and experiences that better serve the ambitions of our customers.
Working at Brex allows you to push your limits, challenge the status quo, and collaborate with some of the brightest minds in the industry. We’re committed to building a diverse team and inclusive culture and believe your potential should only be limited by how big you can dream. We make this a reality by empowering you with the tools, resources, and support you need to grow your career.
Engineering at Brex
The Engineering team includes Data, IT, Security, and Software, and is responsible for building innovative products and infrastructure for Brex and our customers. We believe that engineers should accelerate the business through technology, and collaborate across multiple teams to accomplish that.
Teams are autonomous, value inclusivity, eager to learn, teach and constantly improve how things work. The software we build today is the foundation for dozens of Brex systems in the future, so engineers have a strong sense of ownership and accountability and take pride in their craft.
What you’ll do
Building world-class financial services requires world-class security. As a GRC Lead on the Trust team, you will drive high-impact, cross-organization governance, risk, and compliance initiatives. You will advocate for security and privacy across the company and lead and scale Trust efforts while staying hands-on yourself.
GRC’s mission is to instill trust in Brex from our customers, regulators, partners, and workforce. We help enable the company’s continued growth by maturing our security posture, maintaining compliance, optimizing security practices, and mitigating enterprise risk. Toward these ends, ensuring that the third party vendors across our tech stack are like-minded in their security approach is essential.
The GRC team handles a wide range of cross-functional activities, from security compliance certifications and audits to risk management, vendor reviews, inbound due diligence, security education, access control, policies and procedures, and more.
Each of these ongoing parallel activities entails interpreting and setting requirements, assessing the effectiveness of security controls, risk-based decision making, collaboration and communication, and staying up-to-date on security best practices and how changes in the evolving threat landscape need to inform our strategy. We are committed to going above and beyond industry standards in every aspect of GRC.
Your primary role would be to manage our third-party risk activities: identifying and assessing the risks associated with existing and new vendor relationships by conducting thorough due diligence reviews prior to procurement and periodically thereafter, and continuously monitoring for any relevant changes to a vendor's risk level or engagement scope. Where an assessment produces findings, you would ensure that a plan of action and follow-up check-ins are in place and tracked to closure.
- Deep experience with cybersecurity/IT risk management, specifically reviewing project documentation, system design documents, and vendor security references such as certification reports (e.g., SOC 2 reports), security overviews, whitepapers, and supporting policies
- Knowledge of fundamental security concepts and domains, both to assess a vendor's security practices and to define and document requirements for how we should safely use their products and/or services: which threats the integration introduces, how to mitigate them, and how the vendor's implementation affects the security posture of our existing environment
- Comfort working with tools built to assist in vendor management (e.g., SecurityScorecard, OneTrust, BitSight, Panorays, and GRC platforms such as Archer and ZenGRC)
- Familiarity with compliance standards and frameworks such as SOC 2, PCI DSS, NIST, COBIT, ITIL, ISO 27001, GDPR, and CCPA, and willingness to learn others
- Proven track record of cross-functional collaboration, especially building security culture while keeping business needs top of mind
- Diligence and attention to detail in both process and content, and strong written and verbal communication skills, with a talent for articulating complex concepts precisely and clearly
- Experience working in or with startups, especially during periods of hypergrowth
- Fluency with other GRC operational work and security support tasks, such as policy revision, audit preparation and evidence collection, process design and improvement, and customer/prospect/partner assurance