Security Governance, Risk and Compliance Manager for Shippo in San Francisco, Austin, Remote US, or Dublin, Ireland (salary not disclosed)

June 27, 2022 | News/Articles


  • Establish and maintain a roadmap for security audit programs
  • Maintain cybersecurity program policies, standards, procedures, and best practices
  • Scope and manage security and privacy audits for multiple frameworks (SOC 2, ISO, HIPAA, etc.); additionally, serve in a project management capacity to ensure that the appropriate teams are involved in audit and control testing activities
  • Scope and manage security risk assessments. Oversee the risk register and the ongoing risk treatment lifecycle, including exceptions
  • Select, implement and maintain GRC tools, infrastructure, and compliance automation platforms
  • Respond to third party security audit and customer security due diligence requests
  • Conduct regular vendor assessments and build a scalable vendor risk management program
  • Establish and maintain unified compliance framework
  • Review and revise security and privacy terms in contracts. Create reusable contract attachments for use in customer, partner and vendor agreements
  • Advise teams on developing pragmatic solutions that achieve business requirements and also maintain acceptable levels of risk
  • Lead organizational security awareness efforts, and implement a measured and managed awareness program
  • Develop external-facing security content to be shared with customers and partners, presented in meetings, and placed on company website
  • Evangelize security best practices across the organization
  • Measure security program maturity and build plans for increasing maturity through projects, capabilities, and controls
  • Develop reports to help senior organizational leaders understand cyber security risk and compliance related concerns
  • Create and maintain a data stewardship program to ensure ongoing compliance with Shippo’s data governance controls


  • Minimum 5 years of experience in a combination of risk management, information security and technical audit roles
  • BS or MS degree in Computer Science or equivalent experience
  • Experience building security programs and developing policies, standards and procedures
  • A deep understanding of security, regulatory and audit frameworks such as ISO 27001, 27017, 27018, GDPR, CCPA, and SOC 2 with its Trust Services Criteria is necessary
  • Experience leading multiple audit efforts to successful outcomes, and maintaining successful outcomes in subsequent year audits
  • Experience leading security risk assessments, maintaining risk registers, with a successful track record of company-wide collaboration/influencing to prioritize and remediate risks
  • Experience building scaled processes for timely and effective response to security due diligence inquiries from partners, customers, and insurers
  • Experience performing third party risk assessments
  • Experience negotiating security terms in customer/partner/vendor contracts
  • Certification in one or more technical information security disciplines (e.g. CISSP, SSCP, CCSP, GIAC) is highly desired
  • Experience with data privacy is preferred
  • Deep understanding of customer needs and passion for customer success
  • Exceptional verbal, written, and interpersonal communication skills
