Note: The job is a remote job and is open to candidates in USA. Smartsheet is a company that has empowered teams for over 20 years and is now seeking a Principal Security Engineer to lead their GRC team. In this role, you will architect the technical foundation for managing risk and compliance at scale, design policy-as-code systems, and lead the strategy and delivery of GRC automation.
Responsibilities
- Own the end-to-end GRC strategy and roadmap: Lead the planning and prioritization of GRC initiatives that drive compliance maturity, reduce audit risk, and improve operational efficiency
- Design and implement policy-as-code systems: Translate compliance frameworks (SOC 2, ISO 27001, FedRAMP, HIPAA) into enforceable code, leveraging Infrastructure-as-Code (Terraform, CloudFormation) and automated compliance validation
- Build custom control frameworks: Design Smartsheet-specific Unified Control Frameworks (UCF) and Secure Control Frameworks (SCF) that map to our cloud architecture, multi-framework requirements, and organizational risk appetite
- Lead full audit cycles: Manage preparation, execution, and resolution for SOC 2 Type II, ISO 27001, FedRAMP, and other certification audits. Own evidence gathering, audit readiness tracking, and post-audit remediation
- Architect GRC platform strategy: Evaluate, select, configure, and integrate GRC tooling (Vanta, Drata, or similar) with our cloud infrastructure, identity systems, ticketing systems, and CI/CD pipelines to enable continuous compliance monitoring
- Design automated evidence collection and validation: Build data pipelines and integrations that automatically collect compliance evidence from AWS, application logs, identity systems, and operational tools; validate accuracy and reduce manual verification
- Translate compliance requirements into technical implementations: Work with engineering and security teams to express policies and regulatory requirements in a way they can execute and monitor—breaking down silos between compliance and technical teams
- Establish risk management and governance processes: Design and operate risk registers, control effectiveness assessments, continuous monitoring workflows, and escalation processes that provide leadership with real-time visibility into compliance posture
- Build and lead the GRC team: Mentor and develop your team, establish technical and operational practices, define the playbooks for compliance execution, and create a culture of continuous improvement
Skills
- 10+ years of experience in GRC, compliance, security engineering, or related roles, with 5+ years in a technical or leadership capacity managing compliance programs at scale
- A degree in Computer Science, Computer Engineering, Cybersecurity or a related field or equivalent practical experience
- Deep hands-on expertise in running full audit cycles across multiple frameworks, particularly SOC 2 Type II, ISO 27001, and FedRAMP. You've managed evidence preparation, control testing, audit remediation, and continuous monitoring
- Strong technical foundation in cloud architecture and compliance: Working knowledge of AWS/GCP/Azure, infrastructure-as-code (Terraform), CI/CD pipelines, identity and access management, encryption, and logging—sufficient to design control implementations and validate technical posture
- Hands-on experience with GRC platform administration and customization (Vanta, Drata, ServiceNow GRC, or equivalent), including integration design and workflow automation
- Proficiency in policy-as-code and compliance-as-code principles: Experience implementing automated controls, policy enforcement, and continuous compliance validation through code and configuration
- Fluency in multiple compliance frameworks: Deep knowledge of SOC 2 Trust Service Criteria, ISO 27001 control objectives, NIST 800-53 (or 800-171 for government), and experience with HIPAA, GDPR, and industry-specific frameworks
- Scripting and automation skills: Comfortable with Python, Bash, or similar for building integrations, data pipelines, and automated control validation
- Excellent communication and program management: Ability to distill complex compliance concepts for both technical and business audiences, manage multi-workstream programs, and drive alignment across teams
- Some federal/government sector experience is valuable but not required: Understanding of FedRAMP processes, government compliance nuances, and federal contractor requirements is a plus
- US Person Status: Must be a U.S. Citizen, U.S. National to meet federal compliance requirements
- Professional certifications: CISSP, CISM, CISA, CRISC, GRCP, or AWS Certified Security – Specialty
- Experience with AI governance frameworks (NIST AI RMF, ISO 42001) as emerging compliance requirements
- Background in DevSecOps or security operations with hands-on CI/CD and Infrastructure-as-Code experience
- Experience with SaaS-scale operations and rapid compliance scaling in high-growth environments
Benefits
- Employer subsidized medical/vision and dental coverage for full-time employees
- 401k Match to help you save for your future (50% of your contribution up to the first 6% of your eligible pay)
- Monthly stipend to support your work and productivity
- Flexible Time Away Program, plus Sick Time Off
- US employees are automatically covered under Smartsheet-sponsored life insurance, short-term, and long-term disability plans
- US employees receive 12 paid holidays per year
- Up to 24 weeks of Parental Leave
- Personal paid Volunteer Day to support our community
- Opportunities for professional growth and development including access to Udemy online courses
- Company Funded Perks, including a counseling membership, local retail discounts, and your own personal Smartsheet account
- Teleworking options from any registered location in the U.S. (role specific)
Company Overview