Principal GRC Engineer

Who are we?
Smarsh empowers its customers to manage risk and unleash intelligence in their digital communications. Our growing community of over 6500 organizations in regulated industries counts on Smarsh every day to help them spot compliance, legal or reputational risks in 80+ communication channels before those risks become regulatory fines or headlines. Relentless innovation has fueled our journey to consistent leadership recognition from analysts like Gartner and Forrester, and our sustained, aggressive growth has landed Smarsh in the annual Inc. 5000 list of fastest-growing American companies since 2008.

Smarsh is a global leader in digital communications capture, archiving, and oversight. Smarsh is committed to embedding security as a business enabler through governance process excellence and scalable control frameworks. As a GRC Lead, you will play a critical role in advancing our governance, risk, and compliance programs. You'll be responsible for defining, implementing, and optimizing security controls and risk processes that support operational alignment across the organization. This role requires a deep understanding of how governance can scale through automation, control validation workflows, and "Policy as Code" principles. You'll collaborate closely with engineering, security, legal, and business teams to ensure our GRC practices mature in step with our growth.

Core Responsibilities

• ISMS Governance & Controls Assurance
• Lead the ongoing maintenance and enhancement of Smarsh's ISO 27001-aligned ISMS, ensuring policies, controls, and governance processes are clear, actionable, and aligned with business operations.
• Author and maintain security control narratives, working closely with technical teams to ensure controls are designed with enforceability and operational alignment in mind.
• Oversee the Control Assurance Program, ensuring effective evidence collection, control testing, and continuous monitoring practices.
• Coordinate internal and external audit readiness (SOC 2, ISO 27001, FedRAMP, customer audits) through structured governance workflows.
• Risk Management & Governance
• Manage the risk assessment lifecycle, ensuring comprehensive engagement across business, technical, and third-party risk domains.
• Facilitate risk acceptance workflows, maintaining governance rigor through well-defined documentation and approval processes.
• Ensure effective governance of risk treatment plans, enabling clear tracking and status reporting.
• Regulatory, Contractual & Client Assurance
• Translate emerging regulations (e.g., DORA, SEC Cyber Rules, UK AI Act) into internal governance requirements and operational processes.
• Manage customer security assessments and DDQs, utilizing standardized assurance artefacts to deliver efficient, high-quality responses.
• Ensure external assurance artefacts are maintained and accessible through the Smarsh Trust Center.
• Third-Party & Supply Chain Risk
• Lead third-party security reviews and ensure governance controls are extended across the vendor lifecycle.
• Partner with Procurement and Legal to align contractual security requirements and risk acceptance criteria.
• Policy Lifecycle & Governance Metrics
• Own the policy lifecycle process, ensuring policies are regularly reviewed, updated, and tracked for compliance.
• Develop governance reporting and dashboards that provide clear visibility into control effectiveness, risk posture, and audit readiness.
• Support governance forums and leadership committees with data-driven insights and structured governance reports.
• GRC Operations & Enablement
• Lead the continual refinement of GRC workflows, ensuring operational efficiency in documentation, evidence management, and status tracking.
• Collaborate with Engineering and Security teams to ensure controls are practically enforceable within operational workflows.
• Bring forward ideas and experience around scaling governance processes through automation and control validation techniques, supporting Smarsh's long-term governance maturity.

Essential Experience

• 7–10 years of experience in GRC leadership, security governance, or compliance process roles within SaaS or regulated industries.
• Proven experience writing security controls, managing control assurance programs, and leading external audit preparation.
• Deep understanding of how security controls are designed, enforced, and validated within technical and business environments.
• Experience translating regulatory frameworks (ISO 27001, SOC 2, GDPR, FedRAMP, DORA, SEC Cyber Rules) into scalable governance processes and workflows.
• Ability to collaborate cross-functionally across Security, Engineering, Legal, and Product teams to embed governance effectively.
• Exceptional documentation and reporting skills, with the ability to produce executive-level governance artefacts and metrics dashboards.
• Strong background with GRC tooling, control validation workflows, and scalable governance process design.

Don't feel that you meet all of the requirements? We encourage you to apply anyway because studies have shown that some strong candidates may self-select out of the interview process prematurely. We have a diverse, inclusive, equitable, and high-performing environment at Smarsh and want to continuously improve our ability to deliver for customers.

About Our Culture
Smarsh hires lifelong learners with a passion for innovating with purpose, humility and humor. Collaboration is at the heart of everything we do. We work closely with the most popular communications platforms and the world's leading cloud infrastructure platforms. We use the latest in AI/ML technology to help our customers break new ground at scale. We are a global organization that values diversity, and we believe that providing opportunities for everyone to be their authentic self is key to our success. Smarsh leadership, culture, and commitment to developing our people have all garnered Best Places to Work Awards. Come join us and find out what the best work of your career looks like.