About the role

We are seeking a Director, Head of InfoSec & Governance, Risk & Compliance (GRC) to lead the company’s efforts to build a secure, compliant, and resilient operating foundation across our software and cloud platforms. This leader will oversee Governance, Risk & Compliance, as well as the IT and Security functions — bringing together risk management, compliance, and security architecture under one cohesive strategy.

You will partner closely with Engineering, Product, and Security Architecture teams to embed compliance and security by design, develop scalable governance models, and ensure our technology and operations meet the standards of trust expected by our customers and regulators.

This is a hands-on leadership role for a seasoned operator who can bridge strategic risk management and technical depth — shaping enterprise-wide frameworks while staying engaged in the design and validation of real-world security and compliance solutions.

What you’ll be doing

Governance, Risk & Compliance Leadership

• Build and oversee the company’s enterprise-wide GRC framework, integrating risk, compliance, IT, and security disciplines.
• Partner with Finance, Legal, and Product teams to align governance and control frameworks with business objectives and growth strategy.
• Maintain a comprehensive enterprise risk register, performing ongoing assessments and scenario planning to inform leadership and board discussions.
• Ensure consistent documentation, evidence gathering, and audit readiness for key frameworks (SOC 2, ISO 27001, GDPR, CCPA, PCI, FedRAMP, etc.).

IT & Security Oversight

• Lead the IT and Security teams, driving a unified approach to infrastructure resilience, data protection, and compliance control implementation.
• Define and manage the Security Incident Management process, ensuring timely response, root cause analysis, and corrective actions.
• Oversee the design and implementation of key security capabilities such as key management, encryption, data masking, and access control.
• Stay current on emerging security threats and evolving cloud risks, applying insights to improve company posture and preparedness.

Engineering Partnership & Technical Integration

• Serve as a key business partner to Engineering, Product, and Security Architecture, ensuring compliance and risk management are built into software development lifecycles.
• Define, review, and refine compliance-related epics, user stories, and acceptance criteria in partnership with Product teams.
• Develop and communicate a multi-period security and compliance roadmap, aligned with company product releases and customer expectations.
• Collaborate with engineers to create repeatable, auditable compliance artifacts and automated control testing processes.
• Participate in architecture design discussions to identify and mitigate security and compliance risks in new solutions.

Compliance & Audit Management

• Oversee external and internal audit cycles, including SOC 2 Type 2, ISO 27001, and HIPAA readiness and remediation.
• Partner with external auditors and assessors to coordinate documentation, testing, and corrective actions.
• Ensure GRC tools and processes are streamlined, automated, and well-documented for efficiency and scalability.

Culture, Ethics & Collaboration

• Lead company-wide compliance and ethics programs, including Code of Conduct, training, and reporting mechanisms as it relates to information security.
• Build a culture of proactive risk awareness, transparency, and continuous improvement across all departments.
• Provide regular briefings to the executive team and Audit Committee on key risks, compliance status, and mitigation efforts.

What we’re looking for

• Bachelor’s or Master’s degree in Computer Science, Information Security, or related field.
• 8-10 years of progressive experience in GRC, IT Security, or compliance, with at least 3+ years in a leadership role within a software, SaaS, or cloud-based company.
• Strong understanding of cloud architectures and modern DevSecOps practices, including secure software development and CI/CD pipeline controls.
• Deep knowledge of compliance frameworks including SOC 2, ISO 27001, NIST, GDPR, CCPA, PCI, and related security standards.
• Proven ability to collaborate with Engineering and Product teams to translate compliance requirements into practical, sustainable controls.
• Strong risk assessment, audit management, and project management skills.
• Excellent communicator capable of simplifying complex technical and regulatory topics for executive and cross-functional audiences.

Bonus points if you have

• Professional certifications such as CISA, CISSP, CRISC, CISM, or CCEP.
• Experience implementing or managing GRC tools, control automation, or compliance monitoring systems.
• Customer-facing experience supporting security and compliance reviews.

What we offer

• Medical, dental and vision insurance
• 401(k) Plan
• Short term / long term disability and life insurance
• Pre-IPO stock options
• Flexible PTO
• 16 hours of volunteer time off
• 12 company paid holidays, including Juneteenth
• Remote work options
• Paid parental leave
• Employee Assistance Program (EAP)
• Biannual swag surprise

**Certain benefits are only allowed to full-time Dremio employees and may not be the same across all locations**