Product GRC SME

At Vanta, our mission is to help businesses earn and prove trust. We believe that security should be monitored and verified continuously, and we empower companies to practice better security and prove it with ease. Vanta has a kind and talented team, and while some have prior security experience, many have been successful at Vanta without it. As Vanta rapidly grows and moves upmarket, we’re working with increasingly sophisticated customers who have complex security and compliance needs across a wide range of industries and geographies. The GRC Subject Matter Experts play a critical role in delivering high-quality, scalable content and product guidance to help these companies effectively manage their GRC programs.As Vanta’s newest GRC Subject Matter Expert, you’ll be responsible for developing and maintaining multi-framework GRC solutions used by thousands of customers. Acting as a bridge between Product Management, Engineering, Design, Sales, and Customer Success, you’ll ensure our solutions align with key security, privacy, and risk frameworks and real-world customer needs. You’ll play a pivotal role in designing, validating, and improving compliance-related content and capabilities while providing strategic input to shape Vanta’s GRC product roadmap.You’ll join Vanta’s Security organization, which provides essential security operational services, is directly involved in the software development process, sets policies and standards regarding enterprise-wide security requirements, and offers advisory services to enable our business to thrive while effectively managing risk. If you’re someone who has high initiative and enjoys solving complex problems with real customer impact, we’d love to hear from you!What you’ll do as a GRC SME at Vanta:Build and maintain compliance frameworks - Lead the creation, enhancement, and lifecycle management of controls, evidence requirements, and implementation guidance for standards such as SOC 2, ISO/IEC 27001 & 27701, HIPAA, PCI DSS, NIST CSF, NIST SP 800-53, and regional regulations (e.g., GDPR/CCPA). Author clear control rationales, acceptance criteria, and customer-facing guidance.Design crosswalks and mappings (framework‑agnostic) - Create and steward an internal common‑control approach informed by industry catalogs (e.g., SCF, UCF, or similar). Maintain bidirectional crosswalks across industry leading security and privacy regulatory frameworks. Define canonical control IDs, mapping confidence, and evidence data dictionaries; version crosswalks with changelogs and traceability to source authority. Partner with Engineering to operationalize mappings in‑product (integrations, automated tests, exceptions/exemptions, continuous monitoring workflows).Elevate content quality and usability - Define standards for control wording, evidence specificity, testing method, and reviewer guidance. Establish content QA processes, audits, and metrics (e.g., adoption, time-to-evidence, completion rates) to continually improve outcomes.Drive end‑to‑end GRC product enablement - Build modular content, guidance, and templates for risk management (methodologies, scoring, KRIs), issue & corrective action management (POA&M), policy management (lifecycle, attestations), access reviews (SoD, recertification flows), customer trust / Trust Center artifacts, and third‑party risk management (TPRM) (due diligence, monitoring, contract clauses).Act as a product advisor across discovery & design - Partner with PM/Design to support feature discovery (customer interviews, JTBD, task analysis), review UI/UX for control, evidence, and review workflows, run usability tests, and author PRDs/acceptance criteria grounded in auditor and customer needs.Author automated tests & continuous monitoring - Translate controls/compliance knowledge and infrastructure contexts (cloud services, SaaS apps, on‑prem, endpoints, networks, CI/CD) into spec‑level automated tests and detectors in Vanta. Define test logic, data sources/integrations (AP ... (truncated, view full listing at source)