Security Compliance Manager

Title: Security Compliance Manager Location: Austin, TX / Dallas, TX / San Francisco Bay Area, CA / Morristown, NJ (hybrid) Reports To: Sr. Manager, Cybersecurity About Hippo Hippo exists to protect the joy of homeownership. We believe that insurance should protect the things you treasure through an intuitive, modern experience. We provide tailored insurance coverage and preventative maintenance plans that keep you protected throughout your homeowner journey. We’ll also help you find coverage for everything life brings—from auto to flood—reimagining how you care for your home. About the Role The Security Compliance Manager owns and evolves Hippo’s governance, risk, and compliance (GRC) program, ensuring the company maintains strong, defensible security controls and meets regulatory and audit requirements. This role leads the design, execution, and maturity of IT general controls (ITGC), SOX compliance, SOC 2 readiness and audits, and alignment with industry frameworks such as ISO 27001 and NIST. Partnering closely with Security Engineering, IT, Finance, Legal, and Internal and External Audit, the Security Compliance Manager delivers rigorous risk assessments, effective control testing, and clear assurance reporting. The role plays a critical part in ensuring regulatory compliance, including NYCRR 500, while continuously improving compliance efficiency through standardization and automation. About You You are a seasoned security compliance and risk professional with a strong command of audit, controls, and regulatory frameworks. You are comfortable owning complex compliance programs end-to-end and translating regulatory requirements into practical, scalable controls. You thrive in cross-functional environments, communicate clearly with both technical and non-technical stakeholders, and bring a structured, detail-oriented approach to risk management. You balance rigor with pragmatism, helping the organization meet compliance obligations while enabling the business to move efficiently and confidently. What You'll Do: Own and mature the end-to-end GRC program, including ITGC, SOX, SOC 2, ISO 27001 alignment, and NYCRR 500 compliance. Design, execute, and test IT general controls across access management, change management, operations, backup and disaster recovery, and vendor/SaaS environments. Lead SOX activities including scoping, walkthroughs, design and operating effectiveness testing, deficiency evaluation, and remediation tracking. Manage SOC 2 readiness and annual Type 1 and Type 2 audits, including control mapping, evidence collection, and exception management. Align security policies, standards, and procedures with ISO 27001 Annex A, NIST CSF, COBIT, and CIS Controls, ensuring regulatory applicability. Conduct enterprise and IT risk assessments, document risk treatment plans, and track remediation through closure. Establish continuous control testing and assurance practices, including testing scripts, sampling methodologies, and evidence standards. Develop and report on key risk and performance indicators (KRIs/KPIs) such as control pass rates, audit findings, evidence SLAs, and vendor risk trends. Serve as the primary point of contact for Internal Audit and external auditors, producing executive- and board-ready compliance reporting. Lead third-party and vendor risk assessments, including SIG/CAIQ reviews, contract control requirements, and ongoing monitoring. Map and validate cloud controls (AWS, Azure, GCP) against SOX, SOC 2, ISO 27001, and NYCRR 500 expectations. Maintain security policies, control catalogs, control narratives, and RACI documentation. Drive security awareness, control owner training, and process maturity, including identifying opportunities for automation and continuous monitoring. Must Haves: 6+ years of experience in security compliance, IT audit, or IT risk management. Hands-on ownership of ITGC, SOX, SOC 2, and policy frameworks such as ISO 27001. Strong expertise in ... (truncated, view full listing at source)