Senior Assurance Manager
Who You Are
We are seeking an experienced Senior Cyber Assurance Manager to build, manage, and mature our Governance, Risk, and Compliance (GRC) program. In this highly visible role, you will be responsible for managing all internal and external assurance obligations, taking full ownership of our compliance management platform (Vanta), and overseeing our enterprise risk management processes. This role is currently structured as a high-impact Individual Contributor (IC) position, requiring a 'builder' mindset with the potential to scale the team as the GRC program matures.
The ideal candidate is a hands-on leader who excels at automating compliance, managing audits from end-to-end, and translating complex security requirements—particularly those at the intersection of Generative AI/LLMs, Reinforcement Learning, and high-stakes industrial environments—into actionable, efficient business processes.
We are seeking a team member located within the United States of America.
In the United States, we are only able to accept applicants located in the following states: California, Colorado, Connecticut, Georgia, Florida, Indiana, Maryland, Minnesota, Missouri, Nebraska, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, Washington.
What You'll Do (Key Responsibilities)
GRC Platform & Compliance Automation (Vanta Ownership)
Serve as the primary system owner and administrator for our compliance management platform, Vanta.
Configure, manage, and optimize the platform to align with our implemented control frameworks (e.g., SOC 2, ISO 27001).
Drive efficiency by deploying and maximizing automated testing, continuous monitoring, and evidence collection capabilities within the tool.
Manage platform workflows to ensure all controls, tests, documents, and policies are appropriately assigned to owners across the business and tracked to completion.
Audit & Assurance Management
Manage all internal and external audit activities (e.g., SOC 2, ISO 27001, NIS 2) and other compliance initiatives (like annual penetration tests).
Coordinate all audit-related tasks, including evidence gathering, managing auditor requests, facilitating interviews, and managing the remediation of any findings.
Ensure our compliance and continued accreditation with all required security and privacy programs.
Enterprise Risk Management
Develop, maintain, and manage the enterprise risk register, working with stakeholders to identify, assess, and prioritize security and AI-related risks.
Own and execute our risk and vulnerability assessment process.
Manage the end-to-end risk and control exception process, ensuring all exceptions are documented, reviewed, and approved.
Coordinate with the SRE and business teams on Business Continuity and Disaster Recovery (BCP/DR) planning and data backup systems.
Develop and manage the Third-Party Risk Management (TPRM) program.
Governance & Policy
Own, manage, and implement the full suite of security policies, standards, and procedures, maintaining all related handbook pages and documentation.
Define, establish, and track Key Performance Indicators (KPIs) and metrics to measure the effectiveness of the security program.
Monitor the external landscape for new and changing laws, regulations, and industry standards that impact the organization, including those related to AI governance (e.g., EU AI Act, NIST AI RMF) and AI security best practices (e.g., OWASP Top 10 for LLMs).
Contribute to the security budget, identifying and justifying tools and resources needed to scale the program.
Cross-Functional Collaboration & Enablement
Act as a key security representative for our customers; engage and present on our security posture as needed.
Lead the response to customer-facing risk assessments and security questionnaires, and maintain a central repository of standardized answers.
Lead, manage, and deliver the company-wide security awareness and training program.
Work regularly with cross-functional teams (e.g., Legal, SRE, Engineering, AI/ML, Data Science) to ensure assurance and AI governance considerations, including the Secure AI/ML Development Lifecycle, are integrated into all business processes.
Enable a culture of continuous improvement and innovation, identifying opportunities to enhance security posture and streamline processes.
Key Qualifications
Required:
5+ years of experience in a cyber GRC, IT audit, or security assurance role.
Deep, hands-on experience implementing and managing compliance programs based on common security frameworks (e.g., SOC 2, ISO 27001).
Proven experience building or managing assurance programs in a remote-first, cloud-native environment. You must understand the risk and control differences between traditional on-premise security (e.g., office networks, firewalls) and a modern, distributed workforce (e.g., endpoint security, identity-first auth, Zero Trust principles).
Strong working knowledge of security risk and governance frameworks (e.g., NIST Cybersecurity Framework, MITRE ATT&CK, NIS 2).
Knowledge of emerging AI governance frameworks and regulations (e.g., NIST AI RMF, ISO/IEC 42001, EU AI Act).
Proven experience securing and auditing public cloud environments (e.g., GCP, AWS, or Azure) as the primary corporate infrastructure.
Direct administrative experience managing a GRC or compliance automation platform. Vanta experience is preferred.
Proven experience managing the full lifecycle of external audits (e.g., scoping, evidence collection, auditor management).
Experience working directly with engineering and SRE teams to integrate security controls into the SDLC (Software Development Life Cycle) and CI/CD pipelines, and familiarity with secure-by-default concepts.
Strong understanding of cloud security principles, architectures, and securing containerized environments.
Familiarity with the AI/ML development lifecycle and a strong understanding of security and privacy risks associated with machine learning and Generative AI models (e.g., adversarial attacks, model poisoning, prompt injection, data leakage).
Knowledge of global data security and privacy laws (such as GDPR, CCPA/CPRA) and experience implementing their requirements.
Experience driving assurance initiatives from ideation to deployment across cross-functional teams.
Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner to a diverse audience.
A passion for problem-solving and using scalable solutions to solve repeat problems.
Shares our company values: curiosity, transparency & directness, outcome-based performance, and customer empathy.
Nice-to-Have (Preferred):
Experience developing assurance programs for Generative AI applications, particularly those involving sensitive or critical infrastructure data.
One or more relevant professional certifications (e.g., CISSP, CISM, CCSK, CISA, CRISC).
Hands-on experience implementing or auditing against an AI-specific framework (e.g., NIST AI RMF, ISO 42001).
Experience working in the industrial sector, and direct familiarity with the challenges of IT/OT/AI convergence, including applying security frameworks to OT or ICS environments (e.g., IEC 62443).
Development experience, including familiarity with common security libraries, security controls, and common security flaws.
Onboarding
In your first 30 days... Foundation and Familiarization: The first month will focus on learning the company culture, key stakeholders, technology stack, and current GRC posture.
Understand the Landscape
Build relationships with key stakeholders in Cyber Enablement, SRE, Engineering, Legal, Data Science, and customer-facing teams.
Gain a comprehensive understanding of Phaidra's existing GRC program, including all current security policies, handbook pages, and standards.
Familiarize yourself with the core technology stack, including a deep dive into the current Vanta configuration, GCP environment, and Rippling.
Review Phaidra's AI-powered control systems to understand the unique risk and compliance context, especially regarding the industrial sector and AI governance.
Initial Assessments
Conduct a full review of the current Vanta setup, including existing controls, automated tests, and owner assignments.
Review the current enterprise risk register, exception logs, and TPRM program.
Analyze past audit reports (SOC 2, ISO 27001) and penetration test results to identify historical gaps and recurring themes.
Review the existing security awareness training materials and sales enablement repository.
In your first 60 days... Taking Ownership and Driving Execution: The second month will shift from learning to taking full ownership of GRC platforms and processes, and initiating key compliance activities.
Program Ownership
Take full administrative ownership of the Vanta platform, beginning to optimize configurations, automate new tests, and address any gaps identified in the first 30 days.
Formally take ownership of the enterprise risk register and the risk exception process.
Assume control of the security awareness training program, planning the next campaign or training module.
Take ownership of all security policy and handbook pages, creating a plan for any necessary updates.
Initiating Assurance Activities
Begin planning for the next major audit cycle (e.g., SOC 2, ISO 27001), establishing timelines, communicating with stakeholders, and starting evidence collection workflows in Vanta.
Initiate a new risk assessment on a critical business process or system.
Partner with the sales and customer-facing teams to update the security questionnaire repository and address any immediate customer assurance requests.
Collaborate with the SRE team to review and document disaster recovery and data backup systems.
In your first 90 days... Driving Impact and Future Strategy: By the end of the first three months, the focus will be on demonstrating tangible improvements, showing measurable progress, and planning the future GRC roadmap.
Driving Initiatives
Fully manage the compliance calendar and any active audit evidence collection, ensuring all stakeholders are on track.
Present an updated enterprise risk register to leadership, highlighting prioritized risks and proposed mitigation plans.
Demonstrate measurable improvements in compliance automation (e.g., new automated tests in Vanta) and report on GRC program KPIs.
Launch an updated security awareness training module or phishing campaign.
Strategic Contributions
Present a 6-12 month strategic roadmap for the GRC program, outlining key initiatives. This should include plans for maturing existing frameworks (SOC 2, ISO) and adopting new ones (e.g., NIST AI RMF, ISO 42001, NIS 2).
Propose and begin implementing updates to key security policies to align with AI governance and other emerging requirements.
Establish yourself as the key security partner for customer assurance and internal teams, showcasing how your work aligns with and upholds company values like transparency and customer empathy.
General Interview Process
All of our interviews are held via Google Meet, and an active camera connection is required.
Meeting with People Operations team member (30 minutes)
Meeting with Hiring Manager (45 minutes)
Meeting with our Senior Product Security Engineer (60 minutes)
Leadership Interview (60 minutes)
Culture fit interview with Phaidra’s co-founders (30 minutes)
Base Salary
US Residents:
Tier 1 (Largest highest-cost metros): $167,400 - $223,200
Tier 2 (Other major metros): $159,030 - $212,040
Tier 3 (Mid-sized metro areas): $150,660 - $200,880
Tier 4 (All other locations): $142,290 - $189,720
In addition to base salary, this position is eligible for equity. Final salary will be determined based on several factors, including a candidate’s qualifications, skills, competencies, experience, expertise, education and location. In some cases, final compensation may fall outside the posted range. Salary ranges are regularly reviewed and may be adjusted in response to market trends.
