Governance, Risk & Compliance (GRC) Engineer

Who are we?

Smarsh empowers its customers to manage risk and unleash intelligence in their digital communications. Our growing community of over 6500 organizations in regulated industries counts on Smarsh every day to help them spot compliance, legal or reputational risks in 80+ communication channels before those risks become regulatory fines or headlines. Relentless innovation has fueled our journey to consistent leadership recognition from analysts like Gartner and Forrester, and our sustained, aggressive growth has landed Smarsh in the annual Inc. 5000 list of fastest-growing American companies since 2008.

Summary

Smarsh is a global leader in digital communications capture, archiving, and oversight. Smarsh is committed to embedding security as a business enabler through governance process excellence and scalable control frameworks. As a GRC Engineer, you will play a critical role in advancing our governance, risk, and compliance programs. You’ll be responsible for defining, implementing, and optimizing security controls and risk processes that support operational alignment across the organization. This role requires an understanding of how governance can scale through automation, control validation workflows, and "Policy as Code" principles. You’ll collaborate closely with engineering, security, legal, and business teams to ensure our GRC practices mature in step with our growth.

How will you contribute?

• ISMS Governance & Controls Assurance: Lead the ongoing maintenance and enhancement of Smarsh’s ISO 27001-aligned ISMS, ensuring policies, controls, and governance processes are clear, actionable, and aligned with business operations. Author and maintain security control narratives, working closely with technical teams to ensure controls are designed with enforceability and operational alignment in mind. Oversee the Control Assurance Program, ensuring effective evidence collection, control testing, and continuous monitoring practices. Coordinate internal and external audit readiness (SOC 2, ISO 27001, FedRAMP, customer audits) through structured governance workflows.
• Risk Management & Governance: Manage the risk assessment lifecycle, ensuring comprehensive engagement across business, technical, and third-party risk domains. Facilitate risk acceptance workflows, maintaining governance rigor through well-defined documentation and approval processes. Ensure effective governance of risk treatment plans, enabling clear tracking and status reporting.
• Regulatory, Contractual & Client Assurance: Translate emerging regulations (e.g., DORA, SEC Cyber Rules, UK AI Act) into internal governance requirements and operational processes. Manage customer security assessments and DDQs, utilizing standardized assurance artefacts to deliver efficient, high-quality responses. Ensure external assurance artefacts are maintained and accessible through the Smarsh Trust Center.
• Third-Party & Supply Chain Risk: Lead third-party security reviews and ensure governance controls are extended across the vendor lifecycle. Partner with Procurement and Legal to align contractual security requirements and risk acceptance criteria.
• Policy Lifecycle & Governance Metrics: Own the policy lifecycle process, ensuring policies are regularly reviewed, updated, and tracked for compliance. Develop governance reporting and dashboards that provide clear visibility into control effectiveness, risk posture, and audit readiness. Support governance forums and leadership committees with data-driven insights and structured governance reports.
• GRC Operations & Enablement: Lead the continual refinement of GRC workflows, ensuring operational efficiency in documentation, evidence management, and status tracking. Collaborate with Engineering and Security teams to ensure controls are practically enforceable within operational workflows. Bring forward ideas and experience around scaling governance processes through automation and control validation techniques, supporting Smarsh’s long-term governance maturity.

What will you bring?

• 2–5 years’ experience in information security, risk management, or compliance.
• Working knowledge of security frameworks such as ISO 27001, SOC 2, GDPR, NIST CSF, or similar.
• Familiarity with GRC platforms and evidence lifecycle management
• Strong organizational skills with attention to detail in documentation and reporting.
• Effective communication skills with both technical and non-technical stakeholders.
• Curiosity and drive to grow into GRC Engineering with a focus on automation and scalability.

The above salary range represents Smarsh's good faith and reasonable estimate of the range of possible base compensation at the time of posting. Any applicable bonus programs will be discussed during the recruiting process.

The salary for this role will be set based on a variety of factors, including but not limited to, internal equity, experience, education, location, specialty and training.

Local cost of living assessments are done for each new hire at the time of offer.

About our culture

Smarsh hires lifelong learners with a passion for innovating with purpose, humility and humor. Collaboration is at the heart of everything we do. We work closely with the most popular communications platforms and the world’s leading cloud infrastructure platforms. We use the latest in AI/ML technology to help our customers break new ground at scale. We are a global organization that values diversity, and we believe that providing opportunities for everyone to be their authentic self is key to our success. Smarsh leadership, culture, and commitment to developing our people have all garnered Comparably.com Best Places to Work Awards. Come join us and find out what the best work of your career looks like.