Senior Security Program Manager

Tiny Fish

Hồ Chí Minh, 11 hours ago
150 - 300 million VND
Information Technology & Services
On-site
Full-time

Job description

We're hiring a Senior Security Program Manager to run security and compliance as a program at TinyFish. You'll own the operational backbone — Vanta, audits, vulnerability SLAs, policy lifecycle, vendor risk, customer security reviews — so our Security Lead can stay focused on architecture and threat work, and security requirements run smoothly across our enterprise deals.
This is an IC role reporting to the Staff Program Manager, working closely with our Security Lead. You'll be the first hire whose full-time job is running the program rather than building the controls.

Why this role, why now

Today our Security Lead is doing two jobs — designing the controls and running the program that proves they work. That worked at our previous scale but doesn't scale to the next one, and it leaves architecture and threat work under-invested. You'll take the program side so he can take the design side. You'll also be the representative of TinyFish when an enterprise customer has questions about our security program.

What you'll own

Compliance lifecycle: Maintain ISO 27001 certification, prep for SOC 2 Type 1 and 2, manage auditor relationships, own evidence collection in Vanta. You'll know what's failing before the dashboard turns red, and you'll own the forecast of when the next certification is expected to complete.
Vulnerability management as a program: Own the SLA layer — weekly dashboard, breach escalation, exception tracking, monthly view to leadership. Engineers fix the bugs; you make sure they fix them on time.
Policy lifecycle: Annual reviews, new policies as scope expands, training rollout, attestation tracking, exception requests. We run reviews through an adversarial AI pipeline today; you'll own the cadence and the human decisions inside it.
People-ops security controls: Onboarding/offboarding evidence, access reviews, security awareness training, background-check tracking, permission-management security groups. Partner with HR on the workflow, own the auditable artifact.
Vendor risk: Vendor inventory, pre-procurement assessments, annual reassessments, DPA and sub-processor tracking.
Customer-facing security: Security questionnaires, CAIQs, custom RFPs, customer security calls. You're the named SPM in our trust center.
Product Terms of Service and Privacy Policy: Own the update cadence and the cross-functional process when product changes trigger policy revisions.
Risk and incident program ownership: Maintain the risk register, run quarterly reviews, own the incident runbook artifact (technical response stays with Security Engineering), schedule and run tabletop exercises.

What success looks like

30 days: You've mapped every control, test, policy, and recurring cadence currently held in our Security Lead's head into a documented program. You know what's healthy and what's broken or inefficient.
90 days: Vanta dashboard health is your home. Customer-questionnaire backlog cleared and a templated response library exists. First dry-run of the next audit window complete.
6 months: ISO 27001 certified (if on track), SOC 2 Type 1 in flight, vendor risk program running with an actual inventory, security training completion above 95%, customer security reviews handled inside SLA without engineering pulled in.
12 months: You can answer a 200-line enterprise security questionnaire without consulting Slack. The program runs without the CTO needing to check on it.

Experience requirements

About you

4-7 years in security or GRC program management, ideally at a B2B SaaS company that grew through early stages.
Lived experience running and owning ISO 27001 and SOC 2 audits end-to-end, including auditor management.
Deep fluency in Vanta (or Drata/Tugboat with willingness to switch). You know what the platforms do well and where you have to compensate manually.
Comfortable in front of customer security teams, both to represent the capabilities of our security program and to instill confidence in the team.
Strong written communication.
Good judgment on when a control gap is a real risk vs. a paperwork issue, and the ability to escalate issues quickly to the right audiences.

Bonus

AI/ML security experience, especially model providers, prompt injection, data handling in agentic systems.
Prior work at a company with a browser-based product (extensions, agents, scraping at scale).
Experience standing up an additional framework (HIPAA, FedRAMP, ISO 27017/27018, C5).
Background in pen-test coordination or bug bounty program management.