Security GRC Manager

About the role

Hex is looking for our first Security GRC Manager to build, scale, and own our security and privacy compliance programs. This role is pivotal in setting the foundation for how Hex meets regulatory, customer, and industry obligations across frameworks including SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, CCPA, PCI DSS, and emerging requirements that matter to our customers.

As the inaugural GRC hire, you will architect the systems, processes, and culture that ensure Hex operates with integrity, earns customer trust, and maintains continuous audit readiness. You’ll partner closely with engineering, business operations, and our go-to-market teams to develop a world-class GRC function empowered by automation, thoughtful risk management, and clear communication.

This role is both strategic and hands-on: you’ll define long-term program roadmaps while also rolling up your sleeves to run audits, perform risk assessments, and answer customer security questionnaires. You must be technical enough to understand how Hex’s product works under the hood and translate that understanding into defensible compliance, clear documentation, and trust-building narratives for customers.

What you will do

Security, Privacy & Compliance Program Ownership

• Own and mature Hex’s security and privacy compliance program across SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, CCPA, PCI DSS, and other frameworks relevant to our business.
• Ensure continuous audit readiness: maintain controls, gather evidence, manage auditors, and implement improvements.
• Track regulatory and industry changes, advising Hex leadership on impact and recommended responses.
• Maintain and develop core security policies, standards, and procedures, tailoring them to Hex’s real operating environment.

Risk Assessment & Governance

• Own Hex’s risk management lifecycle: identify, assess, track, and drive mitigation of security, privacy, operational, and regulatory risks.
• Build lightweight but effective governance processes, ensuring clear ownership, documentation, and accountability.
• Partner with Engineering and Security to ensure technical controls map appropriately to compliance requirements.

Customer Trust & Sales Enablement

• Serve as the primary owner of customer and prospect security questionnaires, risk assessments, and contractual security provisions.
• Manage and improve Hex’s Trust Center / trust portal, ensuring accurate and compelling communication of Hex’s security posture.
• Collaborate with Sales, Customer Success, and Legal on security-related deal support, including negotiating security terms.
• Build defensible, scalable processes for handling increasing customer scrutiny.

Audit & Evidence Management

• Lead internal and external audits from planning through remediation.
• Establish automated or repeatable evidence collection processes, reducing manual toil and ensuring consistency.
• Coordinate cross-functional contributors to meet audit timelines and quality requirements.

Third-Party Risk Management

• Own Hex’s third-party risk management program, including vendor assessments, reviews, and ongoing monitoring.
• Build a lightweight but rigorous process aligned with Hex’s scale and risk profile.
• Partner with Procurement, Security, and IT to ensure defensible vendor decisions.

Security Culture, Enablement & Awareness

• Define and run security awareness training tailored to Hex’s environment.
• Evangelize GRC internally—driving a culture of risk-aware decision-making and operational excellence.
• Document processes, playbooks, and FAQs to make compliance and risk management accessible across the organization.

Program Automation & Tooling

• Evaluate, implement, and administer GRC tools (evidence automation, Trust Center platforms, access review tooling, vendor management systems).
• Build automation into compliance wherever possible—access reviews, evidence collection, user lifecycle processes, vendor workflows, and more.
• Partner with engineering teams to understand Hex’s infrastructure and embed compliance requirements into CI/CD, logging, monitoring, and cloud security controls.

Who you might be

Technical & Compliance Expertise

• 5–8+ years in GRC, compliance, security engineering, privacy, audit, or a related field.
• Deep familiarity with frameworks such as SOC 2, ISO 27001, ISO 27701, PCI DSS, HIPAA, GDPR, and associated security controls.
• Experience running or contributing significantly to audit cycles and certification processes.
• Technical literacy in cloud-native environments (AWS preferred), SaaS architectures, and modern security tooling.
• Ability to understand and explain product architecture, data flows, and control implementations to auditors and customers.

Program Building & Ownership

• Experience building or maturing GRC programs at a high-growth company.
• Strong project/program management skills: you can set roadmaps, drive timelines, and deliver on deadlines.
• Comfort creating order out of ambiguity—you design the playbook, not just follow one.

Customer-Facing & Cross-Functional Skills

• Exceptional communicator with the ability to translate complex topics into clear, concise, customer-ready language.
• Strong stakeholder management skills—you can collaborate with engineering, sales, legal, executives, and prospects with equal effectiveness.
• Empathic, diplomatic, and able to balance customer expectations with business realities.

Professional Competencies

• Highly organized and detail-oriented; rigorous in execution.
• Naturally curious with a continuous-improvement mindset.
• Thrives in distributed, fast-paced environments.
• Comfortable making risk-based decisions and presenting tradeoffs to leadership.

Preferred (but not required)

• Certifications such as CISA, CISM, CISSP, CRISC, ISO 27001 Lead Implementer/Auditor.
• Experience with GRC automation platforms (e.g., Vanta, Drata, Tugboat, SecureFrame) and Trust Center tools (e.g., Conveyor, SafeBase).
• Familiarity with data protection operations, privacy programs, DPIAs, or AI/ML compliance contexts.

Why you’ll love this role

• You’ll build a foundational function from scratch—your work defines how Hex earns and maintains customer trust.
• You’ll work across the entire company, influencing product decisions, customer outcomes, and security posture.
• You’ll shape a modern, automation-forward GRC program rather than inheriting legacy complexity.
• You’ll partner with world-class engineers and operators who care deeply about doing things the right way.
• You’ll have meaningful ownership, visibility, and impact as Hex continues to scale.

Our stack

Our product is a web-based notebook and app authoring platform. Our frontend is built with Typescript and React, using a combination of Apollo GraphQL and Redux for managing application state and data. On the backend, we also use Typescript to power an Express/Apollo GraphQL server that interacts with Postgres, Redis, and Kubernetes to manage our database and Python kernels. Our backend is tightly integrated with our infrastructure and CI/CD, where we use a combination of Terraform, Helm, and AWS to deploy and maintain our stack.

In addition to our unique culture, Hex proudly offers a competitive total rewards package, including but not limited to, market-benched salary & equity, comprehensive health benefits, and flexible paid time off.

The salary range for this role is: $182,000 - $295,000

The salary range shown may be a reflection of additional factors such as geographical location and skill ranges/levels we’re open to. Placement in the salary range will be decided upon completion of the interview process, taking into account factors like leaving room for growth, internal fairness & parity, your demonstrated skills, and the depth of your experience. Our Recruiting team will be able to provide more details during the interview process.

By submitting an application the candidate consents to the use of their personal information in accordance with the Hex Privacy policy: https://learn.hex.tech/docs/trust/privacy-policy.