GRC Senior Analyst (Remote - Canada or the United States)

Remote - North America

GitHub is seeking a highly experienced and detailed-oriented Individual Contributor to help build out the Governance, Risk Management, and Compliance (GRC) function within a young and rapidly growing organization. GitHub is committed to doing right by our customers. Developing a highly effective control environment and right sized compliance solutions are integral to this commitment.

Are you prone to fits of root cause analysis? Do you find yourself viewing the world through the lenses of primary and compensating controls? Do you create flowcharts to help your friends and family understand exactly how Thanksgiving dinner should come together and who's bringing what side dish? When trying to explain ideas over dinner, do you find yourself looking for post-it notes and a whiteboard? Can you spot over-engineered controls from a mile away? Do you suffer from compulsive list making? Maybe have a strong forest-from-trees project management perspective, and masterful "Way With the Project Plan".

Have you already answered the question "Why are we here?" with the GRC Truth, "Because Customers."

If so, you might be the person we are looking for.

As part of the team reporting into the Director of Security-GRC, you will work closely with multiple groups including infrastructure operations, legal, finance, HR, sales, and software engineering to develop sound process and implement necessary controls to meet customer needs, satisfy external audit requirements, and address internal business objectives.
This is an excellent opportunity for a strong Individual Contributor to have a hand in elevating compliance and security as business and sales enabler, and to integrate a deep understanding of product and business into the compliance space. This is a team effort, and so bringing your team members, leadership and customers along for the ride is integral to your success. Central to the team's culture is that of inclusion, transparency and team work - we lift each other up to be successful!

This role is a great opportunity for someone considering a career path change, and to learn new ways to leverage your mid-career experience in a new discipline. Software operations, QA, security ops, logistics, software program and project management skills and experience - come see if this role is a fit for you!

A large focus of this position will support:
•Interpret regulatory, industry compliance and audit requirements and develop easy-to-consume work definitions for the product, HR, legal, business systems, IT engineering and software development teams, and function as technical SME during external audits.
•Develop and track compliance and remediation project plans and track successful completion of work, ensuring alignment with product roadmap.
•Contribute to the development of customer facing materials covering topics related to security, compliance and audit to help customers manage their own audit efforts involving GitHub products more effectively.
•Support development of continuous compliance testing, design remediation and risk mitigation solutions, and collaborate cross functionally to establishing high levels of automated testing and evidence collection.
•Above all, you'll be getting your hands deep into the work and identifying new ways to solve problems and provide services inside our company.

Our ideal candidate takes an extremely pragmatic approach to GRC, functions as part of a growing team, and is able to balance the needs of a very dynamic engineering culture with that of protecting the company and customer data.

This job is U.S. based and open nation wide, however, semi-frequent travel (<15%) to our San Francisco, CA headquarters, will be necessary for a remote worker.

Required experience:

    • Ability to function as a strong business to technology "Human API", helping to bridge the business view and requirements to technologists building solutions.
    • 5+ years prior work experience in requirements development, program management, and/or process improvement efforts in a technical company, preferably at a large SaaS provider.
    • Experience with being a subject matter expert or lead, inside or outside of a compliance team, supporting audit and certification at a SaaS provider. SOC 1/SOC 2 audit and PCI compliance exposure of benefit.
    • 5+ years experience building project plans and tracking completion, negotiating commitments and escalating on blocking issues constructively.
    • Experience working in a customer facing capacity, addressing concerns pre and post sales cycle, in a SaaS/PaaS/IaaS business model.
    • Ability to develop and use metrics/KPIs to assess program performance.
    • CIA, CISA, or other relevant independent certification, or equivalent education.
    • The ability to partner with and effectively communicate to security, engineering and dev ops staff.
    • Adept at facilitation, interpretation, note taking and documentation.
    • Experience working on a remote team in an asynchronous workflow.
    • Exposure to software version control systems/Git and GitHub.
    • Must be legally authorized to work in the United States.

Preferred attitude:

    • Loves the opportunity to Fix It, Build It, Understand It.
    • Confidence in ability to learn new things - has the ability to state: "I don't know, but I will find out!"
    • High comfort level working under ambiguous situations, with natural drive to bring clarity.
    • Compulsive about getting it down on "paper".
    • Creative mindset; a willingness to try new approach, and challenge assumptions.
    • Highly team oriented personality.
    • An open, learning mindset.

Unicorn-level experience:

    • Deep experience at SaaS provider participating or leading teams through the entire SSAE 16/SOC 2 lifecycle from initial gap-assessment to receiving a favorable Type II report & letter of attestation, covering the Common Criteria and multiple Trust Service Principles, from a leading auditing firm.
    • Strong information security background in either software development or systems operations.
    • Software development, QA or Engineering experience.
    • Experience implementing and/or maintaining PCI compliance, HIPAA/HITECH compliance, or ISO 27001:2013 ISMS.
    • Experience implementing Sarbanes Oxley 404, supporting on-going compliance monitoring year over year, and including but not limited to working with independent auditors during validation and compliance testing phases.
    • Cloud Security Alliance and the STAR program including the CCM and CAIQ.
    • Exposure to FISMA/FedRAMP, and other industry and regulatory frameworks.
    • Experience using data analytics tools.
    • Prior technical program management and/or project management experience.

GitHub is committed to building a diverse workforce and strongly encourages applications from people of color and other groups currently underrepresented in tech. We are looking for candidates who:

    • Display a strong commitment to building an inclusive tech environment
    • Have demonstrated resilience and resourcefulness both in and outside of the workplace
    • Can bring a new perspective based on unique educational, professional, and lived experiences
    • Can effectively communicate with people from disparate backgrounds
    • Have experience mentoring/coaching/teaching, particularly in environments with diverse students/participants


GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Over ten million people use GitHub to build amazing things together. With the collaborative features of, our desktop and mobile apps, and GitHub Enterprise, it has never been easier for individuals and teams to write better code, faster.

We have a lot of exciting things to do, and we’re looking for the right people to grow with us!


Working at GitHub is, to put it simply, a special slice of the universe. We're committed to transparency, collaboration, experimentation, and always staying classy.

Because of this unique perspective, we've established one of the most flexible and well designed physical workspaces around that encourages you to work as you work best. Right now, over 60% of our employees are based outside of our San Francisco (SOMA) headquarters and work according to how they get their best stuff done.

Ensuring that GitHubbers are healthy, motivated, focused and creative is how GitHub stays awesome. Part of this is ensuring that our benefits* are out of this world.

In a nutshell, we've built and are growing a place where we truly love working, and we think you will too.

GitHub is made up of people with many different backgrounds and lifestyles, and we like it that way. We invite applications from people of all stripes. We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, pregnancy status, veteran status, or any other differences that people imagine to discriminate against one another. Also, if you have a disability, please let us know if there's anything we can do to make the interview process better for you; we're happy to accommodate.

*Please note that benefits vary by country, if you have any questions don't hesitate to ask your recruiter!