Smarsh is a global leader in digital communications capture, archiving, and oversight. Our Governance, Risk, and Compliance function is built to scale through systems, automation, and engineering-driven control frameworks.
This role focuses on building and operating the systems that make governance real in a production environment. You will work at the intersection of Security, Engineering, and GRC to design, implement, and validate controls as part of normal system operation rather than after-the-fact compliance activities.
You will be responsible for developing control validation workflows, improving evidence automation, and ensuring strong alignment between policy intent and system behavior. The role requires strong systems thinking and the ability to translate compliance requirements into practical, testable implementations.
Core Responsibilities
Control Engineering & Validation
- Design and implement security controls as testable, system-aligned mechanisms across cloud and application environments
- Translate regulatory and framework requirements into measurable control logic and validation checks
- Build and operate control validation workflows, including continuous testing and monitoring
- Identify and resolve gaps between documented controls and actual system behavior
GRC Automation & Tooling
- Develop and improve GRC tooling integrations and platform capabilities
- Automate evidence collection from cloud platforms, security tools, and internal systems
- Design scalable workflows for continuous control monitoring and audit readiness
- Improve data quality, structure, and traceability across GRC systems
Evidence & Audit Engineering
- Design reusable, structured evidence models aligned to control requirements
- Build automated evidence pipelines that support audit readiness
- Ensure evidence is generated at the source and remains consistent over time
- Maintain audit trails that demonstrate control effectiveness
Risk & Control Integration
- Integrate control assurance outputs into risk management systems
- Maintain clear linkage between controls, risks, and remediation activities
- Improve visibility into control health and organizational risk posture
- Support structured remediation workflows with clear ownership and tracking
Governance Systems & Process Design
- Design and refine governance workflows that align with engineering practices
- Contribute to Policy as Code and structured governance approaches
- Standardize how policies and controls are implemented across systems
- Improve consistency and repeatability across GRC operations
Regulatory & Compliance Engineering
- Translate regulatory requirements into system-aligned control implementations
- Ensure compliance obligations are implemented as measurable and testable mechanisms
- Partner with Legal and Security to align regulatory interpretation with technical execution
Third-Party & External Assurance
- Support third-party security assessments using scalable and repeatable evaluation approaches
- Align vendor risk processes with internal control frameworks
- Contribute to client assurance through standardized, automation-ready evidence
What We’re Looking For
Experience
- 6 to 8 years of experience in GRC, security engineering, or control assurance within SaaS or regulated environments
- Experience designing and implementing security controls in technical environments
- Hands-on experience with automation, evidence systems, or control validation workflows
- Strong understanding of cloud platforms and modern application architectures
Technical & Analytical Capability
- Ability to translate compliance frameworks such as ISO 27001, SOC 2, and NIST into system-level implementations
- Experience working with APIs, logs, or structured data to validate controls
- Comfort with scripting or automation such as Python or similar
- Strong systems thinking and ability to connect controls, risks, and infrastructure
Ways of Working
- Focus on building scalable, repeatable solutions instead of manual processes
- Ability to collaborate across Engineering, Security, and GRC teams
- Clear and structured communication in both technical and governance contexts
- Bias toward ownership and continuous improvement