About the position
Mattermost is seeking a GRC Manager to lead and modernize its governance, risk, and compliance program for both federal and commercial markets. This role involves a modern, engineering-led approach to compliance, utilizing GRC engineering and AI to reduce manual effort and scale programs. The GRC Manager will be responsible for the end-to-end compliance posture, including federal readiness and commercial certifications, aiming for automated, continuously monitored, and AI-native processes. The position requires hands-on compliance work, coordination with internal stakeholders (engineering, infrastructure, IT), external auditors, and customers. As the program grows, the role will involve building and leading a team.
Responsibilities
• Own and modernize Mattermost's compliance programs across federal and commercial markets
• Lead readiness, certification, and surveillance cycles across both programs
• Operate the risk management program end to end — from identification and assessment through treatment and acceptance
• Own the third-party and vendor risk management program, including security assessments and supply chain risk
• Apply GRC engineering and automation to replace manual evidence collection with continuous controls monitoring
• Build AI-native workflows to accelerate and improve the quality of recurring compliance work
• Maintain the control library, system security plans, POA&Ms, and policies
• Coordinate external audits from scoping through remediation
• Accelerate deal cycles by owning customer security questionnaires, trust center content, and reusable compliance artifacts
• Grow and lead the GRC team as the program scales
Requirements
• Bachelor's degree in computer science, information security, or related field — or significant professional GRC and compliance experience
• Proven senior-level experience in governance, risk, and compliance, security compliance, or IT audit, including direct ownership of a certification or authorization program
• Experience with U.S. Federal standards including CMMC and NIST series (800-171 / 800-53)
• Experience with ISO 27001 and SOC 2 Type II
• Experience operating a formal risk management program
• Experience running a third-party and vendor risk management program
• Experience owning customer-facing security assurance, including security questionnaires and trust center content
• Working knowledge of security controls for cloud environments (AWS, GCP, and/or Azure)
• Excellent written and verbal communication skills
• U.S. citizenship
• Located in the United States and eligible to obtain and maintain a U.S. government security clearance
• Meet eligibility requirements for access to export-controlled information as defined by U.S. export control laws, including EAR and ITAR
Nice-to-haves
• Professional GRC certifications such as CISA, CRISC, CISM, CISSP, or CIPP
• Experience working with AI platforms such as Claude, OpenAI, or Gemini
• Experience with compliance automation tooling such as Vanta or Drata, and continuous controls monitoring
• Direct experience applying AI or LLM-based workflows to GRC tasks
• Proficiency in no-code automation or scripting languages
• Past success in critical infrastructure industries including defense, cybersecurity, communications, or manufacturing
Benefits
• Mission-driven work
• Remote-first culture
• Open source at the core
• AI-forward environment
• Unique scope