GitHub is committed to doing right by our customers and being worthy custodians of their data. Developing a highly effective control environment and right sized compliance solutions are integral to this commitment. GitHub’s GRC team reports into Security leadership at GitHub, and we strive to take a fresh tact on compliance and risk work. GitHub is seeking a highly motivated, senior people manager with a proven track record in the Compliance domain to join the Governance, Risk and Compliance (GRC) organization. This role will lead a team chartered with continuous testing and monitoring of control health, internal assessment for audit readiness and engagement with external auditors.

This is an ideal opportunity for a creative and analytical thinker with a customer first mindset who understands the role of compliance in business enablement. You are highly team oriented and enjoy the dynamic nature of projects that can pull in team members from across the entire enterprise, with both technical and non-technical business processes owners. You can find comfort working under ambiguous situations and have a natural drive to bring clarity. You are confident in your ability to say "I don't know, but I will find out!"

This role will have a primary focus on:

Manage the development and deployment of the Continuous Testing Program for technology audits.
Develop easy-to-consume control health reporting and metrics for Control Owners and leadership the of Security, Product, IT Infrastructure and Product Engineering teams as well as non-technical teams.
Partner with the Audit and Compliance Service Architect to consult and advise Control Owners on alignment of audit and compliance requirements to operational processes.
Provide design oversite to compliance testing efforts, audit framework alignment.
Contribute compliance-centric feature use cases and user stories for Product Development.
Manage Audit and Compliance tooling and define improvements to compliance testing and monitoring workflow.
Execute testing when necessary.
Other duties as required.
This job is U.S. based, however, infrequent travel (+/-10%) will be necessary.

Required experience:

4 to 6 years demonstrated people management experience in a remote first work environment.
8 to 10 years prior work experience in as an Audit and Compliance Professional in large SaaS/IaaS/PaaS providers, with a track record of establishing and operationalizing compliance frameworks.
Understanding and awareness of different company personas and unique communications patterns for those personas.
Demonstrated ability to execute the test once, use multiple times approach across multiple audit frameworks and effectively operationalize compliance requirements.
Demonstrated ability to develop, use and communicate metrics/KPIs to assess program performance.
The ability to partner with and effectively communicate to engineering, non-technical and executive staff.
Has successfully lead a SaaS provider through ISO 27001 certification, FedRAMP ATO, and SSAE 16/SOC 2 from initial gap-assessment to receiving report/certification/ATO.
Must be legally authorized to work in the United States.

Preferred experience:

Strong information security background in either software development or systems operations.
Experience with software development and systems engineering life cycles including design, development, testing, and release, and maintenance.
Prior software development experience with Go, Ruby, bash, python, or similar languages.
Experience using data analytics tools.
Exposure to software version control systems/Git and GitHub.com, and comfort using core features such as Issues and Pull Requests.
Experience working on a remote team in an asynchronous workflow.

Who We Are:

GitHub is the developer company. Over 36 million people use GitHub to build amazing things together across 100 million repositories. We make it easier for developers to be developers: to work together, to solve challenging problems, to create the world’s most important technologies. We foster a collaborative community that can come together—as individuals and in teams—to create the future of software and make a difference in the world.

What We Value:

Collaboration: We believe the best work is done together.
Empathy: We believe in putting people first.
Quality: We believe in setting the standard for excellence.
Positive Impact: We believe in making the world a better place through our work.
Shipping: We believe in creating things for the people using them.

Why You Should Join:

At GitHub, we constantly strive to create an environment that allows our employees (Hubbers) to do the best work of their lives. We've designed one of the coolest workspaces in San Francisco (HQ), where over half of our Hubbers work, snack, and create daily. The other half of our Hubbers work remotely in 18 countries across the globe. Here is a complete list of where we can hire!

We are also committed to keeping Hubbers healthy, motivated, focused and creative. We've designed our top-notch benefits program with these goals in mind. In a nutshell, we've built a place where we truly love working, we think you will too.

GitHub is made up of people from a wide variety of backgrounds and lifestyles. We embrace diversity and invite applications from people of all walks of life. We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, disability, pregnancy status, veteran status, or any other differences. Also, if you have a disability, please let us know if there's any way we can make the interview process better for you; we're happy to accommodate!

Where We Can Hire

Please note that benefits vary by country, if you have any questions, please don't hesitate to ask your Talent Partner.

#LI-POST

Apply for this Job

* Required

First Name *

Last Name *

Email *

Phone

Location (City) *

Resume/CV *

Attach Dropbox Google Drive Paste

Cover Letter

Attach Dropbox Google Drive Paste

LinkedIn Profile

Website

GitHub Handle

Are you legally authorized to work in one of the following: Australia, Austria, Canada, Croatia, Denmark, France, Germany, Ireland, Japan, New Zealand, Netherlands, Spain, Sweden, Switzerland, United Kingdom (England, Northern Ireland, Scotland, and Wales), United States? *

If you answered yes, please provide more information, and specify which countries you are eligible to work in. *

Please provide your current location: *

Why do you want to work at GitHub? *

Why do you feel you would be a fit for this role? *

Have you ever worked remotely before? *

What do you suppose are the challenges of working remotely, and how would you address them? *

How did you hear about this job? *

Have you ever worked for LinkedIn, Microsoft, or any of Microsoft's affiliates in any capacity? *

Please check all that may apply. *

  I currently work at Microsoft
  I previously worked at Microsoft
  I currently work at LinkedIn
  I previously worked at LinkedIn
  None of the above

If yes, in what capacity?

What interests you most about GitHub's products and mission, and how does your area of expertise empower the company to succeed? *

What do you enjoy most about working in a GRC role? What do you see as the benefit GRC as a service can bring to a company? If you have not held a GRC role previously, what do you find exciting about a career change, and how do you see your experiencing adding benefit to the work? *

GitHub is not only a SaaS provider, but also a consumer of other IaaS, PaaS, and SaaS offerings. With reports of large scale breaches and journalists asking, "Is the cloud secure"� becoming common place in the last few years, what is your approach to identifying and managing the risks associated with the cloud and more traditional service provider integrations? What key elements would you build into a risk management program? *

You've likely encountered the cynical view that security compliance frameworks (e.g. SSAE 16/SOC 2) have marginal value and are little more than a list of "checkboxes" that don't provide meaningful security improvement. How would briefly make the argument, to both the executive tier and the engineer or administrator tasked with implementing controls, that compliance frameworks can provide tangible benefit to an organization? *

Project/Program management capability: Often times, the people you need to count on to move your work forward have a lot on their plate. Aside from everyday tasks, they have multiple projects they are working on. As GRC risk is never a means to its own end, can you provide insight into how you organize and track work items across other teams and individuals that do not report to you, and how would work to collaborate and inspire others, while at the same time showing respect to the limited time and creative resources they have? *

Customer compliance management capability: Customers often have their own interpretation of compliance, security, and privacy. Say you're working with a large customers’ compliance department who has performed a security controls review of the GitHub.com service, and came out with their own list of gaps. As you work with them, you find that they have a different interpretation of how you should prioritize and remediate the open gaps. How would you handle a customer that insists that GitHub implement a certain type of control that to the best of your knowledge, is not relevant to GitHub's environment? *

The GRC team is a service organization to GitHub and to GitHub's users and customers. We frequently have to respond to asks from our internal partners for assistance, review, research, and/or to help develop a customer facing position rapidly. Provide your thoughts on providing service, how to field unexpected requests and an example of how you have had to respond to and handle a rapid change - on a project, on a customer engagement, due to a reorg, or due to unplanned work that catches fire! *

Security Risk and Compliance isn’t always the team winning popularity contests within a rapidly-paced organization where shiny new product features and efficiencies of speed may be prized over exacting due diligence or regimented regulatory requirements. Can you give an example of where you implemented a required, but relatively unpopular project/process/system, at least at the outset, and yet still managed to win friends and influence people, even when the new solution challenged their own priorities or perspectives? *

Risk and Compliance is all about continuous improvement, and improving often means change, particularly in young organizations driven by a leadership striving quickly for maturity. Pushing change to an organization can be challenging, and sometimes frustrating as ships never turn quite as quickly as we’d like them to. How do you manage change effectively while remaining sensitive to others’ concerns that could present as challenges to achieving your goals? *

Lastly, but not least, we are a growing team providing a growing set of services to GitHub. Sometimes this means you will wear several hats during the week, and sometimes during the same day. How would you look to contribute to a team that is testing and tuning it's approach to providing services, with an eye towards expanding support to improve GitHub employee and customer experience over time? *

U.S. Equal Opportunity Employment Information (Completion is voluntary)

Individuals seeking employment at GitHub are considered without regards to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. You are being given the opportunity to provide the following information in order to help us comply with federal and state Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.

Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

Gender

Are you Hispanic/Latino?

Please identify your race

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Veteran Status

Form CC-305

OMB Control Number 1250-0005

Expires 1/31/2020

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

Because we do business with the government, we must reach out to, hire, and provide equal opportunity to qualified people with disabilities¹. To help us measure how well we are doing, we are asking you to tell us if you have a disability or if you ever had a disability. Completing this form is voluntary, but we hope that you will choose to fill it out. If you are applying for a job, any answer you give will be kept private and will not be used against you in any way.

If you already work for us, your answer will not be used against you in any way. Because a person may become disabled at any time, we are required to ask all of our employees to update their information every five years. You may voluntarily self-identify as having a disability on this form without fear of any punishment because you did not identify as having a disability earlier.

How do I know if I have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

Blindness
Deafness
Cancer
Diabetes
Epilepsy
Autism
Cerebral palsy
HIV/AIDS
Schizophrenia
Muscular dystrophy
Bipolar disorder
Major depression
Multiple sclerosis (MS)
Missing limbs or partially missing limbs
Post-traumatic stress disorder (PTSD)
Obsessive compulsive disorder
Impairments requiring the use of a wheelchair
Intellectual disability (previously called mental retardation)

Disability Status

Reasonable Accommodation Notice

Federal law requires employers to provide reasonable accommodation to qualified individuals with disabilities. Please tell us if you require a reasonable accommodation to apply for a job or to perform your job. Examples of reasonable accommodation include making a change to the application process or work procedures, providing documents in an alternate format, using a sign language interpreter, or using specialized equipment.

¹Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.

Security-GRC Audit and Continuous Testing Manager