GitHub is looking for an experienced GRC professional with a technical bent to champion compliance for GitHub Enterprise. This role will be uniquely positioned to build relationships and serve as a liaison across GitHub and will work in close collaboration with GRC and security management. GitHub is committed to developing a compliance program that enables rapid product development while reliably exceeding our customers' high expectations for security and compliance. 

As part of the team reporting into the Security-GRC Staff Manager, you will work closely with multiple groups across the GitHub and Azure Compliance teams, including infrastructure, operations, legal, finance, HR, sales, and software engineering to develop sound process and implement necessary controls to meet customer needs, satisfy external audit and regulatory requirements, and address internal business objectives.

If you have a demonstrated record in compliance program management, have experience collaborating with product owners, engineering teams, and diverse business organizations in order to drive enterprise objectives and want to contribute to making the world's largest software development platform more secure, we want to hear from you!

About the Role:

As part of the Audit and Compliance team, this role will lead compliance efforts for GitHub’s products that target the highest levels of compliance and security assurance, including FedRAMP High and DISA IL4/5. You will work closely with multiple groups including software engineering, infrastructure, product, management, and audit to develop security architectures that meet customer needs and advance internal business objectives. You will contribute to the strategic roadmap for GitHub’s audit and compliance story across our products. This role is expected to anticipate problems, identify possible solutions, lead the business to a decision, and drive implementation. 

This is an excellent opportunity for a strong Individual Contributor to have a hand in elevating compliance and security as a business and sales enabler, and to integrate a deep understanding of product and business into the compliance space. Our ideal candidate takes a pragmatic approach to compliance, functions as part of a growing team, and is able to balance the needs of a dynamic engineering culture with that of protecting the company and customer data. Compliance at GitHub is a team effort, so bringing your team members, leadership, and customers along for the ride is integral to your success. Central to the team's culture is that of inclusion, transparency, and teamwork we lift each other up to be successful.

Past experience leading significant compliance results in IT, Software, Finance, Government or other complex organizations will stand out. 


A large focus of this position will be to:

  • Engage with GitHub team members and Azure Compliance partners in detailed research and analysis of technical and process-centric audit requirements in support of new initiatives, continuous improvement, and remediation efforts. 
  • Contribute to GitHub’s continuous monitoring strategies, both those focused across products and frameworks and those focused specifically on Public Sector customers.
  • Review new features, functionality, and products and lead their integration into existing certifications.
  • Collaborate and partner with internal Security-GRC management to lead Internal Audit and Customer Audit of services and solutions as necessary.
  • Contribute to ongoing efforts to standardize and improve audit readiness testing techniques and program-level process/documentation.
  • Develop paved path compliance solutions for GitHub’s use of Azure; integrate these solutions with existing tools and processes
  • Provide feedback to business stakeholders on regulatory/industry better practices with regard to establishment and operation of internal controls.
  • Act as lead for your function area in development and tracking of audit readiness and remediation project plans; assist in tracking successful completion of work, ensuring alignment with product roadmap.
  • Contribute to the development of customer-facing materials covering topics related to security, compliance, and audit to help customers manage their own audit efforts involving GitHub products more effectively.
  • Dive deep into the work and identify new ways to solve problems and provide services inside our company.

This job is U.S.-based and open nationwide, however, semi-frequent travel (<10%) to our San Francisco, CA headquarters, or Seattle, WA, will be necessary for a remote worker. 


  • Demonstrated ability to function as a strong business to technology "Human API," helping to bridge the business view and requirements to technologists building solutions.
  • 7+ years experience with progressive responsibility and scope expansion in requirements development, program management, and process improvement efforts in a technical company, preferably at a large SaaS provider.
  • 7+ years experience with progressive responsibility and scope expansion performing compliance and audit testing with demonstrated ability to execute activities all along the audit life cycle (e.g. planning, audit execution, reporting and wrap up, remediation). Demonstrated ability using project plans to track and negotiate commitments, with experience escalating blocking issues constructively.
  • Experience developing and executing multi-year compliance roadmaps
  • Experience briefing customers on complex compliance topics.
  • Experience writing proposals for major initiatives, programs, or proposed changes
  • Ability to design and work effectively against metrics/KPIs which assess program performance.
  • Ability to partner and effectively communicate with security, engineering, and devops staff.
  • Experience briefing senior management.
  • Experience working on a remote team in an asynchronous workflow.
  • Exposure to software version control systems/Git and GitHub.
  • Must be legally authorized to work in the United States.

Preferred Attitude:

  • Loves the opportunity to Fix It, Build It, Understand It.
  • Confidence in ability to learn new things - has the ability to state: "I don't know, but I will find out and circle back.”
  • Very high comfort level working under ambiguous situations, with natural drive to bring clarity.
  • Compulsive about getting it down on "paper".
  • Creative mindset; a willingness to try a new approach, and challenge assumptions.
  • Highly team-oriented personality.
  • An open, learning mindset.

Application Written Questions:

The first step in the interview process is for you to take a look at the questions below and give us your thoughts on each topic. These responses will be shared with the hiring manager for the role. 

Why a written response? GitHub is the work platform for developers, and Hubbers (developer and non-developer alike) use GitHub for all critical path work, all day everyday! This plus our remote-first culture makes the written word our primary form of communication. 

How much effort should you spend on this? Thoughtfully crafted answers are appreciated, but we know your time is valuable, so please DO NOT feel it necessary to provide long, in depth responses. This is not expected to be an academic dissertation. We want to see how you reflect yourself in your own voice and style.

(Colorado only*) Minimum salary of $148,000 to maximum $168,400 + bonus + equity + benefits.
· Note: Disclosure as required by sb19-085 (8-5-20) of the minimum salary compensation for this role when being hired in Colorado. 

Who We Are:

GitHub is the developer company. We make it easier for developers to be developers: to work together, to solve challenging problems, and to create the world’s most important technologies. We foster a collaborative community that can come together—as individuals and in teams—to create the future of software and make a difference in the world.

Leadership Principles:

Customer Obsessed - Trust by Default - Ship to Learn - Own the Outcome - Growth Mindset - Global Product, Global Team - Anything is Possible - Practice Kindness

Why You Should Join:

At GitHub, we constantly strive to create an environment that allows our employees (Hubbers) to do the best work of their lives. We've designed one of the coolest workspaces in San Francisco (HQ), where many Hubbers work, snack, and create daily. The rest of our Hubbers work remotely around the globe. Check out an updated list of where we can hire here:

We are also committed to keeping Hubbers healthy, motivated, focused and creative. We've designed our top-notch benefits program with these goals in mind. In a nutshell, we've built a place where we truly love working, we think you will too.

GitHub is made up of people from a wide variety of backgrounds and lifestyles. We embrace diversity and invite applications from people of all walks of life. We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, disability, pregnancy status, veteran status, or any other differences. Also, if you have a disability, please let us know if there's any way we can make the interview process better for you; we're happy to accommodate!

Please note that benefits vary by country. If you have any questions, please don't hesitate to ask your Talent Partner.


Apply for this Job

* Required

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in GitHub’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Form CC-305

OMB Control Number 1250-0005

Expires 05/31/2023

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

We are a federal contractor or subcontractor required by law to provide equal employment opportunity to qualified people with disabilities. We are also required to measure our progress toward having at least 7% of our workforce be individuals with disabilities. To do this, we must ask applicants and employees if they have a disability or have ever had a disability. Because a person may become disabled at any time, we ask all of our employees to update their information at least every five years.

Identifying yourself as an individual with a disability is voluntary, and we hope that you will choose to do so. Your answer will be maintained confidentially and not be seen by selecting officials or anyone else involved in making personnel decisions. Completing the form will not negatively impact you in any way, regardless of whether you have self-identified in the past. For more information about this form or the equal employment obligations of federal contractors under Section 503 of the Rehabilitation Act, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at

How do you know if you have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Autism
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, or HIV/AIDS
  • Blind or low vision
  • Cancer
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or hard of hearing
  • Depression or anxiety
  • Diabetes
  • Epilepsy
  • Gastrointestinal disorders, for example, Crohn's Disease, or irritable bowel syndrome
  • Intellectual disability
  • Missing limbs or partially missing limbs
  • Nervous system condition for example, migraine headaches, Parkinson’s disease, or Multiple sclerosis (MS)
  • Psychiatric condition, for example, bipolar disorder, schizophrenia, PTSD, or major depression

1Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.