Sr. Director, Security Governance, Risk and Compliance

Senior Director, Security Governance, Risk, and Compliance (GRC)

Docusign brings agreements to life. Over 1.5 million customers and more than a billion people in over 180 countries use Docusign solutions to accelerate the process of doing business and simplify people's lives. With intelligent agreement management, Docusign unleashes business-critical data that is trapped inside of documents. Until now, these were disconnected from business systems of record, costing businesses time, money, and opportunity. Using Docusign's Intelligent Agreement Management platform, companies can create, commit, and manage agreements with solutions created by the #1 company in e-signature and contract lifecycle management (CLM).

As the most trusted brand in our industry, Docusign recognizes the profound importance of maintaining and enhancing customer trust in our products. Docusign's security program is vital to that trust, and this role is a critical leadership position driving our success. The Senior Director, Security Governance, Risk, and Compliance (GRC) will be a technically proficient, business savvy leader who manages all aspects of the GRC program and multiple facets of product and enterprise security. Security GRC will embed within Product, Technology, Digital Technology, and Sales teams to proactively identify and reduce security risks - transforming legacy GRC practices into a more contemporary, productized capability and replacing document-centric compliance with scalable security controls built directly into engineering and business workflows. The Senior Director, GRC will tailor and implement Docusign's security controls framework to protect the platform, company, and customers through a risk-based approach to security. They will enhance engineering and development capabilities within the GRC team; implement contemporary, cost-effective tools and practices to automate historically manual activities; and leverage AI and ML where appropriate to optimize efficiencies while delivering at scale and with speed while managing emerging risk and supporting product and business innovation. This position will leverage leading security frameworks like NIST, ISO, and BSIMM as foundations for the overall security program while driving continuous improvement. The role will ensure that security governance mechanisms and documentation are implemented and effective. The Senior Director will also be responsible for driving revenue growth through direct support to Sales teams, managing customer security assurance, ensuring audit readiness in preparation for certification and global regulatory and customer requirements. Ultimately, the Senior Director will be responsible for managing GRC product innovation, development, engineering, and delivery. The role will deepen security within the platform and across the enterprise, while enhancing customer trust. They will be charged with optimizing the GRC user experience - serving as the product owner for the security controls framework and security risk mitigation; ensuring policies, standards, procedures, and controls are designed for adoption, automated by default, and measured through real-time data; and driving revenue growth through GRC support to the business.

This position is a people manager role reporting to the Group Vice President, Chief Information Security Officer.

Responsibility

• Lead and manage the global GRC team and program, including core components: GRC engineering, governance, risk, compliance, and customer security assurance
• Manage a high-performing, product-driven team focused on measurable outcomes and continuous improvement. Implement tailored program goals, objectives, milestones, key results, and key performance indicators to drive consistent progress and outcomes
• Define and drive a multi-year product vision and roadmap for security governance, risk, and compliance (including GRC engineering and development) focused on adoption and measurable risk reduction
• Establish the architectural blueprint that transforms GRC into a scalable product platform and service
• Set vision, strategy, and leadership for how governance, risk, and compliance are engineered and automated across the company, translating requirements into a technology-driven automation strategy
• Manage architecting of scalable platforms for GRC automation and evidence production, while growing the team's technical skills sets and ensuring engineering and development best practices
• Manage delivery and prioritization while ensuring timely delivery of GRC product, engineering, and risk reduction capabilities
• Maintain expertise in components and capabilities of the product ecosystem as well as company infrastructure, environments, data, and security controls
• Maintain expertise in security threats, trends, technologies, and industry best practices (existing and emerging)
• Serve as a trusted leader/advisor to the CISO, other executives, and teams – translating technical risk into business impact, providing clear updates, trade-offs, and advice
• Manage collaboration and effective relationships with cross-functional teams to ensure frictionless security and paved path approaches with leadership across the business
• Manage the GRC budget and resourcing
• Ensure security practices and controls meet internal security policy and standards, industry frameworks, and regulatory and customer requirements
• Implement contemporary tooling and automation to optimize insights, efficiency, and efficacy while enhancing technical security rigor
• Contribute to technical requirements, architectural design and modification documents, and educational resources
• Serve as a senior escalation point for complex or high risk security issues; drive architectural, process, and implementation improvements from lessons learned
• Implement the GRC strategy for using AI across GRC teams and responsibilities; maintain a high level of individual proficiency in using AI to perform daily and longer term tasks
• Manage and continuously improve the company-wide Docusign security controls framework, ensuring controls are appropriately tailored and effective across all domains
• Manage compliance requirements relevant to modern software development, enterprise security, and trust and safety protections against platform abuse
• Serve as Security's primary liaison between technical teams and regulatory/audit bodies
• Work closely with third-parties on assessments, audits, attestations, and in shaping security programs, roadmaps, and deliverables

What You Bring

Basic

• 15+ years' working experience in Security GRC, Product Security, Application Security, Engineering, Trust and Safety or closely related security and engineering disciplines, with 8+ years in technical leadership roles
• Bachelor's degree in computer science, data science, artificial intelligence, machine learning, cybersecurity, risk management, or a related technical field
• Experience designing and leading security programs, including but not limited to security risk management, governance (especially under NIST, ISO, and FedRAMP frameworks), compliance, engineering/secure development, customer security assurance, product security, enterprise security, and trust and safety
• Experience with NIST CSF, NIST SDF, NIST AI RMF, ISO 27001, SOC, BSIMM, IL5, FedRAMP High, and other, more narrowly tailored or geographically focused security frameworks
• Experience driving automation strategies, predictive analytics, and data-driven insights
• Experience in implementing or improving security tools where they previously did not exist, did not perform to expectations, and/or better options emerged (e.g., workflow tools, case management systems, agents developed and trained to meet mission)
• Experience designing and embedding security controls across the business, plus validating efficacy
• Experience defining security KPIs, metrics pipelines, and executive reporting frameworks
• Experience with cross-functional collaboration and stakeholder engagement across technical and business relationships, especially with Product, Technology, Digital Technology, Sales, Security, and executive teams

Preferred

• Master's degree or higher
• Deeply technical with strong strategic vision, tactical acumen, excellence in execution
• Forward looking and acting with the ability to understand and address current and future threats and business requirements exceedingly well and manage products and their team to suit
• Growth and product mindset; oriented to action and delivery; professional teammate
• Excellent leadership, communications, and presentation skills
• Certifications: CISSP, CCISO, CISM, CRISC, CGRC, CCSP, CSSLP, GSLC, GSEC, or equivalent
• Substantial experience in implementing best practices and compliance obligations for AI product security and AI enterprise security
• Demonstrated experience with modern security frameworks applied to cloud-native environments and SaaS products
• Experience embedding GRC requirements into CI/CD pipelines (shift-left security)
• Extensive technical knowledge, including network infrastructure, automated workflows, secure coding practices, cryptography basics, threat modeling, and data systems architecture
• Strong experience with project management that includes a track record of success

Wage Transparency

Pay for this position is based on a number of factors including geographic location and may vary depending on job-related knowledge, skills, and experience.

Based on applicable legislation, the below details pay ranges in the following locations:

California: $244,000.00 - $390,575.00 base salary

Washington, Maryland, New Jersey and New York (including NYC metro area