Associate Manager, Security Compliance (GRC)

US - Remote

About Us 

dbt Labs is the pioneer of analytics engineering, helping data teams transform raw data into reliable, actionable insights. Since 2016, we’ve grown from an open source project into the leading analytics engineering platform, now used by over 50,000 teams every week. 

As of February 2025, we’ve surpassed $100 million in annual recurring revenue (ARR) and serve more than 5,400 dbt Cloud customers, including JetBlue, HubSpot, Vodafone New Zealand, and Dunelm. We’re backed by top-tier investors including Andreessen Horowitz, Sequoia Capital, and Altimeter. At our core, we believe in empowering data practitioners:

  • Code-based data transformations unlock transparency, flexibility, and collaboration
  • Analysts should adopt software engineering best practices to build trusted data products
  • Core analytics infrastructure should be open source and user-controlled
  • Analytic code—not just tools—should be shared and community-driven

dbt is now synonymous with analytics engineering, defining the modern data stack and serving as the data control plane for enterprise teams around the world. And we’re just getting started. We’re growing fast and building a team of passionate, curious people across the globe. Learn more about what makes us special by checking out our values.
 

About the Security Team:

The mission of the Security Compliance (GRC) team at dbt Labs is to provide clear, opinionated security guidance and scalable, secure-by-default offerings to engineers for the purpose of securing software development and enabling pragmatic risk decisions at dbt.

Our small team size and wide scope of responsibilities require that we work intelligently to address the security needs of dbt’s products. We aim to put yesterday’s problems behind us through a mix of OSS/COTS solutions for commodity problems and using ingenuity to solve the rest.

What we’re looking for

The Associate Manager of Security Compliance (GRC) plays a crucial role in safeguarding dbt Labs' operations through effective risk management and regulatory compliance. This position is responsible for developing, implementing, and maintaining comprehensive GRC frameworks that align with industry standards and organizational objectives. The GRC team is responsible for conducting risk assessments, compliance audits, customer trust activities (e.g. Security Questionnaires/Due Diligence), and more. The ideal candidate will bring a strategic mindset and practical experience in navigating complex customer regulatory environments.

In this role, you can expect to:

  • Contribute to strategy, roadmap, and lifecycle management of GRC tooling, including third-party platforms and custom-built solutions.
  • Partner with appropriate teams to embed GRC controls early in the software development lifecycle, fostering a culture of proactive risk management and secure-by-design thinking.
  • Identify opportunities for automating and integrating risk and compliance activities within engineering and business workflows.
  • Set clear performance expectations, provide ongoing coaching, and cultivate a culture of innovation, collaboration, and excellence.
  • Ensure the GRC technology stack aligns with enterprise architecture standards, data governance policies, and security best practices.
  • Drive the sales cycle by producing great documentation and answering customer questions efficiently.
  • Deliver key projects on time, such as:
    • Owning & maintaining continuous monitoring activities
    • Reviewing control language & policy updates
    • Implementing key controls with organizational stakeholders
  • Develop, maintain, and track remediation of items on the risk register.
  • Document, track, and follow up on security-related findings (e.g., policy non-compliance, privacy and security awareness training completion, risk register maintenance).
  • Coordinate external audits and evidence collection for SOC 2, ISO 27001, ISO 27701, and other future frameworks.
  • Assist with customer assurance activities, such as completing security questionnaires.
  • Manage vendor security evaluations for both existing and new vendors.

You are a good fit if you have:

  • Strong understanding of GRC frameworks such as NIST, ISO 27001, ISO 42001, ISO 27017, ISO 27018, ISO 27701, SOC 2, SOX, or CIS Controls.
  • 5+ years of experience, with demonstrated ability to lead technical teams.
  • Experience managing a remote team in a fast-paced, growing company.
  • Strong understanding of GRC domains including IT risk, compliance, audit, and policy management.
  • Excellent interpersonal and communication skills, with the ability to influence across all levels of the organization.

You'll have an edge if you have:

  • Experience managing frameworks in a multi-cloud environment
  • Certifications such as CISSP, CISM, or CRISC
  • Working knowledge of data breach notification laws, international privacy regulations, HIPAA, and current or upcoming AI frameworks
  • Experience working in fast-paced or hyper-growth companies
  • Have operated with a “GRC Engineering”-first mentality

 

Compensation & Benefits

Salary:

We offer competitive compensation packages commensurate with experience, including salary, equity, and where applicable, performance-based pay. Our Talent Acquisition Team can answer questions around dbt Labs' total rewards during your interview process. In select locations (including Boston, Chicago, Denver, Los Angeles, Philadelphia, New York City, San Francisco, Washington, DC, and Seattle), an alternate range may apply, as specified below.

  • The typical starting salary range for this role is: $123,000-$148,500
  • The typical starting salary range for this role in the select locations listed is: $136,000-$165,000

Benefits:

  • Unlimited vacation (and yes we use it!)
  • 401k w/3% guaranteed contribution
  • Excellent healthcare
  • Paid Parental Leave
  • Wellness stipend
  • Home office stipend, and more!

*Equity or comparable benefits may be offered depending on the legal limitations

What to expect in the hiring process (Zoom Interviews)

  • Interview with a Talent Acquisition Partner 
  • Technical Interview with Hiring Manager
  • Team Interviews 
  • Final interview with leadership team member

dbt Labs is an equal opportunity employer, committed to building an inclusive team that welcomes diverse perspectives, backgrounds, and experiences. Even if your experience doesn’t perfectly align with the job description, we encourage you to apply—we value potential just as much as a perfect resume.

Want to learn more about our focus on Diversity, Equity and Inclusion at dbt Labs? Check out our DEI page.

dbt Labs reserves the right to amend or withdraw the posting at any time. For employees outside the United States, dbt Labs offers a competitive benefits package. Equity or comparable benefits may be offered depending on the legal or country limitations.
