Senior GRC Analyst

Who Are We?

Postman is the world’s leading API platform, used by more than 35 million developers and 500,000 organizations, including 98% of the Fortune 500. Postman is helping developers and professionals across the globe build the API-first world by simplifying each step of the API lifecycle and streamlining collaboration—enabling users to create better APIs, faster.

The company is headquartered in San Francisco and has an office in Bangalore, where it was founded. Postman is privately held, with funding from Battery Ventures, BOND, Coatue, CRV, Insight Partners, and Nexus Venture Partners. Learn more at postman.com or connect with Postman on X via @getpostman.

P.S: We highly recommend reading The "API-First World" graphic novel to understand the bigger picture and our vision at Postman.

The Opportunity

The Senior GRC Analyst role will be part of the Security GRC team at Postman.  The Security GRC team is responsible for the overall security posture of Postman by ensuring compliance with applicable regulations and contractual obligations and maintaining effective and efficient governance, risk, and compliance programs.  In addition, the Security GRC team is directly involved with supporting and enabling Sales and driving security and compliance initiatives to further the growth of Postman.

We seek a Senior GRC Analyst with extensive experience implementing, managing, and maturing compliance programs, including but not limited to SOC 2, ISO 27xxx, HIPAA, GDPR, CCPA, and FedRAMP.  This role must possess a significant level of technical knowledge that allows for clear communication with engineering stakeholders and the ability to provide actionable guidance and recommendations on processes (e.g. translate risk language to engineering requirements).

As a senior member of the Security GRC team, this role will be instrumental in guiding the strategy of the GRC program in partnership with senior management. In addition to technical acumen, the role requires an individual who is results-oriented and pragmatic and demonstrates effective problem-solving and communication skills. The Senior GRC Analyst often serves as a subject matter expert for colleagues and line-of-business managers, and experience with multiple technologies, compliance requirements and risk management methodologies is crucial.

What you’ll do

• Lead and coordinate high visibility projects for our risk & compliance roadmap, including: SOC2, ISO 27XXX, HITRUST, and FedRAMP.
• Contribute to the development, management, and ongoing improvement of the company risk program, compliance initiatives, and overall security risk posture.
• Lead the development and maturity of critical risk domains such as third party risk management and business resilience.
• Lead critical control activities with stakeholders across the business, quantifying risks, evaluating mitigations, and driving action to measurably reduce risk.
• Lead, participate, and innovate on processes to streamline compliance audit activities with external auditors and internal control owners to ensure successful completion of audit requirements with minimal toil.
• Establish and contribute to risk and compliance activities with an eye toward continuous controls monitoring automation.
• Act as a mentor, advisory, and escalation point for team members and stakeholders.

About You

• 7+ years of hands-on experience in cybersecurity governance, risk, and compliance, preferably within fast-paced technology companies.
• Bachelor’s degree in computer science, information security/cybersecurity, or related field or relevant work experience.
• Relevant certifications such as CISSP, CRISC, CISA, or CISM a plus.
• Knowledge of and experience implementing, managing, and maturing GRC programs with a bias to action, ability to design effective but pragmatic solutions with an ability to balance short term and long term goals.
• Proficient technical knowledge and familiarity with management information systems, cybersecurity, audits and internal controls.
• Experience working with engineering and non-engineering stakeholders to drive successful risk activities.
• Experience with establishing and maturing third party risk management programs, with a proven ability to balance third party risk with business need.
• Experience identifying gaps, creating and tracking correction action and mitigation plans to closure at scale.
• Self-motivated and well-organized to accomplish goals and tasks completely and on time.
• Experience successfully driving risk & compliance programs in globally distributed organizations.

The reasonably estimated base salary for this role ranges from $200,000 to $250,000, plus a competitive equity package. Actual compensation is based on the candidate's skills, qualifications, and experience.

What Else?

In addition to Postman's pay-on-performance philosophy, and a flexible schedule working with a fun, collaborative team, Postman offers a comprehensive set of benefits, including full medical coverage, flexible PTO, wellness reimbursement, and a monthly lunch stipend. Along with that, our wellness programs will help you stay in the best of your physical and mental health. If you have little ones in your family, the creche allowance can help in supporting your work-life balance. Our frequent and fascinating team-building events will keep you connected, while our donation-matching program can support the causes you care about. We’re building a long-term company with an inclusive culture where everyone can be the best version of themselves. 

At Postman, we embrace a hybrid work model. For all roles based out of San Francisco Bay Area, Boston, Bangalore, Noida, Hyderabad, and New York, employees are expected to come into the office 3-days a week. We were thoughtful in our approach which is based on balancing flexibility and collaboration and grounded in feedback from our workforce, leadership team, and peers. The benefits of our hybrid office model will be shared knowledge, brainstorming sessions, communication, and building trust in-person that cannot be replicated via zoom.

Our Values

At Postman, we create with the same curiosity that we see in our users. We value transparency and honest communication about not only successes, but also failures. In our work, we focus on specific goals that add up to a larger vision. Our inclusive work culture ensures that everyone is valued equally as important pieces of our final product. We are dedicated to delivering the best products we can.

Equal opportunity

Postman is an Equal Employment Opportunity and Affirmative Action Employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender perception or identity, national origin, age, marital status, protected veteran status, or disability status. Headhunters and recruitment agencies may not submit resumes/CVs through this website or directly to managers. Postman does not accept unsolicited headhunter and agency resumes. Postman will not pay fees to any third-party agency or company that does not have a signed agreement with Postman.