Back to jobs
New

Principal Security Engineer – GRC Team Lead (Remote Eligible)

Bellevue, WA, USA

For over 20 years, Smartsheet has empowered teams to manage work seamlessly and scale solutions smarter. Now, in our most ambitious chapter yet, we are uniting human teams with AI agents. By orchestrating the work agents do best, automating manual tasks and uncovering insights at scale, we create the space for people to focus on what truly matters: judgment, creativity, and big thinking. That is magic at work, and it’s what we show up for every day.

Smartsheet's GRC function is at an inflection point. As we scale our compliance programs across multiple frameworks (SOC 2, ISO 27001, FedRAMP, HIPAA, and emerging regulations), the manual work is becoming unsustainable. We need a technical GRC leader—someone who understands both compliance deeply and how to engineer solutions. As GRC Team Lead, you'll architect the technical foundation for how Smartsheet manages risk and compliance at scale. You'll design policy-as-code systems, build custom control frameworks aligned with our unique architecture, manage full audit cycles, and lead process improvements that make our GRC function a scalable engine. This is a principal-level role combining compliance expertise with technical execution. You'll be responsible for the strategy and delivery of GRC automation, evidence collection systems, audit readiness, risk management workflows, and technical control implementation. You'll work across security, engineering, and product teams to embed compliance into operations and reporting. This is an excellent opportunity to define how a world-class SaaS company approaches GRC in 2026 and beyond.

What You Will Do

  • Own the end-to-end GRC strategy and roadmap: Lead the planning and prioritization of GRC initiatives that drive compliance maturity, reduce audit risk, and improve operational efficiency.
  • Design and implement policy-as-code systems: Translate compliance frameworks (SOC 2, ISO 27001, FedRAMP, HIPAA) into enforceable code, leveraging Infrastructure-as-Code (Terraform, CloudFormation) and automated compliance validation.
  • Build custom control frameworks: Design Smartsheet-specific Unified Control Frameworks (UCF) and Secure Control Frameworks (SCF) that map to our cloud architecture, multi-framework requirements, and organizational risk appetite.
  • Lead full audit cycles: Manage preparation, execution, and resolution for SOC 2 Type II, ISO 27001, FedRAMP, and other certification audits. Own evidence gathering, audit readiness tracking, and post-audit remediation.
  • Architect GRC platform strategy: Evaluate, select, configure, and integrate GRC tooling (Vanta, Drata, or similar) with our cloud infrastructure, identity systems, ticketing systems, and CI/CD pipelines to enable continuous compliance monitoring.
  • Design automated evidence collection and validation: Build data pipelines and integrations that automatically collect compliance evidence from AWS, application logs, identity systems, and operational tools; validate accuracy and reduce manual verification.
  • Translate compliance requirements into technical implementations: Work with engineering and security teams to express policies and regulatory requirements in a way they can execute and monitor—breaking down silos between compliance and technical teams.
  • Establish risk management and governance processes: Design and operate risk registers, control effectiveness assessments, continuous monitoring workflows, and escalation processes that provide leadership with real-time visibility into compliance posture.
  • Build and lead the GRC team: Mentor and develop your team, establish technical and operational practices, define the playbooks for compliance execution, and create a culture of continuous improvement.

What You Have

  • 10+ years of experience in GRC, compliance, security engineering, or related roles, with 5+ years in a technical or leadership capacity managing compliance programs at scale.
  • A degree in Computer Science, Computer Engineering, Cybersecurity or a related field or equivalent practical experience.
  • Deep hands-on expertise in running full audit cycles across multiple frameworks, particularly SOC 2 Type II, ISO 27001, and FedRAMP. You've managed evidence preparation, control testing, audit remediation, and continuous monitoring.
  • Strong technical foundation in cloud architecture and compliance: Working knowledge of AWS/GCP/Azure, infrastructure-as-code (Terraform), CI/CD pipelines, identity and access management, encryption, and logging—sufficient to design control implementations and validate technical posture.
  • Hands-on experience with GRC platform administration and customization (Vanta, Drata, ServiceNow GRC, or equivalent), including integration design and workflow automation.
  • Proficiency in policy-as-code and compliance-as-code principles: Experience implementing automated controls, policy enforcement, and continuous compliance validation through code and configuration.
  • Fluency in multiple compliance frameworks: Deep knowledge of SOC 2 Trust Service Criteria, ISO 27001 control objectives, NIST 800-53 (or 800-171 for government), and experience with HIPAA, GDPR, and industry-specific frameworks.
  • Scripting and automation skills: Comfortable with Python, Bash, or similar for building integrations, data pipelines, and automated control validation.
  • Excellent communication and program management: Ability to distill complex compliance concepts for both technical and business audiences, manage multi-workstream programs, and drive alignment across teams.
  • Some federal/government sector experience is valuable but not required: Understanding of FedRAMP processes, government compliance nuances, and federal contractor requirements is a plus.
  • US Person Status: Must be a U.S. Citizen, U.S. National to meet federal compliance requirements.

Nice to Have

  • Professional certifications: CISSP, CISM, CISA, CRISC, GRCP, or AWS Certified Security – Specialty.
  • Experience with AI governance frameworks (NIST AI RMF, ISO 42001) as emerging compliance requirements.
  • Background in DevSecOps or security operations with hands-on CI/CD and Infrastructure-as-Code experience.
  • Experience with SaaS-scale operations and rapid compliance scaling in high-growth environments.

Current US Perks & Benefits:

  • Employer subsidized medical/vision and dental coverage for full-time employees
  • 401k Match to help you save for your future (50% of your contribution up to the first 6% of your eligible pay)
  • Monthly stipend to support your work and productivity
  • Flexible Time Away Program, plus Sick Time Off
  • US employees are automatically covered under Smartsheet-sponsored life insurance, short-term, and long-term disability plans
  • US employees receive 12 paid holidays per year
  • Up to 24 weeks of Parental Leave
  • Personal paid Volunteer Day to support our community
  • Opportunities for professional growth and development including access to Udemy online courses
  • Company Funded Perks, including a counseling membership, local retail discounts, and your own personal Smartsheet account
  • Teleworking options from any registered location in the U.S. (role specific)

Smartsheet provides a competitive base salary range for roles that may be hired in different geographic areas we are licensed to operate our business from. Actual compensation is determined by several factors including, but not limited to, level of professional, educational experience, skills, and specific candidate location. In addition, this role will be eligible for a market competitive incentive opportunity.

US Base Salary Pay Range

$205,000 - $275,000 USD

 

Get to Know Us:

At Smartsheet, your ideas are heard, your potential is supported, and your contributions have real impact. You’ll have the freedom to explore, push boundaries, and grow beyond your role. We welcome diverse perspectives and nontraditional paths—because we know that impact comes from individuals who care deeply and challenge thoughtfully. When you’re doing work that stretches you, excites you, and connects you to something bigger, that’s magic at work. Let’s build what’s next, together.

Equal Opportunity Employer:

Smartsheet is an Equal Opportunity (EEO) employer committed to fostering an inclusive environment with the best employees. It is our policy to provide equal employment opportunities to all qualified applicants in accordance with applicable laws in the US, UK, Australia, Germany, Costa Rica, Japan, Bulgaria, India, and Singapore. All qualified applicants will receive consideration without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information. 

If there are preparations we can make to help ensure you have a comfortable and positive interview experience, please let us know.

 

#LI-Remote

Create a Job Alert

Interested in building your career at Smartsheet? Get future opportunities sent straight to your email.

Apply for this job

*

indicates a required field

Phone
Resume/CV*

Accepted file types: pdf, doc, docx, txt, rtf

Cover Letter

Accepted file types: pdf, doc, docx, txt, rtf


Education

Select...
Select...
Select...

Select...

Before you submit your application, please read and acknowledge receipt of the Applicant Privacy Notice.

If yes, please include name(s) and the nature of the relationship(s). If no, please type no. 

Select...
Select...
Select...
Select...

Voluntary EEOC Demographics

At Smartsheet, we strive to build an inclusive environment that encourages, supports, and celebrates the diverse voices of our team members. Individuals seeking employment at Smartsheet are considered without regards to race, ethnicity, color, age, sex, religion, national origin, ancestry, pregnancy, sexual orientation, gender, gender identity, gender expression, genetic information, physical or mental disability, registered domestic partner status, caregiver status, marital status, veteran or military status, citizenship status, or any other legally protected category in the US, UK, and Australia.

Below is a set of voluntary demographic questions. If you choose to complete them, your responses will be used in aggregate to help us identify areas for improvement in our programs. Your responses, or your choice to not respond, will not be considered in the hiring process. Any information that you provide will be recorded and maintained confidentially.

For definitions of any of the following terms or to read more about your rights, please visit the EEOC website here

Select...
Select...
Select...
Select...
Select...

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Smartsheet’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Select...
Select...
Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Select...

Voluntary Self-Identification of Disability

Form CC-305
Page 1 of 1
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury
Select...

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.



We use Greenhouse’s AI-powered Talent Matching tool to compare your application against our job requirements.

Learn more