Senior GRC Engineer

At Docker, we make app development easier so developers can focus on what matters. Our remote-first team spans the globe, united by a passion for innovation and great developer experiences. With over 20 million monthly users and 20 billion image pulls, Docker is the #1 tool for building, sharing, and running apps—trusted by startups and Fortune 100s alike. We’re growing fast and just getting started. Come join us for a whale of a ride!

As an experienced Senior GRC Engineer, you’ll be a trusted advisor, collaborating closely with engineering and product teams to ensure security and compliance is a cornerstone of every product. You’ll partner with leadership to shape product strategy, advocate for strong security controls and influence future product iterations. By leveraging your deep industry knowledge, and expertise in programming and automation, you’ll drive the development and implementation of Governance, Risk and Compliance frameworks. You will develop and optimize automated solutions to streamline compliance processes, improve risk management workflows, and integrate GRC tools supporting Docker’s systems. This is a unique opportunity to make a foundational impact on the security of an innovative, fast-growing company by building scalable, proactive solutions that protect both our platform and the customers who trust us.

Responsibilities:

• Design, develop, and maintain automation automation workflows to streamline GRC processes such as compliance monitoring, controls, reporting and risk assessments

• Implement and customize GRC platforms using programming languages and APIs

• Develop scripts and tools to automate repetitive GRC tasks, such as audit evidence collection and control testing

• Build and maintain dashboards for real-time risk and compliance monitoring using data visualization tools

• Monitor, assess, and mitigate risks by leveraging automated systems and data-driven insights.

• Support internal and external audits by providing automated solutions for data collection and evidence generation.

• Cross collaborate between multiple security disciplines, supporting security engineering initiatives

• Establish partnerships with internal/external auditors, regulators, business stakeholders develop security requirements and controls.

• Perform critical data security reviews over newly released products and features.

• Oversee and maintain the Risk Register and Risk Management program to document, measure, and report assessments, risks, controls findings, and remediation activity

• Develop and maintain security metrics, using automated and manual processes to produce relevant KPIs about the governance program

• Draft and maintain corporate Information Security policies and departmental procedures and maps them to relevant control standards

• Builds and maintains company awareness and education progress around compliance

• Stay current with regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, NIST) and ensure compliance requirements are met

• Manage Dockers vendor due diligence process ensuring compliance and security controls are met.

Qualifications:

• Have 6 to 8 years of experience in Information Technology, Security Engineering, Governance, Risk and Compliance

• Proven experience in GRC engineering with a strong focus on automation and programming

• Proficiency in programming languages such as Python, and Golang

• Will have familiarity setting up APIs and Webhooks, at least one scripting language, and at least one public cloud architecture and control tool

• Hands-on experience with cloud environments, (e.g., AWS, Azure, Google Cloud) and their compliance automation tools

• Experience with DevSecOps practices and integrating security compliance into CI/CD pipelines

• In-depth knowledge of security framework controls as they apply to public cloud (AWS, GCP), and SaaS environments

• Have knowledge of information security risk management and information security technologies (e.g: SIEM, vulnerability management, data loss prevention and /or endpoint protection)

• Strong project management skills with the ability to lead and execute security assessment projects, vendor evaluations and initiatives on time with multiple stakeholders

• Solid understanding of regulatory and compliance standards (e.g., GDPR, ISO 27xxx, SOC 2)

• Ability to communicate complex technical and compliance information effectively to both technical and non-technical audiences

• Serve as the subject matter expert and advisor on complex security risks issues.

• Ability to participate in our incident response team on-call rotation

• Thrive in fast-paced environments and can adapt quickly in the face of constantly evolving cybersecurity challenges

• Nice to Have: Relevant industry certifications such as CISSP, CISA, CRISC

What to Expect

First 30 days

• Learn Docker’s compliance landscape, key frameworks and risk posture

• Meet with key stakeholders: Security, Legal, IT and Engineering teams

• Gain access to compliance platforms, security tools and documentation

• Review company policies, existing controls, and regulatory frameworks

• Understand risk management strategies and how compliance is integrated into engineering, security and business operations

First 90 days

• Conduct a maturity assessment of the compliance program to assess how well policies are being followed

• Begin a risk assessment project (vulnerability management, cloud security risks)

• Review the latest internal/external audits, compliance reports, and gap analyses

• Identify high-priority risks, open compliance issues, and pending security assessments

• Begin mapping key compliance frameworks to the organization’s policies and controls

• Understand vendor risk management processes and review third-party security assessments

• Work with engineering teams to integrate security & compliance controls into do the SDLC

• Update policies or controls to align with compliance frameworks

One Year Outlook

• Become the leader of compliance engineering

• Own and manage the Compliance GRC roadmap

• Automate compliance monitoring and controls

• Start contributing to audit preparation or certification processes (SOC 2, ISO 27xxx)

• Improve compliance automation within security engineering

• Develop and maintain a Compliance Risk Register with mitigation plans

• Support audit readiness (SOC 2, ISO 27xxx)

• Ensure third-party vendors meet compliance standards

• Create incident response playbooks for compliance standards

• Lead tabletop exercise for security incident response simulations

• Prepare the company for external audits and regulatory updates

• Drive a culture of compliance by advocating for security best practices in engineering

Docker does not offer visa sponsorship for this role.

We use Covey as part of our hiring and / or promotional process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on April 13, 2024.

Please see the independent bias audit report covering our use of Covey here.

Perks

• Freedom & flexibility; fit your work around your life

• Designated quarterly Whaleness Days plus end of year Whaleness break

• Home office setup; we want you comfortable while you work

• 16 weeks of paid Parental leave

• Technology stipend equivalent to $100 net/month

• PTO plan that encourages you to take time to do the things you enjoy

• Training stipend for conferences, courses and classes

• Equity; we are a growing start-up and want all employees to have a share in the success of the company

• Docker Swag

• Medical benefits, retirement and holidays vary by country

• Remote-first culture, with offices in Seattle and Paris

Docker embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our company will be.

#LI-REMOTE