
Senior GRC Analyst

Docker, Inc · 5 days ago
Canada (Remote)
€83,653 - €127,803 per year
Senior Level
Full-Time

Top Benefits

100% company paid medical premiums for employees and dependents
Flexible Time Off Policy
Generous Maternity and Parental Leave

About the role

  • As a Senior GRC Analyst, you will report to the Security Engineering Manager – GRC and own the buildout and operation of Docker’s risk management program
  • You will design and implement enterprise risk management processes, including security risk assessments, third-party risk management, and the risk register
  • You will also lead Docker’s AI governance initiative, developing the policies, assessments, and controls needed to ensure responsible AI use across the company
  • This role requires a builder’s mindset: someone who can take ambiguous problem spaces, define what good looks like, and deliver operational programs that scale
  • You will collaborate cross-functionally with Engineering, Product, Legal, IT, and Security Engineering to embed risk awareness into Docker’s decision-making processes
  • Own and drive the compliance program roadmap, aligning framework requirements (SOC 2, ISO 27001, ISO 27701, ISO 42001) with business objectives and product strategy
  • Lead cross-functional compliance initiatives with Engineering, Product, Legal, and IT, serving as the authoritative voice on governance and risk matters
  • Design and maintain Docker’s unified control framework, including cross-mapping to NIST 800-53 and identifying control gaps across multiple standards
  • Plan and execute internal audits end-to-end: scoping, evidence collection, control testing, findings management, and external auditor coordination
  • Advise GRC Engineering on which integrations to configure and which controls require automated monitoring
  • Perform and lead risk assessments across systems, processes, third-party tools, and cloud configurations, translating findings into actionable risk treatment plans
  • Own the vendor risk management program, evaluating third-party vendors against compliance and security standards and driving remediation of identified gaps
  • Draft, review, and maintain corporate security policies and map them to relevant control standards, ensuring alignment across frameworks
  • Establish and report on compliance metrics and KPIs, providing data-driven visibility into program maturity to leadership
  • Stay current with evolving regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, AI governance regulations) and proactively assess their impact on Docker’s compliance posture

First 30 days

  • Learn Docker’s risk landscape, key business processes, and existing risk documentation
  • Meet with key stakeholders across Security, Legal, IT, Engineering, and Product
  • Gain access to GRC platforms, risk management tools, and relevant documentation
  • Review the current risk register, vendor inventory, and third-party assessment process
  • Understand Docker’s compliance frameworks (ISO 27001, ISO 27701, SOC 2) and how risk management integrates with assurance activities

First 90 days

  • Conduct a maturity assessment of the risk management program and identify priority gaps
  • Begin operationalizing the risk register with consistent scoring, ownership assignment, and treatment tracking
  • Take ownership of third-party risk management, including the vendor assessment queue
  • Kick off the AI governance initiative: inventory existing AI use cases and draft an AI governance policy
  • Design an initial GRC metrics framework and deliver the first iteration of risk reporting to leadership
  • Support audit activities as needed, providing evidence and coordinating with control owners

First year

  • Own and mature Docker’s enterprise risk management program with documented processes, regular risk reviews, and executive reporting
  • Deliver a fully operational third-party risk management program with defined SLAs, assessment workflows, and remediation tracking
  • Establish Docker’s AI governance program, including policy, assessment process, and alignment toward ISO 42001 readiness
  • Deliver recurring GRC metrics and dashboards that provide leadership visibility into risk posture and program health
  • Contribute to audit readiness and evidence collection for SOC 2, ISO 27001, and ISO 27701 cycles
  • Serve as a trusted advisor on risk matters across cross-functional teams

Benefits

  • Flexible Time Off Policy
  • 100% company paid medical premiums for employees and dependents
  • “Whaleness” Days — At least 1 company wide day off per month
  • Generous Maternity and Parental Leave
  • Employer Paid Holidays
  • Training Allowances
  • Virtual and In-Person Social Events
  • Life and Disability Insurance
  • Docker Swag
  • Retirement Plans
  • Monthly Technology Stipend
  • Home Office Set Up Budget
  • Quarterly Hackathons
  • Virtual Coffee with Co-Workers

Qualifications

  • Working knowledge of security frameworks and standards including ISO 27001, SOC 2, NIST 800-53, and GDPR
  • Experience designing metrics and reporting for GRC programs, including dashboards and executive-level summaries
  • Familiarity with cloud environments (AWS, GCP, Azure) and their risk and compliance implications
  • Familiarity with AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF) or a demonstrated ability to learn and apply new frameworks quickly
  • Strong written and verbal communication skills with the ability to translate risk and compliance topics for both technical and non-technical audiences
  • Demonstrated experience building or operating an enterprise risk management program, including risk assessments, risk registers, and risk treatment planning
  • Experience with third-party risk management, including vendor security assessments and due diligence
  • Track record of building and maturing GRC programs from the ground up, including defining processes, creating documentation, and operationalizing workflows
  • 4 to 6 years of experience in Information Security, Governance, Risk, and Compliance
  • Self-motivated with experience thriving in remote-first, fast-paced environments

Nice to Have

  • Experience with GRC platforms (Anecdotes, ServiceNow GRC, OneTrust, or similar)
  • Experience with automation or scripting for risk management workflows
  • Relevant industry certifications such as CRISC, CISA, CISSP, or CCSK

About Docker, Inc

Software Development