latchhire

Security Engineer, GRC

Plaid · San Francisco HQ, Seattle Office, New York City Office (Hybrid)
Hybrid$156–213kNew mid security engineer
Apply on Plaid →
We believe that the way people interact with their finances will drastically improve in the next few years. We’re dedicated to empowering this transformation by building the tools and experiences that thousands of developers use to create their own products. Plaid powers the tools millions of people rely on to live a healthier financial life. We work with thousands of companies like Venmo, SoFi, several of the Fortune 500, and many of the largest banks to make it easy for people to connect their financial accounts to the apps and services they want to use. Plaid’s network covers 12,000 financial institutions across the US, Canada, UK and Europe. Founded in 2013, the company is headquartered in San Francisco with offices in New York, Washington D.C., London and Amsterdam. The Security Governance, Risk, and Compliance (GRC) team is part of Plaid’s security organization, focused on enabling the business by proactively managing information security risks and maintaining effective controls. Our mission is to reduce the likelihood and impact of security risks while operating a robust assurance program that builds trust with our customers, consumers, and data partners. We own Plaid’s security compliance frameworks, run our audits and risk programs, and partner across the company to keep Plaid’s platform secure, resilient, and aligned with industry and regulatory expectations. GRC Engineering is how we make all of that scale — turning compliance into code, evidence into telemetry, and audits into a continuous, automated capability. The Role: You will own GRC Engineering at Plaid — a foundational, high-ownership role defining an emerging discipline from the ground up. Today most of our compliance work is manual and point-in-time; you will turn it into an engineered system that is continuous, data-driven, and scalable, and set the technical direction for the field. You will: Define the discipline and the architecture — how GRC Engineering works at Plaid, not just execute within it. Build the foundation the function runs on — a codified source of truth for controls, policies, and evidence, fed by live pipelines and continuous controls monitoring. Be the engineering backbone for Security Assurance & Trust Enablement, Third-Party Ecosystem Risk, and Risk Management Make risk visible and data-driven — turning control and risk data into real-time signals for the team and leadership. Pioneer where compliance is heading — compliance-agents-as-code in the SDLC, AI- and agent-driven workflows, and machine-readable continuous compliance (FedRAMP 20x). This role is perfect for you if: You think in systems: you'd rather design the thing that eliminates a whole class of manual work than automate one task at a time. You love building and shipping internal tools and solutions that people actually use. You're relentlessly curious — you poke, you investigate, and you dig into how controls can silently fail, drift, or get bypassed so you can catch it automatically. You treat every roadblock as just an obstacle to route around — you don't back down, because there's always a path. You like range — juggling several problems across security, risk, compliance, and engineering beats grinding on a single one. You're energized by turning compliance from a documentation exercise into demonstrable, continuous, machine-readable evidence. Responsibilities: Architect GRC's Engineering Foundation: Build the pipelines and codified source of truth the function runs on — controls, policies, and framework mappings captured as structured, version-controlled data and fed by live control and system state — so one control maps evidence across SOC 2, ISO, NIST, and beyond instead of being re-collected for every audit. Build Continuous Controls Monitoring: Automate evidence collection, control testing, and monitoring across cloud and internal systems, and write and tune the detection that flags drift and misconfiguration against baseline — so audit readiness is continuous and gaps surface the moment they appear, not at audit time. Turn Data into Risk Signal: Build dashboards and SQL-driven reporting that turn raw control and risk data into KPIs, giving the team and leadership real-time visibility into risk posture. Drive Data-Informed Risk Assessments: Conduct security and technology risk assessments and recommend mitigations using data — keeping the risk management program running while cutting its manual overhead. Automate Operational Toil : Eliminate the recurring manual work the team carries — evidence pulls, access and vendor reviews, questionnaires, risk-register upkeep, status reporting — with durable automation that gives time back across every workstream. Shift Compliance Left with Code and AI : Embed compliance checks into the CI/CD flow as policy-as-code so controls are validated as code ships, prototype self-healing policies reconciled against live infrastructure, and scale agentic / AI-assisted workflows across the function. Future-proof for Continuous Compliance: Build toward machine-readable, continuously validated evidence (FedRAMP 20x-style Key Security Indicators), positioning Plaid to meet continuous-compliance expectations as we enter new markets and pursue new authorizations. Qualifications: Software & Data Engineering Foundations: Strong Python and SQL, with a proven track record of building API/webhook integrations that connect disparate systems. Experience owning an internal tool or service end to end — design, build, operate, and maintain — with real users depending on it. Hands-on experience with AWS and cloud-native security controls, including the ability to query cloud, GitHub, and SaaS logs. Proficiency with dashboarding / data-visualization tools (e.g., Mode) to turn control and risk data into KPIs and signal. Applied GRC Engineering: Experience building and operating continuous controls monitoring end to end — collecting signal from live systems, writing and tuning the detection logic that compares state to a baseline, alerting, and driving remediation. Demonstrated ability to model controls, policies, and framework mappings as structured, version-controlled data rather than docs and spreadsheets. Hands-on experience with IaC (Terraform) and policy-as-code (OPA/Rego, Sentinel), including embedding compliance checks into CI/CD. Proven ability to eliminate recurring operational toil — evidence pulls, access and vendor reviews, questionnaires, risk-register upkeep, status reports — with durable automation rather than one-off scripts. Compliance & risk knowledge: Working knowledge of SOC 2, ISO 27001/27701, and NIST CSF/800-53, with the ability to map controls to evidence and crosswalk a single control across frameworks. Experience conducting security or technology risk assessments and translating findings into data-driven mitigation. Familiarity with the shift to continuous compliance (FedRAMP 20x, machine-readable Key Security Indicators) and how it changes evidence and control design. AI fluency & tooling: Demonstrated ability to build and scale agentic / AI-assisted workflows (Claude, OpenAI) as leverage for the whole team. Cross-functional effectiveness: Ability to work independently and cross-functionally across security, infrastructure, and engineering, with strong prioritization and the ability to influence without authority. Nice to have: Direct experience with FedRAMP or FedRAMP 20x, or other public-sector / continuous-compliance authorizations. Experience with audit ›/ compliance automation platforms (Anecdotes, Drata, Vanta, Paramify, or similar). Exposure to security incident response and triage. Experience in a high-growth fintech or financial-services environment. Degree in Computer Science, Cybersecurity, or a related field. Our mission at Plaid is to unlock financial freedom for everyone. To support that mission, we seek to build a diverse team of driven individuals who care deeply about making the financial ecosystem more equitable. We recognize that strong qualifications can come from both prior work experiences and lived experiences. We encourage you to apply to a role even if your experience doesn't fully match the job description. We are always looking for team members that will bring something unique to Plaid! Plaid is proud to be an equal opportunity employer and values diversity at our company. We do not discriminate based on race, color, national origin, ethnicity, religion or religious belief, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender, gender identity, gender expression, transgender status, sexual stereotypes, age, military or veteran status, disability, or other applicable legally protected characteristics. We also consider qualified applicants with criminal histories, consistent with applicable federal, state, and local laws. Plaid is committed to providing reasonable accommodations for candidates with disabilities in our recruiting process. If you need any assistance with your application or interviews due to a disability, please let us know at accommodations@plaid.com. Please review our Candidate Privacy Notice here . Additional compensation in the form(s) of equity and/or commission are dependent on the position offered. Plaid provides a comprehensive benefit plan, including medical, dental, vision, and 401(k). Pay is based on factors such as (but not limited to) scope and responsibilities of the position, candidate's work experience and skillset, and location. Pay and benefits are subject to change at any time, consistent with the terms of any applicable compensation or benefit plans.
Posted 2026-07-16