UP.Labs is a venture studio looking for a Sr. Security Controls & Compliance Engineer to establish a robust security control foundation across various applications. The role involves hands-on execution of security measures, ensuring compliance with enterprise customer requirements, and preparing applications for SOC 2 readiness.
Responsibilities:
- Build, implement, and operate security and compliance controls across multiple venture applications and supporting systems
- Translate enterprise customer security, data handling, and TPRM requirements into practical technical controls, operational workflows, evidence requirements, and remediation plans
- Create a reusable security control baseline that can be applied across current and future venture applications
- Configure and operate compliance automation platforms such as Vanta, Drata, Secureframe, or similar tools
- Configure evidence integrations across systems such as cloud platforms, GitHub, identity providers, ticketing systems, device management tools, productivity platforms, and security tooling
- Implement identity and access controls, including SSO, MFA, role-based access, least-privilege permissions, access review workflows, and offboarding evidence
- Implement secure SDLC controls, including branch protection, required code reviews, code scanning, dependency scanning, secret scanning, vulnerability management workflows, and release/change management evidence
- Implement or configure cloud security controls, including IAM policies, encryption settings, logging, monitoring, backup settings, network restrictions, and security alerting
- Implement operational security workflows, including vendor review, risk review, change management, policy attestation, incident response evidence, exception tracking, and recurring control reviews
- Maintain a centralized control library mapped to SOC 2 Trust Services Criteria, customer-specific requirements, and relevant frameworks such as ISO 27001, NIST CSF, or CIS Controls
- Support SOC 2 readiness activities, including control mapping, evidence requirements, gap tracking, audit preparation, and control verification
- Identify launch-blocking security gaps and close them directly where possible
- Partner with product engineering only where application-specific code, architecture, or deeper infrastructure changes are required
- Write clear technical requirements and acceptance criteria for any security work that must be completed by product engineering
- Review and verify control implementation to ensure controls are actually operating and producing evidence
- Support customer security questionnaires, audits, evidence requests, and enterprise security reviews with accurate technical detail
- Track control gaps, remediation status, launch blockers, and compliance risk for leadership
- Help create a repeatable security implementation playbook that future ventures can inherit as they mature or spin out
Requirements:
- 5+ years of experience in security engineering, cloud security, DevSecOps, security operations, security compliance, GRC, or a related field
- Hands-on experience implementing security controls in cloud/SaaS application environments
- Experience supporting SOC 2 readiness, SOC 2 audits, or similar compliance programs
- Strong understanding of security controls, audit evidence, policy requirements, control testing, and control operation
- Experience translating customer or enterprise security requirements into practical technical controls
- Ability to configure and operate security and compliance systems directly, not just document requirements
- Experience with identity and access controls, including SSO, MFA, RBAC, least privilege, access reviews, and offboarding controls
- Experience with secure SDLC controls, including source control permissions, code reviews, branch protection, vulnerability management, dependency scanning, secret scanning, and change management evidence
- Experience with cloud security controls such as IAM, encryption, logging, monitoring, backups, network restrictions, and alerting
- Experience with compliance automation or GRC tools such as Vanta, Drata, Secureframe, OneTrust, Tugboat Logic, or similar platforms
- Familiarity with tools such as GitHub, Jira, Linear, Okta, Google Workspace, Slack, AWS, Azure, GCP, or similar systems
- Strong written communication skills for policies, procedures, audit documentation, technical requirements, and customer-facing security responses
- Ability to operate in an ambiguous, fast-moving startup or venture environment
- Experience supporting enterprise customers with strict security, data handling, or TPRM requirements
- Experience in venture-backed startups, SaaS companies, enterprise software, or venture studio environments
- Familiarity with SOC 2 Trust Services Criteria, ISO 27001, NIST CSF, CIS Controls, or similar frameworks
- Experience implementing security controls across AWS, Azure, GCP, or multi-cloud environments
- Experience with GitHub security features, CI/CD security controls, vulnerability management tools, and cloud security monitoring tools
- Experience with identity platforms such as Okta, Google Workspace, Microsoft Entra ID, or similar
- Experience with logging, monitoring, incident response, vendor risk, evidence automation, and security questionnaire support
- Relevant certifications such as CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer, AWS Security Specialty, Security+, or similar