
GRC Program Manager

Job in Albemarle, Stanly County, North Carolina, 28001, USA
Listing for: AILY LABS
Full Time position
Listed on 2026-06-27
Job specializations:
  • IT/Tech
    Cybersecurity
Job Description & How to Apply Below

Barcelona - Hybrid, Madrid - Hybrid
Full-time
Permanent employee

Mission

We're seeking a GRC Program Manager to own a defined set of compliance, risk, and security operations frameworks end-to-end. You won't spend your time on routine evidence collection or manual audit checklists—we automate that. Instead, you'll own the complexity: the stakeholder coordination, the conceptual design of how frameworks apply to our environment, and the human judgment calls that automation can't make.

Your scope extends beyond traditional GRC into the program and organizational aspects of Security Operations—ensuring detection, response, and operational processes are governed, measured, and continuously improved. Success means your frameworks run smoothly, auditors get what they need without chasing people, and control owners across the business understand what's expected of them—because you designed it that way. As a GRC Program Manager, you are the reference person for your assigned frameworks—spanning compliance, risk, and security operations.

You own them from interpretation through implementation—designing how controls map to our systems, coordinating across teams to ensure accountability, and managing external auditor relationships. You also own the programmatic and organizational side of Security Operations: how we structure detection and response processes, measure operational effectiveness, and ensure continuous improvement. Routine operational work is handled through AI and automation; your value is in the complexity that requires human judgment.

Framework Ownership & Coordination:
  • Own assigned compliance frameworks (e.g., SOC 2, ISO 27001, GDPR, AI regulations) end-to-end—from interpreting requirements and designing control mappings to ensuring audit readiness
  • Act as the single point of accountability for your frameworks: auditors, control owners, and leadership come to you for answers
  • Coordinate cross-functional stakeholders (Engineering, Product, Legal, People) to ensure controls are embedded in their workflows—not bolted on as afterthoughts
  • Manage external auditor relationships, including scoping discussions, audit planning, finding resolution, and certification delivery
  • Anticipate how regulatory changes affect your frameworks and proactively adapt the control environment
  • Own the program structure of Security Operations—defining how detection and incident response processes are organized, governed, and reported on
Conceptual Design & Judgment:
  • Design how abstract regulatory requirements translate into concrete, testable controls for our specific technology stack and business model
  • Make judgment calls on control applicability, risk acceptance recommendations, and framework interpretation where guidance is ambiguous
  • Define the conceptual structure of vendor assessments for your domain—what matters, what doesn't, and where to draw the line
  • Design and maintain the organizational framework for security operations—playbook governance, escalation structures, SLA definitions, and operational metrics
  • Author and maintain policies that are enforceable and aligned to how the business actually operates—not compliance theater
Stakeholder Enablement & Human Coordination:
  • Enable control owners to be self-sufficient: design clear expectations, provide context on why controls exist, and remove friction from their compliance responsibilities
  • Coordinate remediation across teams when gaps are identified—driving accountability without micromanaging execution
  • Communicate compliance posture and framework status to leadership in business terms
  • Resolve ambiguity and competing priorities between business velocity and compliance obligations—finding paths that serve both
AI & Automation Leverage:
  • Design and maintain automated evidence collection, monitoring, and reporting workflows so routine compliance work runs without manual intervention
  • Continuously identify where human effort in your programs can be replaced by automation, AI-assisted review, or platform configuration
  • Use AI tools as a force multiplier for research, gap analysis, policy drafting, and audit preparation—the expectation is that you operate at a level only…