GRC Engineer

Method has built the most modern way to connect to consumer financial accounts. Combining real-time liability connectivity with instant payment execution, Method’s API is designed to make it easy for people to connect their financial accounts to the apps and services they want to use.
We have helped 45+ million users connect 350+ million liability accounts credential-less and processed over $2.5B in payments, helping users save millions in interest. One in every three credit cards in the United States is in the Method ecosystem and leading financial institutions like SoFi, Bilt, Cleo, Sezzle, Figure & Aven rely on our APIs to build magical experiences for millions of consumers.
We’re a team of 50+ people spread across offices in Austin, SF, New York City, and Washington D.C! We’re excited to continue the momentum working alongside our investors and advisors from Andreessen Horowitz, Emergence Capital, Y Combinator, Avra, and Ardent. To learn more about us, check out our blog!

We're hiring a GRC Engineer to help build and operationalize Method's Security and Compliance function. You'll play a critical role in enabling trust for our customers by designing, implementing, and maintaining compliance programs for a modern financial platform used across a wide range of regulated industries.

This is a hands-on role with broad ownership and real impact. You'll own the day-to-day governance, risk, and compliance operations — maintaining audit readiness, responding to enterprise security reviews with confidence, and scaling our compliance footprint as the business grows. That means understanding applicable frameworks, translating requirements into practical and scalable controls, and partnering across the company to embed compliance into our products, systems, and operations.

You'll work closely with Engineering, Finance, Legal, and Go-to-Market teams to ensure our security controls are not only documented but operationalized. You'll have the opportunity to apply your expertise directly, influence technical and business decisions, and grow alongside a fast-moving organization as our compliance and security programs continue to evolve.

• Partner cross-functionally to design, implement, and maintain compliance programs, including SOC 2, PCI-DSS, and others as needed.

• Own and maintain the compliance platform (Drata), including control mapping, evidence collection, continuous monitoring, and audit workflows.

• Oversee audits, certifications, third-party assessments, and vulnerability management to maintain compliance and operational credibility.

• Manage control documentation, policies, procedures, and supporting artifacts across multiple compliance frameworks.

• Perform risk assessments, vendor security reviews, and control gap analyses, and track remediation through to completion.

• Build and maintain vendor risk management processes, including onboarding evaluations, annual reviews, risk scoring, and data sensitivity assessments.

• Partner with Finance and Legal to implement structured vendor and customer risk profiling programs.

• Partner with Security, IT, and Engineering teams to ensure technical and administrative controls align with documented policies and compliance requirements, including hands-on testing.

• Support Go-To-Market teams with customer security questionnaires, audits, and compliance packaging for sales cycles.

• Conduct periodic user access reviews and assist with access governance and RBAC validation.

• Develop and maintain compliance reporting, metrics, and executive-ready summaries.

• Identify process gaps and implement scalable governance improvements, including automation and tooling to scale with the business.

• Oversee security awareness training and compliance education initiatives.

• Participate in incident response activities, providing risk analysis and remediation support as needed.

• 3–5+ years of experience in IT Audit, Governance, Risk & Compliance, and/or Information Security, ideally in a startup or growth-stage environment.

• Direct experience with SOC 2; PCI-DSS experience strongly preferred.

• Comfortable working directly with auditors, managing audit timelines, and driving evidence collection across teams.

• Strong understanding of cloud infrastructure (AWS), identity systems (Okta), and SaaS environments.

• Understand APIs and integration patterns conceptually: REST APIs, webhooks, authentication flows, polling vs. push architectures, and can evaluate systems based on how well they expose data and support automation, even if you're not writing the integration code yourself.

• A systems thinker first. You understand how complex environments work: how data flows between systems, where integration points exist, what breaks when systems don't talk to each other. Your strength is designing the right architecture and environment for security monitoring, not necessarily implementing it yourself.

• Experience with GRC platforms, security questionnaire tools, or compliance automation tooling is a plus.

• Highly organized and process-oriented, with strong written communication skills.

• Low ego, collaborative, and pragmatic — someone teammates genuinely want to work with.

• Hands-on coding or scripting experience (e.g., automation, tooling, or security-related development).

• Experience building or scaling a GRC program from the ground up.

• Security industry qualification (CISSP, CISM, CISA, or similar).

• Cloud-specific certifications (CCSP, AWS Certified Security Specialty, CCSK, etc.).

--

The annual US base salary range for this role is: $125,000-$160,000