Staff Security Engineer – Cyber Governance & Automation

This role is designed for a stafflevel security practitioner with deep Cyber Governance Risk and Compliance (GRC) expertise who shapes the vision strategy and outcomes of GEICOs cyber governance automation capabilities. The Staff Security Engineer owns the endtoend automated cyber governance program including defining and delivering the roadmap for continuous control monitoring and validation scalable evidence collection and realtime audit readiness across GEICOs hybrid cloud and onprem environments.

This position partners closely with engineering and platform teams to translate complex regulatory policy and control requirements into prioritizedwell-definedautomation capabilities ensuring solutions are scalable sustainable and aligned to enterprise risk priorities. Success in this role means turning governance requirements into durableoutcome drivenproducts thatdemonstratecontrol effectiveness and reduce audit friction.

Cyber Governance Product & Program Ownership

• Contribute to the vision strategy and roadmap for GEICOs cyber governance automation capabilities driving delivery through prioritized execution and continuous improvement.

• Define how policies standards regulatory frameworks and technical controls are operationalized and continuously validated through automated evidence collection.

• Own governance automation platforms endtoend as the system of record for control health evidence and audit readiness across cloud and onprem environments.

• Drive near100% automation coverage including designing scalable onprem automation strategies and governing compensating controls where full automation is not feasible while maintaining audit defensibility.

• Define and enforce governance standards for automation coverage targets evidence SLAs control performance metrics and telemetry requirements.

• Own the governance automation roadmap prioritizing work based on risk reduction regulatory requirements and operational efficiency.

• Establish and operationalize a standardized riskbased remediation lifecycle including severity classification timelines escalation paths closure criteria and enforced SLAs.

• Maintain ownership of remediation scheduling frameworks and forwardlooking visibility into upcoming deadlines.

• Ensure all noncompliance is consistently tracked prioritized and driven to closure through scalable workflows.

• Partner with compliance risk audit and engineering leaders to ensure governance capabilities align with enterprise risk priorities and regulatory obligations (e.g. NYDFS PCI DSS NIST CSF SOC ISO).

• Act as the single point of accountability for governance automation outcomes including executivelevel risk remediation and auditreadiness reporting with forecasting.

Technical Strategy & Product Stewardship

• Own theproduct strategyanddirectionfor GEICOs Automated Cyber Governance capabilities ensuring clearsystemofrecorddefinitions scalability expectations and alignment tolongtermenterprise needs.

• Partner with engineering and platform teams todefine and prioritize governance automation capabilities providing product requirements architectural guardrails and acceptance criteria rather than performing direct system development.

• Define andmaintainintegration principles system boundaries and data standardsto ensure reliable secure and consistent evidence flows across cloud platforms security tools and internal systems.

• Evaluate and guide the responsible use of AI capabilities within governance platforms(e.g. evidence classification control mapping suggestions risk summarization) ensuring explainability auditability and alignment with regulatory expectations.

• Serve as theprimary point of accountability for governance automation outcomes working with engineering leaders to resolve complex platform challenges and ensuresolutionsremainreliable sustainable and fit for purpose.

• Ownership of100% source system adoptionfeeding governance evidence (e.g. cloud IAM logging asset inventory)

• Accountability foridentifyingand closing:Missing telemetry Integration gaps Inconsistent or unreliable data sources Enforcement of standardized telemetry and data requirements across teams

• Ownership of automated control quality assuranceincludingFalse positive / false negative reduction Control tuning Drift detection

• Ensuring all automated evidenceisAuditdefensible Traceable Aligned to regulatory intent

• Ownership ofcontrol change managementfor new and modified controls

• Translating regulatory policy and control changes into:Engineering requirements

• Implementation guidance Evidence expectations

• Proactive stakeholder communication:What is changingWhyit matters Compliance deadlines Tracking and escalatingcontrol adoption readiness risks

Automation & Continuous Control Monitoring

• Define how security policies standards and control requirements aretranslated into automated continuouslymonitoredcontrol capabilities including clear requirements success criteria andevidenceexpectations.

• Establish standards and expectations forautomated detection of controlnonadherence and partner with engineering and remediation teams to ensureappropriate remediationguidance workflows or integrations are in place.

• Ensure evidence outputs areauditready traceable repeatable and aligned to regulatory intent materially reducing reliance onpointintime manual evidence collection.

• Apply AIassisted techniques to improve control validation and evidence quality such as anomaly detection evidence completeness checks control drift identification and signal prioritization across large control populations.

• Leverage AIenabled insights to reduce noise and surface material control failures ensuring governance automation focuses on true risk rather than generating lowvalue alerts.

CrossFunctionalLeadership & Enablement

• Serve as atrusted partner and advisorto engineering infrastructure cloud and security teams by providing clarity on governance requirements regulatory intent and how they are operationalized through scalable solutions.

• Influence partner teams to adopt aproductandautomation firstapproachto governance compliance and policy adherence reducing manual effort and improving consistency across the enterprise.

• Communicate complex technical and regulatory concepts clearly to a broad range of stakeholders including engineers risk and audit partners and executive leadership.

• Contribute to raising the organizationsgovernance automation and product maturitythrough guidance enablement andcrossfunctionalcollaboration.

Program Maturity & Continuous Improvement

• Continuously assess governance automation capabilities processes and supporting tools toidentifyopportunities toscale adoption increase automation coverage and improve effectiveness.

• Own the definition and evolution ofcyber governance metrics and reporting including dashboards that provide clear visibility into control health automation coverage audit readiness and risk posture for executive and stakeholder audiences.

• Track product and program outcomesidentifygaps against regulatory and riskobjectives andprioritize improvement initiativesthat advance maturityquarter over quarter.

• IncorporateAIdriveninsights into governance metrics and reporting such as trend analysis control health forecasting or remediation prioritization to improve executive visibility anddecision-making.

• Promote continuous learning andbest practicesharing across cyber governance risk audit and engineering communitiesto improve consistency effectiveness andlong-termsustainability.

Metrics Reporting & Executive Insight

• Establishesand enforces the cyber governance metric model that directly drives control effectiveness remediation accountability and enterprise risk reduction. The Staff Security Engineer has clear ownership of defining standardizing and operationalizing metrics that are automationbacked auditable and actively used to hold teams accountable

Accountable for defining and owning core governance metrics including:

• Automation coverage (%) across regulatory and internal control sets

• Continuous vs. manual control execution ratio

• Evidence freshness and SLA adherence for automated controls

• Control failure rates and recurrence trends

• Remediation mean time to resolution (MTTR)

• Tool control and automation adoption and utilization rates

• SLA adherence by severity tier for policy control and regulatory findings

Executive reporting produced by this role:

• Clearly ties automation outcomes tomeasurable risk reduction

• Demonstrates sustained realtimeaudit readinessand control health

• Quantifiesoperational efficiency gainsfrom automation including reduced manual effort faster remediation and fewer auditdriven escalations

Required Qualifications

• 6 years of experience across Cyber Governance Risk and Controls (GRC) withdemonstratedownership ofcomplexcross functionalprograms or productsthat deliver measurable compliance and risk outcomes.

• Proven experiencedefining scaling and evolving governance automation or compliance platforms including ownership of outcomes such as control validation evidence quality and audit readiness.

• Strong technical fluency with cloud platforms integrations and automation concepts with the ability topartner effectively with engineering teamsto define requirements and evaluate implementation approaches (without direct system development responsibility).

• Deep understanding of major security and compliance frameworks (e.g. NIST CSF NYDFS 500 PCI DSS SOC ISO 27001) and the ability totranslate regulatory expectations into scalable governance capabilities.

• Demonstrated ability tolead and align complex initiativesacross GRC engineering risk and audit stakeholders with accountability for outcomes adoption and longterm sustainability.

Technical Skills

• Strong technical fluency across modern engineering concepts with the ability topartner effectively with engineering teamson the design and delivery of scalable governance automation capabilities.

• Experience owning and scalingofftheshelfautomated governance and compliance platforms(e.g.Drata Vantaor similar) including defining control mappings evidence models automation coverage targets and integration strategy.

• Working knowledge of APIs authentication mechanisms (e.g. OAuth SAML) and common data formats (e.g. JSON XML) sufficient todefine requirements evaluate approaches and assess integration feasibility.

• Familiarity with cloud platforms (AWS Azure and/or GCP) and an understanding of how security controls areimplementedvalidated andevidencedwithin cloud environments.

• Exposure to containerscloudnativeservices and CI/CD environments to support informeddecisionmakingand collaboration (nice to have).

• Experience applying or governing AIassisted capabilities within security cyber governance or risk platforms with an understanding of model limitations data quality considerations and audit implications

What Success Looks Like

• Cyber governance controls and evidence arecontinuouslymonitored validated andauditready with minimal reliance on manual orpointintimeprocesses.

• Engineers and control owners experiencereduced audit friction clear expectations and repeatable governance workflows embedded into standard operating practices.

• Leadership hasclear reliable visibilityintocontrolhealth risk posture and remediation progress through consistent trusted metrics.

• Governance automation capabilitiesscale with the businessand adapt quickly to changing regulatory requirements risk priorities and technology evolution.