Director of Governance, Risk & Compliance (GRC)Location: Remote Role Overview
The Director of Governance, Risk & Compliance (GRC) is responsible for formalizing and scaling the GRC function as both a client-facing, revenue-generating service line and the foundation for internal compliance maturity. This role transforms previously informal compliance activities into a structured, repeatable practice. It serves as a bridge between commercial growth and operational credibility by both delivering GRC services to clients and leading internal SOC 2 readiness efforts.
Operational Mission: Build the GRC practice from the ground up — create the services, deliver for top clients, enable the broader team with playbooks, and achieve SOC 2 readiness.
Key Responsibilities
Client-Facing GRC Services Development & Delivery
- Design, build, and formalize the GRC services offering to support major frameworks (CIS Controls, NIST CSF, SOC 2, CMMC, HIPAA, PCI-DSS)
- Deliver GRC assessments, gap analyses, and remediation roadmaps for top-tier and complex clients
- Develop methodologies, templates, scoring tools, and playbooks for broader team execution
- Own the policy and compliance dimension of client framework assessments
- Create client deliverables such as:
- Compliance readiness reports
- Risk registers
- Policy gap matrices
- Remediation roadmaps
- Support sales in scoping and pricing GRC engagements
Internal GRC Maturity & SOC 2 Readiness
- Lead SOC 2 readiness program targeting audit readiness by Q1 2027 (minimum three trust service criteria)
- Conduct internal gap assessments and develop remediation plans
- Draft, implement, and maintain internal policies and procedures
- Establish evidence collection and control monitoring processes
- Coordinate with external auditors and consultants
- Position internal compliance maturity as a differentiator in sales efforts
Strategic Business Review (SBR) & Client Roadmap Support
- Contribute governance, risk, and compliance insights to client SBRs
- Translate compliance requirements into actionable policies and procedures for clients
- Track client compliance posture and risk remediation progress
- Support CIS Essentials mapping within SBRs
Practice Development & Scalability
- Build a scalable GRC practice with standardized deliverables and processes
- Develop training materials for Solutions Architects
- Track and report on service line performance (revenue, engagement volume, client outcomes)
- Identify opportunities to productize GRC services into repeatable packages
Leadership Expectations
- Operate as a builder, establishing a new function from the ground up
- Balance internal compliance initiatives with client-facing revenue generation
- Communicate progress, risks, and resource needs to leadership
- Stay current on evolving compliance requirements and translate them into practical guidance
- Design scalable processes, templates, and deliverables
Core Outcomes
GRC Service Line
- Formalized, repeatable service catalog generating revenue
- Defined pipeline and measurable revenue contribution
- Productized service packages for sales enablement
SOC 2 Readiness
- On track for Q1 2027 audit across 3+ trust service criteria
- Fully implemented internal policy library
- Operational evidence collection and control monitoring processes
Client Impact
- High-quality assessments delivered to top-tier clients
- Adoption of compliance playbooks across broader client portfolio
- Ongoing tracking of client compliance posture
Practice Scalability
- Documented methodologies, templates, and tools
- Trained Solutions Architect team capable of independent delivery
- Practice positioned for future team growth
Performance Metrics (Scorecard)
- GRC Service Revenue: Measurable revenue with growth trajectory
- SOC 2 Readiness: On track for Q1 2027 audit (3+ trust service criteria)
- Client Assessments: Delivered for top-tier clients; playbook adoption across broader portfolio
- Internal Policy Library: Comprehensive, approved, and implemented
- GRC Pipeline: Active pipeline of opportunities with sales team
Qualifications Required
- Minimum 5 years of experience in governance, risk, and compliance
- At least 3 years focused on security frameworks and compliance program development
- Deep knowledge of CIS Controls v8, NIST CSF 2.0, and SOC 2
- Hands-on experience with gap assessments and remediation planning
- Experience contributing to or leading SOC 2 audit preparation
- Ability to translate compliance requirements into business-friendly guidance
- Experience building scalable GRC deliverables and toolkits
- Strong project management skills across multiple initiatives
- Excellent written communication skills
Preferred
- Industry certifications such as CISA, CISM, CRISC, CISSP, CCSK, or CompTIA Security+
- Experience with CMMC 2.0, HIPAA, PCI-DSS, or data privacy regulations
- Background in GRC within an MSP or IT consulting firm
- Familiarity with GRC platforms and compliance automation tools (e.g., Drata, Vanta, ScalePad, AuditBoard)
If you are an experienced GRC professional who thrives in building scalable programs, delivering client impact, and driving compliance maturity, this role offers the opportunity to define and lead a critical function from the ground up.
Why Join LayerCake?
LayerCake, a Blue Alliance company, is a trusted managed services provider (MSP) supporting manufacturing, logistics, and municipal organizations with critical IT operations. Since 2008, we’ve helped clients make smart, high-impact technology investments, backed by consistent, expert support from teams they know and trust. Our pod-based staffing model ensures clients receive reliable service from people who understand their environment. It’s a personalized approach that delivers long-term value and measurable outcomes. We’ve always believed small businesses deserve enterprise-level solutions, and that belief starts with our team. We hire for passion and cultural fit, then invest in growth. As a fully remote company from the start, we’ve built a strong, connected culture where people support each other, stay accountable, and thrive together.
