ForgeApply
Try it free

ForgeApply · Job listing

Security & Trust Lead (USA Only - 100% Remote)

Close

Remote · US

Apply in about a minute — without sacrificing quality.

ForgeApply autofills this application and tailors your resume to this exact posting. You review everything before it's sent. Free trial, no card required.

About this role

ABOUT US

Since 2013, we’ve been building a CRM that gets out of your way and helps your team sell more, faster. Now we’re building AI into every part of it, so Close does the busywork and your team does the selling. No manual data entry, no 10-click workflows. Just communication-first, AI-powered sales software designed to help you succeed and scale.

We're bootstrapped and profitable, which means we answer to our customers and play by our own rules. We're proud of our 120-person, 100% remote team, focused on building Close so that no small, scaling business fails because it can't figure out sales.

ABOUT THE ROLE

We have 11k+ customers, which means we have a lot of data in our care. Earning and keeping their trust — rigorous security and privacy practices, plus the compliance and audit work that verifies it to customers — has so far been spread across engineering leadership, our founders, and our ops team. It's high time this had a real owner.

You'll be the first person at Close whose full-time job is protecting our customers' data and our company: GRC (security governance, risk, and compliance), internal security (identity, devices, access, vendors), incidents, and the customer-facing resources that prove we do this well. Your mandate is to build this like an engineer — automate the evidence, codify the processes, use AI aggressively. We recommend giving grc.engineering http://grc.engineering a read; this is the mentality we're hiring for.

YOU ARE

- A hands-on operator, with 5+ years of building Security & Trust programs. You've personally run security and compliance programs, ideally at a 50–300 person company. You’ve been the one configuring SSO, running access reviews, answering the SOC 2 auditor's questions.

- Technical enough to know how our systems work. You can reason about SSO/IAM configuration details, trace how customer data flows through third-party tools, and dig through logs (e.g., in Loki) to run down an incident yourself.

- Automation and efficiency minded. You'll happily grind through manual work when it's needed - screenshotting evidence, searching logs - but you refuse to still be doing it by hand a year later, so you automate it away with scripts, APIs, and AI.

- AI-positive. You see AI as something to help us adopt faster, not just a risk to manage. Your instinct is to find the safe path to yes and you can tell the difference between exposure and vibes.

YOU WILL

- Run our GRC program — then automate it. Vanta day to day (controls, policies, alerts, evidence, vendor reviews), leading our SOC 2 Type 2 audits, annual risk assessments, and evaluating additional frameworks (ISO 27001, HIPAA). Wherever a recurring check, evidence pull, or list (like our GDPR subprocessors) can come from code or an API instead of by hand, make it so.

- Own how customer data moves through our stack. Audit what flows to third-party tools (and stop what shouldn't), and build a real process for deletion requests across our analytics stack.

- Be the security gate for new tools and vendors. Confirm SOC 2 status, get the DPA signed, add them in Vanta, update the subprocessor list — with a process that lets the team adopt new tools (AI especially) quickly and safely. Procurement and spend stay with finance/ops; the security and privacy review is yours.

- Make Close best-in-class at communicating trustworthiness. Own trust.close.com http://trust.close.com and our security/privacy/GDPR pages, and turn them into the place where customers' security questions can answer themselves.

- Coordinate product security audits. Run pen tests and audits of our product jointly with Engineering — vendor selection, scoping, and the artifacts we need for customers and partners (e.g., Google OAuth restricted scopes). Engineering fixes what's found; you make sure the audits happen and produce what we need.

- Investigate and clean up security incidents. When something looks off, you're the one who digs in to run it down and contain it — work that currently falls to Engineering by default.

- Own our identity and device security. SSO/IAM strategy and configuration, MDM across the fleet, the security side of onboarding/offboarding, and regular access reviews so no one keeps a key they shouldn't. You make the call on where we require SSO and what we'll pay for it.

- Run our employee security program. Training people actually remember, phishing simulations to keep us honest, and ongoing monitoring (e.g., 1Password Watchtower) with follow-through.

WHAT THIS ROLE IS NOT

- Product or application security engineering. You'll coordinate audits of our product and drive incident investigations, but you won't ship code to our product, own its architecture, or be responsible for implementing fixes — that belongs to our engineering org.

- Infrastructure. Our AWS and production infrastructure belong to our DevOps/SRE team. Where your work touches production, you drive the investigation; engineering implements what needs production access.

- Legal. Privacy policy, DPAs, and legal interpretation of GDPR/CCPA will sit with our legal function. You own the operational side and partner closely with them.

- Only IT support. You'll help with the occasional IT request — it comes with owning devices, identity, and tooling — but it's a small slice of the job, and you'll automate the routine parts. If helpdesk work is the whole of your background, this isn't the fit.

BENEFITS

- Compensation: Competitive pay plus an organization-wide goal-based bonus

- Paid Time Off: ~5 weeks of PTO to start. Plus a 1-week all-company Winter Holiday Break and paid US holidays. You'll earn 2 extra days for every year you're with Close.

- 80% Work Option: Work with your manager to choose between a standard 5-day week or a 4-day week at 80% pay

- Parental Leave: Paid leave for primary and secondary caregivers

- Sabbatical: A 1-month paid sabbatical every 5 years with the team

- Healthcare (US residents): Two

Ready to apply to Close?

Apply in about a minute

Similar jobs

More like this: More jobs at Close · Browse all jobs