Security Compliance Manager

Title: Security Compliance Manager Location: Austin, TX / Dallas, TX / San Francisco Bay Area, CA / Bedminster, NJ (hybrid) Reports To: Sr. Manager, Cybersecurity About Hippo Hippo exists to protect the joy of homeownership. We believe that insurance should protect the things you treasure through an intuitive, modern experience. We provide tailored insurance coverage and preventative maintenance plans that keep you protected throughout your homeowner journey. We’ll also help you find coverage for everything life brings—from auto to flood—reimagining how you care for your home.

About the Role

The Security Compliance Manager owns and evolves Hippo’s governance, risk, and compliance (GRC) program, ensuring the company maintains strong, defensible security controls and meets regulatory and audit requirements. This role leads the design, execution, and maturity of IT general controls (ITGC), SOX compliance, SOC 2 readiness and audits, and alignment with industry frameworks such as ISO 27001 and NIST. Partnering closely with Security Engineering, IT, Finance, Legal, and Internal and External Audit, the Security Compliance Manager delivers rigorous risk assessments, effective control testing, and clear assurance reporting. The role plays a critical part in ensuring regulatory compliance, including NYCRR 500, while continuously improving compliance efficiency through standardization and automation. About You You are a seasoned security compliance and risk professional with a strong command of audit, controls, and regulatory frameworks. You are comfortable owning complex compliance programs end-to-end and translating regulatory requirements into practical, scalable controls. You thrive in cross-functional environments, communicate clearly with both technical and non-technical stakeholders, and bring a structured, detail-oriented approach to risk management. You balance rigor with pragmatism, helping the organization meet compliance obligations while enabling the business to move efficiently and confidently. What You'll Do:

• Own and mature the end-to-end GRC program, including ITGC, SOX, SOC 2, ISO 27001 alignment, and NYCRR 500 compliance.
• Design, execute, and test IT general controls across access management, change management, operations, backup and disaster recovery, and vendor/SaaS environments.
• Lead SOX activities including scoping, walkthroughs, design and operating effectiveness testing, deficiency evaluation, and remediation tracking.
• Manage SOC 2 readiness and annual Type 1 and Type 2 audits, including control mapping, evidence collection, and exception management.
• Align security policies, standards, and procedures with ISO 27001 Annex A, NIST CSF, COBIT, and CIS Controls, ensuring regulatory applicability.
• Conduct enterprise and IT risk assessments, document risk treatment plans, and track remediation through closure.
• Establish continuous control testing and assurance practices, including testing scripts, sampling methodologies, and evidence standards.
• Develop and report on key risk and performance indicators (KRIs/KPIs) such as control pass rates, audit findings, evidence SLAs, and vendor risk trends.
• Serve as the primary point of contact for Internal Audit and external auditors, producing executive- and board-ready compliance reporting.
• Lead third-party and vendor risk assessments, including SIG/CAIQ reviews, contract control requirements, and ongoing monitoring.
• Map and validate cloud controls (AWS, Azure, GCP) against SOX, SOC 2, ISO 27001, and NYCRR 500 expectations.
• Maintain security policies, control catalogs, control narratives, and RACI documentation.
• Drive security awareness, control owner training, and process maturity, including identifying opportunities for automation and continuous monitoring. Must Haves:
• 6+ years of experience in security compliance, IT audit, or IT risk management.
• Hands-on ownership of ITGC, SOX, SOC 2, and policy frameworks such as ISO 27001.
• Strong expertise in risk assessments, control testing, assurance practices, and audit methodologies.
• Practical knowledge of enterprise and cloud control domains, including IAM, SDLC/change management, vulnerability management, logging and monitoring, incident response, and BC/DR.
• Experience interpreting and applying regulatory requirements such as NYCRR 500 or similar industry regulations.
• Proven ability to lead cross-functional initiatives with Security, IT, Finance, Legal, and Audit teams.
• Excellent written and verbal communication skills, with experience delivering executive-level reporting. Nice to Have:
• Security or audit certifications (CISA, CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CIA, CPA).
• Experience with GRC and compliance tooling (e.g., OneTrust, Drata, Vanta, Secureframe, Jira, Confluence).
• Financial services or insurance industry experience, including GLBA, NAIC, and customer security questionnaires (SIG, CAIQ). Benefits and Perks: Hippo treats its team members

Apply tot his job Apply To this Job