
Staff Security Strategist GRC

Security Engineer, Engineering
San Francisco, California | Sunnyvale, California
Full Time

About the Team

Uber's Engineering Security team works to ensure the security of information for our full set of users - riders, eaters, drivers and partners. Our ultimate goal is to ensure that every experience with Uber is simple, secure, and safe. We are seeking a talented Senior Security Strategist, GRC to join our Tech Risk and Assurance team within Engineering Security.

About the Role

The Senior Security Strategist, GRC partners with engineering, security, and cross-functional risk stakeholders to strengthen Uber's cybersecurity posture through scalable cyber risk management, risk governance, and control design programs. This role is responsible for driving and implementing security, compliance, and risk management programs on the ServiceNow eGRC platform at Uber, working with the engineering team to develop and enable technical solutions that satisfy a variety of risk and compliance processes.

This role operates at the intersection of technical security, process design, and risk governance. The successful candidate will translate control gaps, threat and business context, and compliance requirements into practical risk treatment plans that engineering teams can execute, while driving consistent risk analysis, decision-making, and follow-through. The role must be able to deliver work products required by Agile development methodologies for software development delivery as defined.

What you will do

  • Own cyber risk intake, triage, and prioritization, ensuring clear accountability, well-formed risk statements, and timely treatment decisions.
  • Develop product strategy and lead project execution for multiple major components of Uber's Risk and Compliance technology solutions.
  • Manage different solutions on Uber's internal eGRC platform (ServiceNow) and collaborate with stakeholders to implement their program improvements.
  • Partner with engineering teams to define risk treatment plans, identify sustainable fixes, and drive mitigation or remediation to the last mile rather than stopping at documentation.
  • Gather business and functional requirements from partner teams and deliver a product/release that meets the needs presented. Develop technical specifications documentation.
  • Lead or materially contribute to control design reviews, risk assessments, and risk decisions that require judgment, stakeholder alignment, and tradeoff management.
  • Drive and evangelize vision for overall GRC strategy across engineering and security organizations.
  • Analyze and fully understand user stories and internal procedures in order to improve system capabilities, automate process workflows, and address scheduling limitations throughout the development and delivery of the eGRC platform.
  • Work with developers to implement customer requirements, including workflows, UI actions, client scripts, business rules, etc.
  • Load, manipulate, and maintain data between the eGRC platform and other systems as needed.
  • Build and maintain risk reporting for leaders and partner teams, including KRIs, exposure trends, risk acceptance aging, decision status, and escalation triggers.
  • Design and develop dashboards, home pages, performance analytics data collectors, and reports as needed to support program requirements.
  • Improve the efficiency of risk workflows through automation, better tooling, clearer operating models, and reusable knowledge assets.
  • Perform system and integration testing with sample and live data.
  • Review product performance and provide a continuous improvement path through leveraging industry standard tools and capabilities as well as building new ones.
  • Serve as a bridge between cybersecurity, engineering, audit, privacy, and compliance stakeholders so that security risk becomes practical engineering action.
  • Mentor analysts and junior security partners on risk analysis, risk statement quality, treatment planning, stakeholder communication, and operational rigor.

Basic Qualifications:

  • Bachelor's or Master's degree in Computer Science, Computer Engineering, Information Systems, Cybersecurity, Risk Management, or related field, or equivalent practical experience.
  • 10+ years of experience in security, cyber risk, GRC, assurance, security operations, or related technical risk roles.
  • Security certifications, e.g., CISA, CISSP, CISM, or other relevant certifications.
  • Demonstrated success managing security risk programs, treatment decisions, and cross-functional execution end to end.
  • Strong understanding of security controls, risk treatment, and how to work with engineering on implementation details.
  • Experience operating across multiple stakeholders, handling ambiguity, and driving accountability.
  • Ability to effectively and autonomously accomplish outcomes across cross-functional teams in ambiguous situations with minimal supervision.
  • Excellent written and verbal communication skills, including the ability to present risk, status, and decision points to leadership and technical audiences.

Preferred Qualifications:

  • CRISC, ISO 27001 Lead Auditor, or comparable additional certifications.
  • Hands-on experience with ServiceNow eGRC platform, including configuration, workflow development, and integration.
  • Experience with other GRC/ERM tooling such as AuditBoard, Archer, OpenPages, or SAP GRC.
  • Big 4 accounting firm and/or internet/technology industry experience.
  • Process management experience, including process redesign and optimization.
  • Proven track record in driving security risk treatment to closure across multiple engineering teams.
  • Ability to leverage AI, data analytics, and workflow automation to improve risk program performance and reporting.
  • Experience with risk quantification methodologies and risk lifecycle tooling.
  • Strong knowledge of control frameworks and standards such as NIST CSF, NIST 800-53, ISO 27001, NIST RMF, SOC 2, and CIS.
  • Proficiency in Python, SQL, dashboards, or similar tools for data analysis and reporting.
  • Ability to thrive in environments of uncertainty.

For San Francisco, CA-based roles: The base salary range for this role is USD$211,000 per year - USD$234,000 per year.

For Sunnyvale, CA-based roles: The base salary range for this role is USD$211,000 per year - USD$234,000 per year.

For all US locations, you will be eligible to participate in Uber's bonus program, and may be offered an equity award & other types of comp. All full-time employees are eligible to participate in a 401(k) plan. You will also be eligible for various benefits. More details can be found at the following link https://jobs.uber.com/en/benefits.

Uber's mission is to reimagine the way the world moves for the better. Here, bold ideas create real-world impact, challenges drive growth, and speed fuels progress. What moves us, moves the world - let's move it forward, together.

Uber is proud to be an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to sex, gender identity, sexual orientation, race, color, religion, national origin, disability, protected Veteran status, age, or any other characteristic protected by law. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you have a disability or special need that requires accommodation, please let us know by completing this form.

Offices continue to be central to collaboration and Uber's cultural identity. Unless formally approved to work fully remotely, Uber expects employees to spend at least half of their work time in their assigned office. For certain roles, such as those based at green-light hubs, employees are expected to be in-office for 100% of their time. Please speak with your recruiter to better understand in-office expectations for this role.


See our Candidate Privacy Statement

Uber is proud to be an equal opportunity workplace. We are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity, Veteran Status, or any other characteristic protected by law.
