Information Security Program Manager - Governance, Risk, & Compliance (GRC) at Upstart

**Who this is for** Upstart is seeking an Information Security Program Manager specializing in Governance, Risk, and Compliance (GRC). This role is ideal for an

Work type: remote

Location: United States | Remote

Salary: $115,800 – $160,100/yr

Type: Full-time

Summary

**Who this is for** Upstart is seeking an Information Security Program Manager specializing in Governance, Risk, and Compliance (GRC). This role is ideal for an experienced professional passionate about building scalable approaches to security governance, risk management, and regulatory compliance to protect customer trust. **Key highlights** This fully remote position will involve owning and executing GRC programs, acting as a trusted partner to enable teams to move faster and more securely. You'll be responsible for ensuring audit readiness, managing security due diligence, strengthening security governance through policy management, and reducing third-party risk. **You might be a good fit if you...** - Have 5+ years of experience in information security, GRC, or IT/Information Security audit. - Possess demonstrated experience operating GRC programs, including supporting audits and risk assessments. - Are skilled in policy management, including drafting, maintaining, and reviewing information security policies. - Can effectively manage third-party risk through vendor assessments and risk tracking.

Job Description

About Upstart

At Upstart, we’re united by a mission that matters: to radically reduce the cost and complexity of borrowing for all Americans. Every day, we bring creativity, experimentation, and advanced AI to reshape access to credit, helping millions move forward financially with clarity and confidence.

As the leading AI lending marketplace, we partner with banks and credit unions to expand access to affordable credit through technology that’s both radically intelligent and deeply human. Our platform runs over one million predictions per borrower using more than 1,800 signals, powering smarter, fairer decisions for millions of customers. But the numbers only hint at the impact. Every idea, every voice, and every contribution moves us closer to a world where credit never stands between people and their financial progress.

We’re proudly digital-first, giving most Upstarters the flexibility to do their best work from wherever they thrive, alongside teammates across 80+ cities in the US and Canada. Digital-first doesn’t mean distant. We’re intentional about in-person connection through team onsites, planning sessions, and moments that spark creativity and trust. And whether you choose to work primarily from home or collaborate in-person from one of our offices in Columbus, Austin, the Bay Area, or New York City (opening Summer 2026), you’ll have the support to work in the way that works best for you.

If you’re energized by tackling meaningful problems, excited to innovate with purpose, and motivated by work that truly matters, we’d love to hear from you.

The Team:Upstart’s Information Security Governance, Risk, and Compliance (GRC) team is passionate about building clear, scalable approaches to security governance, risk management, and regulatory compliance. We believe effective security governance should enable innovation, move at the speed of the business, and support informed, risk-based decision-making. Our team’s mission is to protect customer trust and meet regulatory and contractual commitments by defining, assessing, and maintaining strong security controls across our product platforms and enterprise. We achieve this through thoughtful automation, close collaboration with engineering and business partners, and a focus on delivering a low-friction, positive experience for Upstarters.

As an Information Security Program ManagerwithinGRC, you will own and execute defined GRC programs that help protect customer trust, support regulatory requirements, and enable secure business growth. You will work closely with technical, operational, and business partners to assess risk, support compliance initiatives, and help embed security practices into day-to-day operations.

How you’ll make an impact

• Enable teams to move faster and more securely by acting as a trusted GRC partner, translating audit, risk, and compliance requirements into practical guidance.

• Ensure audit readiness and successful outcomes by coordinating core assurance activities, including SOX IT and SOC 2, across engineering, IT, and business teams.

• Protect customer and partner trust by managing security due diligence requests from prospective and existing business partners, delivering clear and timely responses.

• Strengthen security governance by owning policy management, including drafting, maintaining, reviewing, and driving awareness of information security policies and standards.

• Reduce third-party risk by supporting and executing the information security third-party risk management program, including vendor assessments, risk tracking, and remediation follow-up.

• Improve the efficiency and consistency of GRC operations through process improvement and thoughtful use of automation and tooling.

• 5+ years of experience in information security, GRC, or IT/Information Security audit.

• Demonstrated experience operating GRC programs (supporting audits, risk assessments, control testing activities, policy management, 3rd party security risk) in a regulated technology or financial services environment.

• Working knowledge and ability to apply common security and compliance frameworks (SOC 2, NIST CSF 2.0, NIST SSDF, NYDFS, etc.).

• Strong written and verbal communication skills with both technical and non-technical audiences.

• Ability to design metrics, KRIs, and reporting for diverse stakeholders.

• Experience in cloud-native environments (AWS preferred).

• Experience using GRC automation tools.

• Relevant certifications (CISSP, CISA, CRISC, CISM).

• Scripting or light coding skills to automate workflows and system integrations is a plus.

• Familiarity with privacy and data protection requirements (e.g., GDPR, CCPA).

Time zone requirements The team operates on the East Coast/Central/Mountain/West Coast time zones.

Travel requirements As a digital first company, the majority of your work can be accomplished remotely. The majority of our employees can live and work anywhere in the U.S but are expected to still spend high quality time in-person collaborating via regular onsites. The in-person sessions’ cadence varies depending on the team and role; most teams meet once or twice per quarter for 2-4 consecutive days at a time.

#LI-REMOTE

#LI-Associate

At Upstart, your base pay is one part of your total compensation package. The anticipated base salary for this position is expected to be within the below range. Your actual base pay will depend on your geographic location–with our “digital first” philosophy, Upstart uses compensation regions that vary depending on location. Individual pay is also determined by job-related skills, experience, and relevant education or training. Your recruiter can share more about the specific salary range for your preferred location during the hiring process.

In addition, Upstart provides employees with target bonuses, equity compensation, and generous benefits packages (including medical, dental, vision, and 401k).

United States | Remote - Anticipated Base Salary Range
$115,800—$160,100 USD

What you'll love

At Upstart, our benefits are designed to support your health, financial well-being, family, and personal growth. Here’s what you can expect:

• Competitive compensation, including base pay, bonus opportunities, and annual equity grants that vest quarterly

• Generous 401(k) plan with Upstart matching $2 for every $1 contributed, up to $15,000 per year

• Employee Stock Purchase Plan (ESPP) with discounted stock purchase options for eligible employees

• Affordable medical, dental, and vision coverage, with multiple plan options - Upstart covers 90% to 100% of the cost depending on the plans you choose

• Health Savings Account contributions from Upstart for eligible plans

• Income protection benefits, including company-paid Basic Life, AD&D, and Short- and Long-Term Disability coverage, with options to purchase supplemental coverage

• Paid time off, sick and safe time, and company holidays

• Paid family and parental leave to support caregiving and major life moments

• Family-centered benefits through Carrot and Cleo, supporting fertility, parenthood, and caregiving

• Employee Assistance Program (EAP) offering mental health support and life-centered resources

• Financial wellness resources, including access to financial planning tools and a financial concierge service

• Annual wellness allowance to support your physical and emotional well-being and personal development, based on what matters most to you

• Annual productivity allowance to invest in relevant tools and resources you need to do your best work, no matter where you work from

• Connection and community through team events and onsites, all-company updates, and employee resource groups (ERGs)

• Onsite perks, including catered lunches and fully stocked micro-kitchens when working from one of our four offices, located in the Bay Area, Austin, Columbus, and New York City (opening Summer 2026!).

If you require reasonable accommodation in completing an application, interviewing, completing any pre-employment testing, or otherwise participating in the employee selection process, please email[candidate_accommodations@upstart.com](mailto:candidate_accommodations@upstart.com)

[https://www.upstart.com/candidate_privacy_policy](https://www.upstart.com/candidate_privacy_policy)

View this job on nocollar jobs