Posted 3 hours ago
Staff Trust & Assurance Engineer
at Kikoff
San Francisco, United States (On-site)
Responsibilities
- Own Kikoff's SOC 2 Type II program end-to-end, including scoping, control design, evidence collection, walkthroughs, and external auditor management.
- Maintain Kikoff's PCI DSS self-attestation, including annual SAQ completion, scope analysis to ensure cardholder data remains with our payment processors, payment-vendor oversight, and monitoring product and engineering changes that could expand scope.
- Own the customer and vendor security questionnaire pipeline, including reusable evidence libraries and a self-serve trust portal.
- Design and operate the internal cybersecurity control testing and continuous monitoring program in partnership with Security Engineering.
- Build policy-as-code, compliance-as-code, and AI-driven evidence automation that scales with the engineering organization.
Requirements
- We value extreme ownership, clear communication, a strong sense of craftsmanship, and the desire to create lasting work and work relationships.
- The function is engineering-led, with a strong emphasis on automation, code-backed control operations, and AI-assisted evidence workflows.
- experience in security compliance, GRC, or technical audit, with a primary focus on cloud-native environments.
- experience with PCI DSS, including SAQ environments and tokenization-driven scope reduction.
- Able to read and modify code, infrastructure-as-code, and IAM policies. Comfortable working in Git-based engineering workflows and shipping changes through CI/CD.
- Understanding of cloud infrastructure and modern AI-native technologies.
- Demonstrated experience managing external auditors and translating control
- experience as a control owner supporting SOX IT general controls audits in a pre-IPO or newly public company.
- Experience building or operating AI- or LLM-driven GRC automation, including custom agents, MCP servers, or evidence-collection pipelines.
- Background in IPO readiness or newly public company environments.
- Familiarity with ISO 27001, ISO 42001, FedRAMP, CMMC 2.x, or NIST 800-53.