Staff GRC Engineer-PCI/HIPAA-Austin or San Antonio, TX
Job Description
H-E-B is a leading innovator in technology, and recently we've been investing in our customers' digital experience. Our Digital Technology Partners collaborate to design, construct, implement, and support technology solutions, using the best available technologies to deliver modern engagement, reliability, and scalability to meet customer needs.
As a Staff Governance, Risk, & Compliance (GRC) Engineer, you'll assess and document H-E-B information asset compliance and risk posture. You'll also coach and mentor.
Once you're eligible, you'll become an Owner in the company, so we're looking for commitment, hard work, and focus on quality and Customer service. 'Partner-owned' means our most important resources--People--drive the innovation, growth, and success that make H-E-B The Greatest Omnichannel Retailing Company.
Do you have
HEART FOR PEOPLE... strong interpersonal skills?
HEAD FOR BUSINESS... ability to stay current on technology trends?
PASSION FOR RESULTS... drive to develop / implement risk management?
We are looking for:
- 7+ years of related experience in Information Security, IT Risk Management, or IT Compliance/GRC in a senior, lead, or principal engineer role.
- Extensive experience in securing and auditing IT systems, adhering to industry frameworks and regulations (e.g., NIST 800-53, PCI DSS, HIPAA/HITECH)
- Experience in programming languages such as Java or Python
- Familiarity with GRC and IRM platforms like ServiceNow GRC, Drata, or TrustCloud.
- One or more professional security certifications (e.g., CISSP, CISA, CISM, CRISC)
What is the work?
Analytics / Information Technology / Auditing:
- Contributes to development / continuous improvement of H-E-B security program goals and objectives.
- Leads development / implementation of system-wide risk management function to ensure information security risks are identified / monitored.
- Serves as SME and advisor to help manage risk at an acceptable level.
- Collaborates to define information security policies, standards, and procedures, and to ensure controls are adequate, appropriate, and effective.
- Establishes / maintains control objectives and procedures; maintains a risk register to identify / evaluate / prioritize / monitor risk findings to be reported to executive committee.
- Performs internal risk assessments; validates effectiveness of security controls; recommends appropriate actions to mitigate risks; assesses / evaluates / makes recommendations related to adequacy of security controls.
- Supports vendor due-diligence process; helps define overall third-party risk management efforts.
- Supports internal and external audit processes for related compliance requirements.
- Supports vulnerability management efforts (e.g., remediation tracking, status reporting, enhancements)
- Liaises with external auditors on regulatory assessments.
- Stays current on developing regulatory concerns and changing IT and InfoSec trends.
- Ensures robust reporting processes related to security topics.
- Coaches / mentors team Partners
What is your background?
- A related degree or comparable formal training, certification, or work experience. Complex retail, merchant, and healthcare environments experience ideal.
- 7+ years of experience in Information Security, IT Risk Management, or IT Compliance/GRC in a senior, lead, or principal role.
- Experience working with hybrid cloud infrastructures. Ability to interpret and translate technical security controls across public, private cloud and on-prem environments.
- Experience with secure network protocols and communications encryption between networked hosts.
- Experience supporting internal and external audits, including driving continuous compliance and remediation efforts.
- Strong understanding and experience in policy development, designing information security controls and managing risk registers, control libraries and compliance metrics.
- Extensive experience in securing and auditing IT systems, adhering to industry frameworks and regulations (e.g., NIST 800-53, PCI DSS, HIPAA/HITECH)
- Familiarity with GRC and IRM platforms like ServiceNow GRC, Drata, or TrustCloud.
- Experience integrating automated evidence collection and ticketing (e.g., Jira, Confluence, Splunk, Wiz) and creating testing to ensure adherence to regulatory and compliance requirements.
- One or more professional security certifications (e.g., CISSP, CISA, CISM, CRISC)
Do you have what it takes to be an H-E-B Staff GRC Engineer?
- Advanced working knowledge of security issues for desktop, virtual, cloud services, and network infrastructures; of risk management methodologies, frameworks, principles (e.g., NIST, ISO 27001, ITIL, PCI, CCPA, SOC 2, SOX, etc.), and IT GRC / IRM platforms
- Advanced interpersonal and relationship-building skills
- Advanced communication and presentation skills
- Advanced problem-solving skills
- Strong time management and prioritization skills; detail-oriented
- Ability to quickly connect business requirements with GRC functional capabilities.
- Ability to professionally handle confidential information.
- Ability to meet deadlines and prioritize appropriately on concurrent projects.
- Ability to analyze for potential future issues.
- Ability to stay current on technology trends and quickly learn new technologies.
- Ability to communicate and collaborate at all levels.
JDSECURITY
DEV3232
Company Information
Location: Bedford, TX
Type: Not specified