Sr. Governance, Risk and Compliance Analyst
OpenGov
Location: India | Pune
Employment Type: Full time
Location Type: On-site
Department: Information Technology & Security
OpenGov is the leader in AI and ERP solutions for local and state governments in the U.S. More than 2,000 cities, counties, state agencies, school districts, and special districts rely on the OpenGov Public Service Platform to operate efficiently, adapt to change, and strengthen the public trust. Category-leading products include enterprise asset management, procurement and contract management, accounting and budgeting, billing and revenue management, permitting and licensing, and transparency and open data. These solutions come together in the OpenGov ERP, allowing public sector organizations to focus on priorities and deliver maximum ROI with every dollar and decision in sync. Learn about OpenGov’s mission to power more effective and accountable government and the vision of high-performance government for every community at OpenGov.com.
Job Summary:
Own and mature OpenGov’s core GRC programs across audit/compliance, risk, vendor security, and security awareness. Lead end-to-end SOC 2 audit cycles, drive multi-framework control mapping (SOC 2, NIST 800-53/CSF, ISO 27001; StateRAMP/TX-RAMP/FedRAMP exposure strongly preferred), and partner with Security Operations, IT, Engineering, Legal, and Customer teams to reduce risk and maintain certifications. Mentor junior analysts and raise the bar on control quality, evidence automation, and measurable outcomes.
Responsibilities:
Lead planning, scoping, walkthroughs, sampling, and issue closure for SOC 2; coordinate external auditors and internal control owners; drive on-time, predictable delivery.
Design/upgrade controls for SaaS/cloud environments; define test plans, perform operating effectiveness tests, and implement continuous control monitoring; close gaps with accountable owners.
Multi-Framework Mapping: Maintain crosswalks (SOC 2 ↔ NIST 800-53/CSF ↔ ISO 27001; align where applicable with GovRAMP/TX-RAMP/FedRAMP).
Run risk assessments (inherent/residual scoring, KRIs), keep the risk register current, and drive mitigation plans with deadlines and measurable impact.
Own third-party risk, including: vendor tiering, questionnaires/attestations, evidence reviews, findings tracking, and contractual security addenda in partnership with Legal & Procurement.
Enable customer trust by authoring authoritative, reusable security responses; support customer calls and security reviews for strategic deals and renewals.
Shape the regular security awareness plan, metrics, and content (including phishing simulations and targeted training with SecOps/IT); measure and improve behavior change, not just completion rates.
Own the GRC platform tooling and evidence workflows; integrate with ticketing and documentation systems (e.g., Jira/Confluence) to reduce manual effort and improve traceability.
Ensure incidents and vuln findings translate into tracked corrective actions with evidence (post-incident reviews, pen-test/scan follow-through).
Publish clear metrics and reporting, including KPIs/KRIs (control health, audit readiness, vendor status, risk posture) for leadership; call issues early and escalate when needed.
Coach junior analysts; tighten templates, SOPs, and documentation so the program scales.
Requirements and Preferred Experience:
Experience: 5–8+ years in GRC, IT audit, or security compliance with hands-on SOC 2 Type II ownership; ISO 27001 audit/implementation experience preferred; public-sector programs (StateRAMP/TX-RAMP/FedRAMP) highly valued.
Strong grasp of identity/SSO/MFA, endpoint/EDR, logging/SIEM, vulnerability mgmt, CI/CD & SDLC controls, network and data protection; able to translate tech stacks into defensible controls and evidence.
Proven ability to run multi-team programs to deadlines, manage auditors and exec stakeholders, and close gaps decisively.
Demonstrated ownership of end-to-end third-party risk workflows (tiering, due diligence, findings/SLAs, contract language inputs).
Comfortable representing Security with customers and auditors; crisp written responses and executive-level summaries.
Proficiency with GRC/evidence platforms and ticketing/documentation systems (e.g., GRC suites, Jira/Confluence).
Certifications (Preferred): One or more of CISA, CISM, CISSP, ISO 27001 Lead Auditor/Implementer, CGRC/CRISC, CCSP.
Bachelor’s in Information Systems, Information Security, IT, CS, or related; equivalent practical experience considered.
Able to collaborate across time zones; occasional travel for audits/team meetings.
Why OpenGov?
A Mission That Matters.
At OpenGov, public service is personal. We are passionate about our mission to power more effective and accountable government. Government that operates efficiently, adapts to change, and strengthens public trust. Some people say this is boring. We think it’s the core of our democracy.
Opportunity to Innovate
The next great wave of innovation is unfolding with AI, and it will impact everything—from the way we work to the way governments interact with their residents. Join a trusted team with the passion, technology, and expertise to drive innovation and bring AI to local government. We’ve touched 2,000 communities so far, and we’re just getting started.
A Team of Passionate, Driven People
This isn’t your typical 9-to-5 job; we operate in a fast-paced, results-driven environment where impact matters more than simply clocking in and out. Our global team of 800+ employees is united in our commitment to challenge the status quo. OpenGov is headquartered in San Francisco and has offices in Atlanta, Boston, Buenos Aires, Chicago, Dubuque, Plano, and Pune.
A Place to Make Your Mark
We pride ourselves on our performance-based culture, where every employee is encouraged to jump in head-first and take action to help us improve. If you have a great idea, we want to hear it. Excellent performance is recognized and rewarded, and we love to promote from within.