Location: USA or Canada—Work from home #LI-Remote
About SOVRA
SOVRA is a leading public procurement platform serving over 7,000 government agencies and connecting them with more than 1 million suppliers across North America. SOVRA offers comprehensive, end-to-end solutions tailored for the public sector.
SOVRA's solutions are purpose-built to address the unique challenges of public procurement, ensuring compliance, enhancing efficiency, and promoting transparency. Our commitment to innovation has been recognized with the Achievement of Excellence in Procurement (AEP) Certification from the National Procurement Institute, affirming our platform's adherence to the highest standards in efficiency and vendor accessibility.
By leveraging SOVRA's advanced tools and expansive supplier network, public agencies can optimize every tax dollar spent, drive better procurement outcomes, and deliver exceptional services to their communities.
You can find more info about SOVRA at SOVRA.com
What will your primary responsibilities look like?
In this role, you will be led to:
- Lead audit readiness and annual cycles for SOC 2 Type 2, PCI DSS, and FISMA RMF.
- Plan, run, and close out internal and external audits, including evidence strategy, control walkthroughs, and remediation tracking.
- Operate and continuously improve the customer trust portal, including curating artifacts and meeting SLAs for security questionnaires.
- Run vulnerability management across cloud, endpoints, applications, and containers with measurable risk reduction.
- Develop vulnerability metrics that demonstrate coverage, effectiveness, and remediation time to present to leadership.
- Maintain the control inventory and map controls to frameworks and obligations, including NIST SP 800 53, FedRAMP, GovRAMP, PCI DSS, and FISMA.
- Drive policy and standard lifecycle, including authorship, reviews, approvals, and rollout.
- Risk management, including register hygiene, assessments, and treatment plans.
- Partner with Legal, Privacy, Engineering, IT, and Product to meet regulatory and contractual obligations.
- Coordinate incident response readiness runbooks, tabletop exercises, and post-incident improvements.
- Influence architecture and SDLC to embed security by design and automation-first practices.
- Coordinate security awareness activities for internal users on best practices.
- Manage vendor third-party risk management due diligence, contractual requirements, and monitoring.
- Ensure that identity and access management standards are consistently respected across all systems.
What elements of your professional background will be necessary and useful in this role?
- Minimum 10 years of experience in information security, including hands-on GRC and technical depth.
- Deep knowledge of SOC 2 Type 2, PCI DSS at SAQ or ROC scale, and FISMA RMF programs end-to-end.
- Certifications such as CISSP, CISM, CISA, CRISC, PCI ISA, CCSP.
- Implementer or Lead Auditor, or comparable certifications, are an asset.
- Expert in trust portal development and management.
- Expert in vulnerability management and remediation.
- Required: Authorized to work in the US – unfortunately, we cannot sponsor work visas or transfers at this time.
What are the assets that would make you stand out?
- Excellent interpersonal and communication skills with auditors, customers, executives, and engineers.
- Motivated, proactive, autonomous, well organized with a strong ownership mindset.
- Comfortable operating independently and within large cross-functional teams.
- Deep knowledge of SOC 2, PCI DSS, FISMA RMF, NIST SP 800 53, OWASP, and ISO 27001.
- Knowledge of AWS, including IAM, segmentation, KMS, logging, and container security.
- Technical expertise in the setup and management of vulnerability discovery and remediation triage using platforms such as Tenable, Qualys, Snyk, or equivalent.
- Proficiency with SIEM, EDR, CSPM, ticketing, and workflow automation.
- Deep knowledge in the setup and management of trust portals, customer questionnaires and due diligence.
- Expert with GRC tools such as Drata, Vanta, Tugboat, Secureframe, Conveyor, Whistic, or OneTrust;
- Strong writing skills for policies, standards, customer FAQs, and executive briefings.
- Able to work under pressure while maintaining judgment and attention to detail.
I appreciate your interest in SOVRA. However, only selected candidates will be contacted.
At SOVRA, we are committed to fostering an inclusive and equitable workplace. We are an equal opportunity employer and do not discriminate against any employee or applicant for employment based on race, colour, religion, gender, sexual orientation, gender identity or expression, national origin, age, disability, marital status, veteran status, or any other characteristic protected by applicable laws. We provide a work environment free from discrimination and harassment. In addition, we are committed to ensuring pay equity across our organization and regularly review our compensation practices.
SOVRA, through its wholly owned subsidiary International Data Base Corp., doing business as BidNet, participates in E-Verify. If selected for employment, you will be required to provide your Form I-9 information to confirm that you are authorized to work in the United States.
SOVRA a través de su subsidiaria de propiedad total International Data Base Corp., que opera bajo el nombre comercial BidNet, participa en E-Verify. Si es seleccionado para empleo, se le solicitará proporcionar la información de su Formulario I-9 para confirmar que usted está autorizado para trabajar en los Estados Unidos.
