Lead Technical Governance Analyst

Toast creates technology to help restaurants and local businesses succeed in a digital world, helping business owners operate, increase sales, engage customers, and keep employees happy.

The Lead Technical Governance Analyst is a high-impact, autonomous role responsible for designing and driving the foundational architecture of our world-class GRC program. 

A day in the life (Responsibilities) 

In this role, you will play an integral part in building the frameworks, systems, and transformation programs that enable scale and efficiency across all security and compliance and risk domains. In addition, you will be responsible for supporting the ongoing oversight of certain workforce-related security initiatives and policies, and will collaborate closely with our Security and Business Technology and Transformation teams to ensure the security of Toast’s sensitive data and critical infrastructure. This role requires a proactive and strategic approach to identifying and mitigating risks, as well as a deep understanding of the evolving cybersecurity landscape.

• Drive Security and Technical Governance Risk and Compliance Initiatives:
• GRC Platform Ownership: Serve as the primary admin and product owner for the GRC platform (AuditBoard). You will move beyond administration to design advanced workflows, automation, and metrics that centralize risk and compliance data.
• Common Controls Framework (CCF) Stewardship: Own and evolve the Common Controls Framework. You will map and maintain complex regulations (NIST CSF, SOC 2, PCI DSS, ISO 27001) to a single source of truth, directly driving compliance efficiencies
• Lead Strategic Initiatives: Independently lead complex, cross-functional "zero-to-one" security programs, taking them from concept to operational maturity.
• Customer Trust Optimization: Drive the strategy for our Trust Center, operationalizing our ability to address customer and partner security questionnaires in a more efficient manner,reducing manual efforts and shortening lead times.
• Develop and implement governance policies, controls, and best practices to enhance the security posture across corporate IT and workforce systems. 
• "Compliance by Design" Advisory: Champion the "Shift Left" strategy by co-developing standards that embed GRC checkpoints into the SDLC and Product innovation pipelines, ensuring security is baked in, not bolted on.
• Change Events Governance: Define and standardize the process for assessing GRC impacts during major system changes, ensuring consistent intake and triage across all compliance programs.
• Track and report on security governance KPIs and risk metrics, driving continuous improvement. 

• Collaborate with IT and Security:
• Partner closely with the IT team to ensure corporate systems are managed appropriately and meet security objectives. 
• Work with the Security team to implement monitoring and detection capabilities that support workforce security objectives. 
• Promote Security Culture:
• Foster a strong security culture within the organization through training, awareness programs, and ongoing communication. . 

What you'll need to thrive (Requirements)

Core Program & Technical Experience

• 8+ Years of progressive experience in Information Security GRC, Audit, or Technical Program Management. 
• CCF & Framework Expertise: Hands-on experience designing and operationalizing a Common Controls Framework (CCF) to map and consolidate controls across multiple regulatory frameworks (SOX, PCI DSS, SOC 2, NIST CSF, ISO 27001).
• GRC Platform Mastery: Proven experience serving as an Administrator, Architect, or primary owner of a modern GRC tool (e.g., AuditBoard, ServiceNow GRC, Workiva), including advanced workflow design, configuration, and maintenance.
• Policy Architecture: Expert ability to define, manage, and enforce a clear hierarchy of governance documentation (Policy, Standard, Procedure) and maintain security baselines for corporate IT and workforce tools.
• Progr