Security Analyst, Governance, Risk, and Compliance (GRC) (Remote Optional)
The Petal mission
Petal’s mission is to bring financial opportunity and innovation to everyone.
We're pioneering a new approach to credit by analyzing an applicant’s banking history, in addition to credit history, to determine their creditworthiness. We call this technology a Cash Score — and it takes into account income, spending, and savings. It’s currently helping thousands of people qualify for credit at better rates, even if they’ve never had it before.
We bring the same ingenuity to our credit card products. Our simple and intuitive app gives members access to credit score tracking, budgeting tools, subscription management, and automated payment options—everything they need to make financial progress.
Now more than ever, Americans need help improving their credit safely, responsibly, and affordably. If this sounds like something you’d like to be a part of, apply now, and let’s change this trillion-dollar industry together.
At Petal, we're looking for people with kindness, positivity, and integrity. You're encouraged to apply even if your experience doesn't precisely match the job description. Your skills and potential will stand out—and set you apart—especially if your career has taken some extraordinary twists and turns. At Petal, we welcome diverse perspectives from people who think rigorously and aren't afraid to challenge assumptions.
The Infrastructure & Security Engineering Team
The Infrastructure & Security Engineering team manages security, product infrastructure, and IT support for Petal. So far, we have focused on growing the IT support and product infrastructure areas. Now we are expanding the security function, and there is tremendous opportunity to grow in an environment with a modern tech stack (no Outlook Web Access!).
The Security Analyst, Governance, Risk, and Compliance (GRC) role
The Security Analyst, GRC will coordinate and execute a growing slate of activities related to information security risk management practices at Petal, including policy/document management, third-party security reviews, internal assessments, and certification activities such as SOC 2 and PCI.
Key responsibilities:
- Steer Petal security activities toward a transparent and people-centric program that is directly connected to business value.
- Coordinate periodic security assessment and audit activities, particularly those required by business partners or compliance frameworks/regulations.
- Develop and maintain security policies and related documentation.
- Report on Petal’s developing maturity across security domains.
- Identify and measure meaningful metrics that help to clarify how we can improve our security practices.
- Collaborate closely and maintain alignment with key stakeholders including Security Operations, Information Technology, Legal, and Compliance.
Characteristics of a successful candidate:
- Outstanding communication skills, verbal, written, and visual. We believe creating excellent documentation, building relationships, and maintaining alignment with others will help us deliver results.
- Rigorous execution, reporting, and tracking for follow-through. We need to build trust among our stakeholders that we will be reliable in delivering our security objectives and monitoring for quality. This includes leveraging collaborative tooling for tracking (e.g., issue trackers, project management software, documentation platforms, etc.).
- Analytical mindset. More important than any specific security framework or tool is a methodical mindset for exploring risks, learning new concepts, and finding creative solutions.
- Excitement and curiosity in security challenges faced by FinTechs. Introductory understanding of security in business environments and motivation for growth in the security field are important.
Nice-to-haves:
- Experience with security compliance frameworks (e.g., SOC 2, PCI-DSS, NIST CSF), expertise across security domains, or background in FinTechs is a plus.
- Working knowledge of cloud services, including major infrastructure/platform-as-a-service providers (e.g., AWS), and related security considerations (e.g., authentication, third-party risk management, etc.).