GRC Engineer

About the Company:

Ouro is a global, vertically-integrated financial services and technology company dedicated to the delivery of innovative financial empowerment solutions to consumers worldwide. Ouro’s financial products and services span prepaid, debit, cross-border payments, and loyalty solutions for consumers and enterprise partners.
Ouro's flagship product Netspend provides prepaid and debit account solutions that connect customers with secure, convenient access to global payment networks so they can manage their money and make everyday purchases. With a nationwide U.S. retail network, customers can purchase and reload Netspend products at 130,000 reload points and over 100,000 distributing locations.
Since Ouro's founding in 1999 by industry pioneers, Ouro products have processed billions of dollars in transaction volume and served millions of customers worldwide. The company is headquartered in Austin, Texas with employees worldwide.

Job Description: We are looking for a highly technical Governance, Risk, and Compliance (GRC) Engineer to strengthen our GRC function. This individual contributor role bridges traditional GRC responsibilities with hands-on technical expertise, ensuring that risk assessments, architecture reviews, and control validations are grounded in real-world engineering practices.

The ideal candidate has significant experience in cloud and application architectures, strong knowledge of security controls and frameworks, and the ability to translate business requirements into actionable risk mitigation strategies. This role partners closely with Product Engineering, Cloud/Infrastructure, Security Engineering, and Audit/Compliance teams.

Key Responsibilities

Risk Assessments & Control Validation

• Lead technical risk assessments across applications, cloud services, third-party integrations, and internal systems.

• Assess control effectiveness against frameworks such as NIST CSF, ISO 27001, SOC 2, PCI-DSS, and internal policies.

• Develop and maintain detailed risk registers and mitigation plans.

• Validate logging coverage, access controls, encryption configurations, and identity/security controls across cloud and infrastructure environments.

Policy, Standards & Compliance Engineering

• Contribute to the development and maintenance of security policies, technical standards, and architecture principles.

• Translate compliance requirements into technical control specifications.

• Support engineering teams in interpreting and implementing controls correctly.

• Collaborate with internal audit and external auditors to provide evidence and narrative explanations for control effectiveness.

Security Program Enablement

• Serve as a technical advisor to product and infrastructure teams during design, build, and release cycles.

• Improve risk assessment methodologies and tooling, including automation where possible.

• Provide GRC insights into threat modeling, vendor security reviews, and third-party due diligence.

• Support continuous improvement initiatives across governance, compliance, and risk processes.

Technical Architecture Governance

• Review product, application, and cloud infrastructure architectures for security control gaps, misconfigurations, and design risks.

• Evaluate engineering design documents, data flow diagrams, and deployment patterns to ensure alignment with security best practices (e.g., zero trust, least privilege, secure SDLC).

• Provide actionable recommendations to engineering teams to address identified risks.

• Participate in security design reviews for new and evolving technologies

Requirements

• 5+ years of experience in GRC, security engineering, architecture review, or related technical security roles.

• Strong understanding of cloud platforms (AWS, GCP, Azure) and their native security controls.

• Hands-on experience reviewing architecture diagrams, data flows, and engineering design patterns.

• Deep familiarity with security frameworks: NIST CSF, ISO 27001/27002//27017/27018/42001, PCI-DSS, CIS, SOC 2 Trust Principles, and MITRE ATLAS/ATT&CK.

• Proven ability to conduct comprehensive technical risk assessments.

• AI/ML architecture/governance over MCP, RAG, and agentic workflows

• API integration and orchestration

• Coding and scripting capabilities using Python, SQL, Go, and Powershell

• Understanding of CI/CD pipelines, container orchestration (Kubernetes), IAM, network security, and logging pipelines.

• Excellent communication skills and ability to translate complex technical risks to business stakeholders.

Preferred Qualifications

• Certifications such as CISM, CRISC, CISSP, CCSP, AWS Security Specialty, or similar.

• Experience with threat modeling methodologies.

• Familiarity with security-as-code and risk automation tooling.

• Previous work in a high-scale fintech, SaaS, or regulated environment