Title: Technical Product Manager – CyberGRC

Job Location: - Bengaluru

We are looking for an experienced and driven Technical Product Manager – CyberGRC to lead the evolution of MetricStream's AI-powered Cyber Risk and Compliance product suite. This role sits at the intersection of deep cybersecurity domain expertise and modern product innovation.

The ideal candidate will have hands-on experience delivering or using cyber GRC platforms — and will bring a sharp understanding of the space. You will shape the product roadmap to advance MetricStream's capabilities across continuous compliance automation, AI-driven risk management and real-time cyber risk visibility — driving MetricStream's transition to a continuous and autonomous compliance and risk platform.

You will own the product strategy and execution for capabilities spanning the full CyberGRC lifecycle, including:

IT and Cyber Risk management

• Risk assessment workflows with pre-packaged and customizable risk libraries, scoring algorithms, and treatment plans
• Vulnerability management integration: ingesting signals from vulnerability scanners, ITSM platforms, EDR tools, and cloud security posture tools to surface and prioritize risk findings
• Exposure management capabilities linking technical findings (vulnerabilities, misconfigurations) to quantified business impact
• Threat intelligence integration feeding real-time context into risk registers and dashboards
• Continuous cyber risk quantification (CRQ) using FAIR-based financial models, enabling CISOs to express risk in business terms for board and regulatory reporting
• AI agents that autonomously assess, prioritize, and summarize risk exposure across the IT and cyber landscape
• Predictive risk scoring and heat maps with automated, real-time updates — moving beyond static, point-in-time assessments

Compliance Automation & Framework Management

• Continuous controls monitoring and automated evidence collection across major frameworks: ISO 27001, NIST CSF, NIST SP 800-53, SOC 2, PCI DSS, HIPAA, GDPR, DORA, and the NIST AI RMF
• Cross-framework control mapping so customers satisfy multiple requirements without duplicate effort
• Agentic policy management: AI-driven policy generation, version control, change summaries, and automated approval workflows
• Audit-readiness workflows with continuously collected auditor-facing evidence packages

Reporting, Dashboards & Stakeholder Communication

• Executive and board-level dashboards that translate cyber risk posture into financial and business terms
• Regulator-ready reports for SEC, NYDFS, DORA, and other mandated disclosures
• Trust center capabilities allowing customers to share real-time compliance posture with auditors and enterprise customers

AI & Emerging Risk Domains

• Governance capabilities for GenAI risk, including prompt injection, model abuse, training data risks, and LLM-specific attack vectors
• AI Security Assessments aligned to ISO 42001, NIST AI RMF, and the EU AI Act

Explainable AI features that surface rationale behind automated risk scores and recommendations

Key Responsibilities

• Product Roadmap & Execution: Own the CyberGRC product vision and multi-quarter roadmap, making strategic prioritization decisions informed by competitive intelligence, customer research, and MetricStream's ConnectedGRC platform strategy.
• Competitive Product Strategy: Maintain deep awareness of how MetricStream's CyberGRC competes with competitors — and identify features that close gaps or establish differentiated leadership.
• Customer & CISO Engagement: Lead discovery sessions, design sprints, and advisory conversations with CISOs, cyber risk managers, compliance officers, and security teams to uncover unmet needs and validate product direction.
• Requirements Management: Translate complex cybersecurity workflows and regulatory requirements into crisp product requirements, user stories, and acceptance criteria grounded in real-world risk scenarios.
• Cross-Functional Collaboration: Partner closely with engineering, data science, UX, and QA to ship secure, scalable, and high-quality product capabilities on time.
• AI Feature Development: Define use cases and requirements for AI-powered features including agentic workflows, automated evidence collection, risk summarization, and predictive scoring — ensuring explainability and trust.
• Backlog Prioritization: Continuously manage and prioritize the product backlog, balancing new capabilities, platform debt, integration depth, and regulatory coverage.
• Go-to-Market Partnership: Work with sales, customer success, and marketing to prepare compelling product narratives, enable field teams, and integrate customer feedback loops into the development cycle.
• Metrics & Adoption: Define and monitor KPIs for CyberGRC product adoption, feature utilization, and customer outcomes — using data to iterate and improve.
• Product Evangelism: Represent MetricStream CyberGRC in customer engagements, analyst briefings, and industry forums, clearly articulating product value for cyber risk and compliance stakeholders

Skills and Experience

• Experience: 6–10 years in Cyber Risk Management, IT GRC, Compliance, or Security Product roles, ideally within enterprise SaaS, regulated industries, or GRC platform environments.
• Domain Expertise: Deep understanding of cyber risk frameworks and methodologies — threat modeling, vulnerability management, control assessment, risk treatment, and financial risk quantification (FAIR).
• Competitive Awareness: Familiarity with the modern cyber GRC and compliance automation landscape, including platforms such as Vanta, Drata, SAFE Security, ServiceNow IRM, or OneTrust.
• Compliance Frameworks: Working proficiency across key standards including ISO 27001, NIST CSF, NIST SP 800-53, SOC 2, PCI DSS, GDPR, HIPAA, DORA, and the NIST AI RMF.
• Technical Acumen: Comfort with AI/ML concepts in cybersecurity (anomaly detection, agentic workflows, risk scoring models), API integrations, and cloud security architecture.
• Product Mindset: Demonstrated experience with modern product development practices — design thinking, agile delivery, user story writing, and data-informed iteration.
• Stakeholder Communication: Ability to translate technical risk concepts into board-level and business language, and to influence cross-functional teams without direct authority.
• Certifications (Preferred): CISSP, CRISC, CISM, CISA, or CEH

Education

Bachelor's or Master's degree in Cybersecurity, Information Technology, Risk Management, Computer Science, or a related discipline.