At Asana, security is foundational to our mission of helping teams work together effortlessly. Our security team protects Asana’s employees, users, and customers by proactively addressing threats, ensuring compliance with legal and regulatory requirements, and fostering a culture of security throughout our product and operations. We are a team of security engineers and risk and compliance practitioners who build innovative safeguards and collaborate across the organization to build and maintain trust at scale.
As the Third Party Risk Management Lead, you will be responsible for building and running Asana’s Third Party Risk Management (TPRM) program. You will own the end-to-end lifecycle of vendor security risk — from initial due diligence and risk tiering through ongoing monitoring and remediation. You will work closely with Procurement, Legal, Privacy, and Engineering teams to ensure that our third-party relationships are effectively assessed, tracked, and managed.
This role is based in our Warsaw office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. Working from home on Fridays depends on the type of work you do, and your recruiter can share more about the in-office requirements.
Our employees in Poland are employed under a contract of employment.
What you’ll achieve
- Own and scale Asana’s TPRM program: Design, implement, and continuously improve a risk-based framework for assessing and managing third-party vendors and service providers. Establish risk tiering criteria, assessment workflows, and governance processes that scale with business growth.
- Lead vendor security assessments: Conduct and oversee security due diligence for new and existing vendors, including reviewing SOC 2 reports, ISO 27001 certifications, security questionnaires (SIG, CAIQ), and other relevant documentation. Identify gaps and work with vendors to remediate findings.
- Drive remediation and risk acceptance: Track and manage open findings from vendor assessments, work with internal stakeholders to prioritize remediation, and facilitate formal risk acceptance processes where appropriate. Ensure findings are documented and resolved in a timely manner.
- Manage ongoing third-party monitoring: Develop and execute a continuous monitoring strategy for critical and high-risk vendors, including periodic reassessments, breach notifications, and security posture updates. Maintain an accurate and up-to-date vendor risk inventory.
- Review security provisions in vendor contracts: Collaborate with Legal and Privacy teams to assess and negotiate security-related clauses in vendor agreements, data processing addenda, and subprocessor agreements, ensuring alignment with Asana’s policies and obligations.
- Report on TPRM program health: Develop metrics and reporting to communicate the state of third-party risk to senior leadership and relevant stakeholders. Support audit and compliance activities by providing evidence of TPRM program effectiveness, including for SOC 2, ISO 27001, and customer audits.
- Operate globally: Work with a global team to ensure appropriate coverage and coordination across time zones, supporting vendor assessments and risk decisions that span multiple regions.
About you
- 5+ years of experience in third-party risk management, vendor risk assessment, or a related information security discipline.
- Strong knowledge of TPRM frameworks and standards, including SIG, CAIQ, NIST SP 800-161, ISO 27001, and SOC 2.
- Experience conducting vendor security assessments and reviewing third-party security documentation (audit reports, certifications, penetration test summaries, etc.).
- Solid understanding of core security principles, cloud environments, data privacy, and compliance standards relevant to B2B SaaS organizations.
- Proven ability to build and operationalize scalable risk management processes and develop metrics for tracking program effectiveness.
- Excellent communication skills, with the ability to translate technical risk findings into clear, actionable language for both technical and non-technical audiences.
- Experience collaborating cross-functionally with Procurement, Legal, Privacy, and Engineering teams.
- Demonstrates curiosity about AI tools and emerging technologies, with a willingness to learn and leverage them to enhance productivity, collaboration, or decision-making.
At Asana, we're committed to building teams that include a variety of backgrounds, perspectives, and skills, as this is critical to helping us achieve our mission. If you're interested in this role and don't meet every listed requirement, we still encourage you to apply.
What we’ll offer
- Generous, transparent and fair compensation system
- Contract of Employment (and the option of 50% tax-deductible costs for author's rights usage in respect of applicable roles)
- Health insurance with dental and travel coverage (Lux Med)
- Meals reimbursement on the days that you work from the office
- Career growth budget
- Home office setup budget
- Gym/Fitness reimbursement
- Fertility healthcare and family-forming support with Carrot
- Mental Health Support in Modern Health
- Group life insurance
- MacBooks with all necessary accessories
For this role, the estimated base salary range is between 22,750 - 27,250 PLN gross per month (subject to all taxes and necessary deductions). The actual base salary will vary based on various factors, including market and individual qualifications objectively assessed during the interview process. The listed range above is a guideline, and the base salary range for this role may be modified.
In addition to base salary, your compensation package may include additional components such as equity and sales incentive pay (for most sales roles), and benefits. If you're interviewing for this role, speak with your Talent Acquisition Partner to learn more about the total compensation and benefits for this role.
About us
Asana is a leading platform for human + AI collaboration. Millions of teams around the world rely on Asana to achieve their most important goals, faster. Asana has been named to Fortune's Best Workplaces for 7+ years and recognized by Fast Company, Forbes, and Gartner for excellence in workplace culture and innovation. We offer an exceptional office-centric culture while adopting the best elements of hybrid models to ensure that every one of our global team members can work together effortlessly. With 13+ offices all over the world, we are always looking for individuals who care about building technology that drives positive change in the world and a culture where everyone feels that they belong.