Product Manager
MetricStream
Job Description
We are looking for an experienced and driven Technical Product Manager – CyberGRC to lead the evolution of MetricStream's AI-powered Cyber Risk and Compliance product suite. This role sits at the intersection of deep cybersecurity domain expertise and modern product innovation.
The ideal candidate will have hands-on experience delivering or using cyber GRC platforms — and will bring a sharp understanding of the space. You will shape the product roadmap to advance MetricStream's capabilities across continuous compliance automation, AI-driven risk management and real-time cyber risk visibility — driving MetricStream's transition to a continuous and autonomous compliance and risk platform.
You will own the product strategy and execution for capabilities spanning the full CyberGRC lifecycle, including:
IT and Cyber Risk management
Risk assessment workflows with pre-packaged and customizable risk libraries, scoring algorithms, and treatment plans
Vulnerability management integration: ingesting signals from vulnerability scanners, ITSM platforms, EDR tools, and cloud security posture tools to surface and prioritize risk findings
Exposure management capabilities linking technical findings (vulnerabilities, misconfigurations) to quantified business impact
Threat intelligence integration feeding real-time context into risk registers and dashboards
Continuous cyber risk quantification (CRQ) using FAIR-based financial models, enabling CISOs to express risk in business terms for board and regulatory reporting
AI agents that autonomously assess, prioritize, and summarize risk exposure across the IT and cyber landscape
Predictive risk scoring and heat maps with automated, real-time updates — moving beyond static, point-in-time assessments
Compliance Automation & Framework Management
Continuous controls monitoring and automated evidence collection across major frameworks: ISO 27001, NIST CSF, NIST SP 800-53, SOC 2, PCI DSS, HIPAA, GDPR, DORA, and the NIST AI RMF
Cross-framework control mapping so customers satisfy multiple requirements without duplicate effort
Agentic policy management: AI-driven policy generation, version control, change summaries, and automated approval workflows
Audit-readiness workflows with continuously collected auditor-facing evidence packages
Reporting, Dashboards & Stakeholder Communication
Executive and board-level dashboards that translate cyber risk posture into financial and business terms
Regulator-ready reports covering SEC cybersecurity disclosures, NYDFS cybersecurity reporting, DORA incident and resilience reporting, and other mandated disclosures
Trust center capabilities allowing customers to share real-time compliance posture with auditors and enterprise customers
AI & Emerging Risk Domains
Governance capabilities for GenAI risk, including prompt injection, model abuse, training data risks, and LLM-specific attack vectors
AI Security Assessments aligned to ISO 42001, NIST AI RMF, and the EU AI Act
Explainable AI features that surface rationale behind automated risk scores and recommendations
Key Responsibilities
Product Roadmap & Execution: Own the CyberGRC product vision and multi-quarter roadmap, making strategic prioritization decisions informed by competitive intelligence, customer research, and MetricStream's ConnectedGRC platform strategy.
Competitive Product Strategy: Maintain deep awareness of how MetricStream's CyberGRC compares with competing platforms — and identify features that close gaps or establish differentiated leadership.
Customer & CISO Engagement: Lead discovery sessions, design sprints, and advisory conversations with CISOs, cyber risk managers, compliance officers, and security teams to uncover unmet needs and validate product direction.
Requirements Management: Translate complex cybersecurity workflows and regulatory requirements into crisp product requirements, user stories, and acceptance criteria grounded in real-world risk scenarios.
Cross-Functional Collaboration: Partner closely with engineering, data science, UX, and QA to ship secure, scalable, and high-quality product capabilities on time.
AI Feature Development: Define use cases and requirements for AI-powered features including agentic workflows, automated evidence collection, risk summarization, and predictive scoring — ensuring explainability and trust.
Backlog Prioritization: Continuously manage and prioritize the product backlog, balancing new capabilities, platform debt, integration depth, and regulatory coverage.
Go-to-Market Partnership: Work with sales, customer success, and marketing to prepare compelling product narratives, enable field teams, and integrate customer feedback loops into the development cycle.
Metrics & Adoption: Define and monitor KPIs for CyberGRC product adoption, feature utilization, and customer outcomes — using data to iterate and improve.
Product Evangelism: Represent MetricStream CyberGRC in customer engagements, analyst briefings, and industry forums, clearly articulating product value for cyber risk and compliance stakeholders.
Skills and Experience
Experience: 6–10 years in Cyber Risk Management, IT GRC, Compliance, or Security Product roles, ideally within enterprise SaaS, regulated industries, or GRC platform environments.
Domain Expertise: Deep understanding of cyber risk frameworks and methodologies — threat modeling, vulnerability management, control assessment, risk treatment, and financial risk quantification (FAIR).
Competitive Awareness: Familiarity with the modern cyber GRC and compliance automation landscape, including platforms such as Vanta, Drata, SAFE Security, ServiceNow IRM, or OneTrust.
Compliance Frameworks: Working proficiency across key standards including ISO 27001, NIST CSF, NIST SP 800-53, SOC 2, PCI DSS, GDPR, HIPAA, DORA, and the NIST AI RMF.
Technical Acumen: Comfort with AI/ML concepts in cybersecurity (anomaly detection, agentic workflows, risk scoring models), API integrations, and cloud security architecture.
Product Mindset: Demonstrated experience with modern product development practices — design thinking, agile delivery, user story writing, and data-informed iteration.
Stakeholder Communication: Ability to translate technical risk concepts into board-level and business language, and to influence cross-functional teams without direct authority.
Certifications (Preferred): CISSP, CRISC, CISM, CISA, or CEH
Education
Bachelor's or Master's degree in Cybersecurity, Information Technology, Risk Management, Computer Science, or a related discipline.
MetricStream is proud to be an Equal Opportunity Employer. We not only celebrate diversity, we thrive on it. We are committed to creating an all-inclusive workplace and do not discriminate on the basis of race, religion, color, sex, gender identity, sexual orientation, genetic information, age, non-disqualifying physical or mental disability, national origin, veteran status, or any other applicable characteristics protected by local, state or federal laws. All employment is decided on the basis of qualifications, merit, and business need.