Security Risk and Compliance Lead

At Asana, security is foundational to our mission of helping teams work together effortlessly. Our security team protects Asana’s employees, users, and customers by proactively addressing threats, ensuring compliance with legal and regulatory requirements, and fostering a culture of security throughout our product and operations. We are a team of security engineers and risk and compliance practitioners who build innovative safeguards and collaborate across the organization to build and maintain trust at scale.

As the Third Party Risk Management Lead, you will be responsible for building and running Asana’s Third Party Risk Management (TPRM) program. You will own the end-to-end lifecycle of vendor security risk — from initial due diligence and risk tiering through ongoing monitoring and remediation. You will work closely with Procurement, Legal, Privacy, and Engineering teams to ensure that our third-party relationships are effectively assessed, tracked, and managed.

This role is based in our Warsaw office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. Working from home on Fridays depends on the type of work you do, and your recruiter can share more about the in-office requirements.

Our employees in Poland are employed under a contract of employment.

What you’ll achieve

• Own and scale Asana’s TPRM program: Design, implement, and continuously improve a risk-based framework for assessing and managing third-party vendors and service providers. Establish risk tiering criteria, assessment workflows, and governance processes that scale with business growth.
• Lead vendor security assessments: Conduct and oversee security due diligence for new and existing vendors, including reviewing SOC 2 reports, ISO 27001 certifications, security questionnaires (SIG, CAIQ), and other relevant documentation. Identify gaps and work with vendors to remediate findings.
• Drive remediation and risk acceptance: Track and manage open findings from vendor assessments, work with internal stakeholders to prioritize remediation, and facilitate formal risk acceptance processes where appropriate. Ensure findings are documented and resolved in a timely manner.
• Manage ongoing third-party monitoring: Develop and execute a continuous monitoring strategy for critical and high-risk vendors, including periodic reassessments, breach notifications, and security posture updates. Maintain an accurate and up-to-date vendor risk inventory.
• Review security provisions in vendor contracts: Collaborate with Legal and Privacy teams to assess and negotiate security-related clauses in vendor agreements, data processing addenda, and subprocessor agreements, ensuring alignment with Asana’s policies and obligations.
• Report on TPRM program health: Develop metrics and reporting to communicate the state of third-party