
Security Risk and Compliance Lead

Asana
Warsaw, Poland
3 days ago
full-time

Skills & Technologies

Asana, ISO 27001, SOC 2, Risk Management, Procurement, Compliance, Regulatory, Due Diligence, Assessment, Documentation

Job Description

At Asana, security is foundational to our mission of helping teams work together effortlessly. Our security team protects Asana’s employees, users, and customers by proactively addressing threats, ensuring compliance with legal and regulatory requirements, and fostering a culture of security throughout our product and operations. We are a team of security engineers and risk and compliance practitioners who build innovative safeguards and collaborate across the organization to build and maintain trust at scale.

As the Third Party Risk Management Lead, you will be responsible for building and running Asana’s Third Party Risk Management (TPRM) program. You will own the end-to-end lifecycle of vendor security risk — from initial due diligence and risk tiering through ongoing monitoring and remediation. You will work closely with Procurement, Legal, Privacy, and Engineering teams to ensure that our third-party relationships are effectively assessed, tracked, and managed.

This role is based in our Warsaw office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. Working from home on Fridays depends on the type of work you do, and your recruiter can share more about the in-office requirements.

Our employees in Poland are employed under a contract of employment.

What you’ll achieve

Own and scale Asana’s TPRM program: Design, implement, and continuously improve a risk-based framework for assessing and managing third-party vendors and service providers. Establish risk tiering criteria, assessment workflows, and governance processes that scale with business growth.

Lead vendor security assessments: Conduct and oversee security due diligence for new and existing vendors, including reviewing SOC 2 reports, ISO 27001 certifications, security questionnaires (SIG, CAIQ), and other relevant documentation. Identify gaps and work with vendors to remediate findings.

Dr

