First American Financial posted about 2 months ago
$145,000 - $193,300/Yr
Full-time • Senior
Santa Ana, CA
Insurance Carriers and Related Activities

About the position

Reporting to the VP of InfoSec GRC, the Senior Manager is responsible for execution of enterprise-wide governance, risk, and compliance strategies to ensure alignment with regulatory requirements and cybersecurity best practices. This role is responsible for leading the information security Risk and Control Self-Assessment (RCSA) program, control testing, and issue lifecycle management to strengthen the organization's risk posture. Serving as a key liaison between infosec, technology, and business stakeholders, the senior manager provides strategic oversight and actionable insights to executive leadership. This role is hybrid, in office three days a week in Santa Ana, CA.

Responsibilities

  • Lead the strategic execution of the enterprise-wide Information Security Governance, Risk, and Compliance (GRC) program.
  • Develop, implement, and mature a robust Risk and Control Self-Assessment (RCSA) program to identify, assess, and mitigate cybersecurity risks across business units.
  • Oversee security assurance activities, including control design evaluations, walkthroughs, and control effectiveness testing aligned with regulatory and framework requirements (e.g., NIST CSF, ISO 27001, SOX, SOC2, FFIEC CAT).
  • Direct the testing of security controls, including coordination with internal audit, external assessors, and business stakeholders.
  • Advise management on the design and implementation of control activities that reduce risk, add value, and mature the control environment.
  • Lead enterprise-wide information security risk assessments, including risk identification, evaluation, and prioritization, to support informed decision-making and resource allocation.
  • Collaborate with business units and technology teams to assess the impact and likelihood of cybersecurity threats, integrating findings into broader risk management and mitigation strategy.
  • Manage the full issue lifecycle, including issue identification, root cause analysis, remediation planning, tracking, validation, and closure, ensuring timely and effective resolution of risk and compliance gaps.
  • Provide subject matter expertise and guidance for Information Security policies and standards.
  • Provide leadership and subject matter expertise during regulatory examinations, internal audits, and third-party assessments.
  • Collaborate with business and IT stakeholders to integrate GRC practices into key business and technology initiatives.
  • Leverage GRC tools (e.g., Archer, ServiceNow GRC, LogicGate) to automate risk management workflows and enhance reporting capabilities.
  • Support KPIs and KRIs that facilitate risk prioritization and articulation for enterprise and senior leadership reporting.
  • Develop and present executive-level reporting and dashboards to senior leadership and board committees on risk posture, control effectiveness, and compliance status.
  • Stay current on emerging threats, industry trends, and regulatory changes to proactively adjust GRC strategies.
  • Provide excellent customer service in support of program activities.
  • Manage technical professionals (typically skilled exempt level employees) who have responsibility for operations and project outcomes.
  • Set priorities on daily operations, provide input to, and administer cost center spending, participate in long-range departmental planning, recommend control methodologies and frameworks.
  • Set objectives and priorities and ensure the effective allocation and use of department resources.
  • Develop long-range plan for the department and is a key participant in strategic planning for the Information Security function.
  • Translate strategic goals and priorities into technical strategies and objectives for his/her department.
  • Introduce best practices and ensure the timeliness, quality, and consistency of his/her department's delivery of products and services.
  • Write and conduct performance reviews, provide ongoing performance feedback, establish salary budget and approve salary increases, make hiring decisions.
  • Frequently interface with executives inside and outside the company to make operational and project-related decisions, resolve critical issues, gather industry and competitive information and foster a productive professional network.
  • Perform duties outside of normal work hours based on business needs.

Requirements

  • BA/BS degree in Computer Information Systems, Computer Science or equivalent experience is required.
  • 8+ years of experience in technology, with 5+ years in a leadership role within InfoSec GRC.
  • Certifications such as CISM, CRISC, CISSP, or CGEIT preferred.
  • Strong knowledge of information security and risk management frameworks (e.g., NIST, ISO, COBIT, CIS).
  • Demonstrated experience building and operating RCSA programs and control testing frameworks.
  • Proven success in managing audit and regulatory interactions.
  • Familiarity with GRC platforms and data analytics tools for risk management.

Nice-to-haves

  • Leadership: Ability to communicate function vision and establish aligned direction and goals for his/her department.
  • Teamwork: Ability to establish and maintain effective working relationships at the senior management level across functional groups and business units.
  • Integrity: Deals with others in an honest manner, assures adherence to company policies, and addresses questionable business practices.
  • Service: Drives and models customer loyalty, manages customer expectations, uses customer feedback to establish department goals, and ensures commitments are met.
  • Commitment: Successful track record designing, developing, and executing critical complex projects in more than one area of functional expertise.

Benefits

  • Comprehensive benefits package including medical, dental, vision, 401k, PTO/paid sick leave.
  • Employee stock purchase plan.