Lead Security Governance & Risk Engineer

KlaviyoBoston, MA
$156,000 - $234,000Hybrid

About The Position

An exciting opportunity within the Security Trust and Risk (STAR) team whose mission is to ensure the safety and security of our customers, partners and Klaviyos as well as deliver best in class technology solutions, infrastructure and services. This is achieved by providing a robust and secure technology foundation to do great work. We solve problems using technology, embrace automation and AI, and support Klaviyo's continued scalability and sustainable employee growth in a rapidly evolving environment. The STAR team assists the Global Security Services (GSS) organization in developing and refining information security policies, standards and strategy, enterprise risk management, creating metrics and reporting, coordinating cross-functional projects, and strategically aligning global information security initiatives with the broader CISO vision amongst other governance, risk and compliance efforts. The STAR team is highly collaborative and cross-functional, working closely with various functions within the GSS team (namely Security Product and Development and Security Intelligence Operations), Global Technology Solutions (GTS) team and the broader Klaviyo organization.

Requirements

  • 7+ years of experience in information security, technology risk, cyber risk, or operational risk within a large, complex, or high-growth organization, including hands-on risk engineering or quantitative risk work.
  • Strong command of cyber risk quantification, able to express risk in financial and business terms (FAIR, riskquant, or similar) rather than qualitative severity ratings alone.
  • Hands-on engineering ability: SQL, Python, and integrating with APIs to extract, transform, and load data between systems and to automate risk reporting.
  • Experience building and running a technology and/or third-party risk register and taxonomy, with the tooling and process automation behind it.
  • Working knowledge of security and AI frameworks (NIST CSF and RMF, ISO 27000 series, ISO 42001, SOC 2, PCI DSS, CIS Controls) and how they translate into credible control requirements.
  • Hands-on familiarity with modern risk and security tooling: third-party risk platforms, cyber risk quantification, vulnerability management, and endpoint and data-security telemetry, with a clear point of view on where AI augments versus replaces human judgement.
  • Experience authoring and maintaining security policies and standards, with a governance mindset that ties policy to the risk it reduces and to operational controls.
  • Able to operate independently as a second line of defense while engaging credibly with senior engineers, architects, and security teams.
  • Proficiency discussing complex, nuanced topics with technical and non-technical audiences alike, and translating technical risk into clear business impact.
  • Excellent ability to plan, prioritise, and execute work cross-functionally and on time.

Nice To Haves

  • Experience leading an evolution from a traditional GRC / compliance model toward an automated, engineering-led, or AI-enabled risk capability.
  • AI governance, model risk, or responsible-AI programme experience, and ISO 42001 readiness or certification work.
  • Experience building metrics and dashboards (KPIs, KRIs, KCIs) using business intelligence or dashboarding tools like Tableau and so on.
  • Experience in a regulated or high-trust environment (SOC 2, ISO 27000 series, ISO 42001, HIPAA, GDPR).
  • Threat modeling or secure design reviews, and experience designing or implementing technical security controls in AWS.
  • Experience securing web applications, Kubernetes clusters, and/or containers.
  • Relevant professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Auditor / Lead Implementer, an ISO 42001 / AI governance certification, or Open FAIR.

Responsibilities

  • Operate and maintain the risk register and taxonomy. Run the technology and third-party risk register on a consistent standard (threat actor, technique, scenario, safeguard, loss event, quantification) so that risks aggregate, prioritise, and report meaningfully across the business.
  • Lead AI risk governance and ISO 42001 readiness. Maintain the AI risk assessment methodology and risk criteria, maintain the consolidated AI risk register against the K:AI inventory, and define AI risk treatment plans that map each risk to specific controls and treatment decisions. Drive ISO/IEC 42001 readiness (Clauses 6.1 and 8.2/8.3) toward the certification target, working with the Trust & Compliance and ARIA teams.
  • Drive third-party risk automation and risk scoring. Contribute vendor and application risk signals into the composite risk score, partnering with the TPRM lead who owns vendor onboarding automation and the TPRM process.
  • Perform the hands-on risk quantification. Apply cyber risk quantification (expected loss, probability, and cost of remediation versus acceptance) so leadership and the Technology Risk Committee can make rational investment and risk-acceptance decisions rather than relying on qualitative severity labels.
  • Support the risk governance cadence. Contribute to weekly risk huddles, monthly risk reviews, and the quarterly Technology Risk Committee (CIO, CISO, CTO), preparing accurate, succinct, decision-ready risk materials and translating high-severity findings into clear business impact.
  • Operate as a second line of defense. Provide independent oversight, credible challenge, and guidance to first-line teams, apply consistent risk taxonomies and reporting standards, and escalate risks that exceed established tolerance.
  • Partner cross-functionally and close the loop. Work with Engineering, Product, GTS, Legal, Internal Audit, ARIA, and Finance on risk and audit findings affecting systems and processes, tracking findings and remediation through to closure with clear ownership.

Benefits

  • Comprehensive range of health, welfare, and wellbeing benefits
  • Participation in the company’s annual cash bonus plan
  • Equity
  • Sign-on payments
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service