Manager, Information Security Assurance Services

Thrivent•Minneapolis, MN

1d•$146,428 - $198,108•Remote

About The Position

The Manager, Information Security Assurance Services is responsible for leading the design, build, and continuous maturation of the program. This role requires a proven track record of establishing and scaling information security assurance capabilities, including control frameworks, regulatory compliance, and audit readiness, information security awareness, policy governance, third-party risk management, and Payment Card Industry Data Security Standards (PCI DSS). This leader will oversee a team accountable for executing and evolving assurance processes, with a clear mandate to drive automation, standardization, and gain operational efficiency across all Assurance Services products and services. The role partners closely with business, technology, and regulatory stakeholders to ensure controls are effectively implemented, measured, and aligned to organizational risk tolerance and regulatory requirements. The ideal candidate brings demonstrated experience building GRC programs from the ground up and advancing them to a mature, technology-enabled function, leveraging automation, integrated tooling, and data-driven insights to reduce manual effort, improve control effectiveness, and enhance transparency. This role will be responsible for executing the strategic direction, establish scalable processes, and ensure the team delivers consistent, high-quality outcomes that strengthen the organization’s overall security posture and resilience.

Requirements

Minimum 10 years of progressive experience across GRC, information security, technology risk, internal/external audit, controls, cybersecurity assurance, or closely related disciplines.
Minimum 5 years of direct people leadership experience, including coaching, performance management, workforce planning, and talent development.
Demonstrated experience operating within or directly supporting PCI DSS environments, including scope definition, control design, testing, remediation, evidence management, and QSA/ISA interaction.
Strong working knowledge of governance and control frameworks including NYDFS Part 500, NIST Cybersecurity Framework, CIS Controls, and PCI DSS, with the ability to design and defend control rationale to auditors and regulators.
Demonstrated experience designing, testing, and remediating IT general controls (ITGCs) and application-level controls.
Proven ability to communicate complex risk and control topics clearly to executive audiences, audit committees, regulators, and cross-functional stakeholders.
Ability to operate independently under limited direction, prioritize competing demands, and consistently deliver results in ambiguous, fast-moving environments.
Bachelor's degree in Information Security, Computer Science, Information Systems, related discipline, or equivalent professional experience.

Nice To Haves

Experience implementing or operating ServiceNow Integrated Risk Management (IRM) or comparable GRC platforms (e.g., Archer, AuditBoard, OneTrust, MetricStream).
Experience operating within a Product Operating Model, including roadmap planning, backlog grooming, sprint-based delivery, feature commitment management, and metrics-driven execution.
Experience in financial services, banking, or other highly regulated industries, including direct interaction with regulators such as state banking authorities, the OCC, FDIC, or NYDFS.
Industry certifications such as CISSP, CISA, CISM, CRISC, CGEIT, or CIA.
Demonstrated success improving control automation, continuous control monitoring, assurance testing efficiency, audit-readiness practices, and evidence-as-code approaches.

Responsibilities

Program leadership across assurance domains —Lead and continuously mature governance, controls design and testing, audit and regulatory response, security awareness, policy governance, third-party/vendor risk management (TPRM), and the PCI DSS program, with full accountability for adherence to established controls, policies, and regulatory requirements.
Hands-on subject matter expertise — Serve as the team's go-to expert across information security assurance disciplines. Step in as an active contributor on control narratives, audit walkthroughs, regulator engagements, and remediation plans when program needs demand it.
Control framework ownership — Build, maintain, and continuously improve the control framework, ensuring alignment with NYDFS Part 500, NIST Cybersecurity Framework, CIS Controls, HIPAA, FDIC, PCI DSS v4.x, and other applicable standards. Maintain control libraries, control-to-framework mappings, and a defensible evidence model.
Audit and regulatory response — Direct the end-to-end response to internal audits, external audits, regulatory examinations, and PCI engagements. Personally review high-risk responses, evidence packages, and management responses prior to submission.
PCI DSS program oversight — Provide senior oversight and governance of the PCI DSS v4.x program, including scope validation, strategy, control implementation, ISA coordination, AOC/ROC readiness, compensating controls, and establish a clear multi-year roadmap to support enterprise goals.
Third-party risk management — Mature the TPRM program including inherent risk tiering, due diligence depth-of-review, contractual security requirements, ongoing monitoring, fourth-party visibility, and concentration risk reporting.
Policy governance — Own the enterprise information security policy governance (policies, standards, procedures, guidelines), including a defined lifecycle, exception management, ownership accountability, and executive committee approval cadence.
Security awareness — Direct the strategy, content, and measurement of the enterprise information security awareness program, including annual training, role-based training, phishing simulations, and Cybersecurity Awareness Month (CSAM) campaigns and activities.
Executive translation and stakeholder partnership — Translate strategic priorities, regulatory expectations, and informal executive conversations into structured roadmaps, OKRs, deliverables, sprint commitments, and team execution plans. Partner with business, technology, regulatory stakeholders, and third parties to communicate complex issues, drive alignment on contentious topics, and advocate for business-aligned outcomes.
People leadership and talent development — Manage, coach, and develop a multi-disciplinary team of assurance professionals. Set clear expectations, establish accountability, conduct performance management, and build a high-performing and high-trust team.
Continuous improvement and automation — Drive process maturity, automation of evidence collection and control testing, improved reporting routines, reduced manual effort, and effective use and management of GRC/IRM platforms (e.g., ServiceNow IRM) to scale the program and sustain operations.
Metrics and reporting — Define and operationalize KPIs/KRIs across each assurance domain. Deliver board-ready and executive-ready dashboards, and narrative reporting that articulate program health and remediation trajectory.
Decision-making and influence — Make and own operational and strategic decisions with significant impact to program effectiveness, and guide senior leaders through informed recommendations, best practices, and trade-off discussions.