Senior Manager, Security Risk Management

About The Position

Requirements

• 7+ years in information security, risk management, or GRC roles, with a minimum of 3 years managing teams (or equivalent leadership experience).
• Demonstrated ownership of a TPRM program or security governance program in a regulated or high-growth technology environment (fintech preferred).
• Strong knowledge of security frameworks (NIST, ISO), compliance standards (SOC2, PCI), and vendor risk processes (IRQ/DDQ/SME assessments).
• Hands-on familiarity with TPRM/GRC tooling and observability: AuditBoard (or equivalent), Jira, BI tools (Sigma/Tableau/Looker), and experience with integrations/APIs.
• Excellent stakeholder management across legal, procurement, engineering, product, and executive leadership.
• Proven experience translating audit findings into operational remediation plans and measurable outcomes.
• Strong communication skills — able to present risk to technical and non-technical audiences and to influence decisions.
• Certifications such as CISSP, CISM, CRISC, or similar.
• Practical experience with threat-modeling approaches and third-party integration security (API, SSO/OAuth/SAML, TLS).

Nice To Haves

• Experience scaling automation for GRC/TPRM programs and integrating security checks into CI/CD pipelines.
• Prior experience in fintech or highly regulated industries.

Responsibilities

• Program strategy & governance
• Own Security Governance: maintain and evolve security policies, standards, and control frameworks (e.g., NIST CSF, ISO 27001), including mapping to controls and compliance requirements (SOC2, PCI, applicable regulations).
• Lead program maturity planning, roadmaps, and cross-functional governance forums (e.g., security steering committee, risk council).
• Define and enforce security risk appetite and decision criteria for third-party relationships and integrations.
• Third-party risk management
• Lead the Security TPRM function across vendor lifecycle: intake/onboarding, due diligence (IRQ/DDQ/SME reviews), contracting handoffs, ongoing monitoring, periodic reviews, and offboarding.
• Ensure robust fourth-party oversight, including subprocessors, and manage remediation/QA cycles driven by Internal Audit and regulators.
• Oversee high-risk vendor decisions and escalations; establish clear RACI for partnership contracts and security acceptance criteria.
• Operational excellence & tooling
• Own program KPIs, dashboards, and reporting (Jira STPRM Ops, AuditBoard, Sigma/BI, MetricStream). Drive improvements in throughput, turnaround, backlog age, and remediation velocity.
• Partner with Automation/TPRM Ops to operationalize threat-modeling outputs, integration inventories, pre-integration gates, and CI/CD checks; prioritize automations that reduce manual work and surface strategic escalations.
• Implement and maintain QA processes (quarterly QA), runbooks, SOPs for ticket ownership, and evidence standards.
• People & stakeholder leadership
• Build, coach, and scale the Governance and TPRM teams: hiring, performance management, career development, and team morale.
• Act as the primary security contact for Legal, Procurement, Privacy, Product, and Engineering on vendor risk and governance matters.
• Represent Security in executive forums, audit meetings, and regulatory engagements; own remediation commitments and timelines.
• Audit, compliance & risk reporting
• Serve as the security liaison for Internal Audit and external assessments; ensure timely remediation of findings and demonstrable progress.
• Produce regular program health reporting for senior leadership and Board-level stakeholders.

Benefits

• Health care coverage - Affirm covers all premiums for all levels of coverage for you and your dependents
• Flexible Spending Wallets - generous stipends for spending on Technology, Food, various Lifestyle needs, and family forming expenses
• Time off - competitive vacation and holiday schedules allowing you to take time off to rest and recharge
• ESPP - An employee stock purchase plan enabling you to buy shares of Affirm at a discount