Senior Manager - Security Risk Management (Hybrid)

First American, Santa Ana, CA
Posted 5 days ago, Hybrid

About The Position

The Senior Manager of Security Risk Management is a key leadership role responsible for developing, maintaining, and maturing the organization’s risk management program. This role oversees Information Security policies and standards, Third‑Party Risk Management, security training and awareness, and contributes directly to enterprise security strategy. The ideal candidate brings strong leadership, deep expertise in risk frameworks, and the ability to drive cross-functional alignment.

Requirements

  • 8+ years of experience in Information Security, Risk Management, Compliance, or related fields.
  • 3+ years in a leadership role.
  • Strong knowledge of security frameworks (NIST, ISO, SOC 2, CIS), risk methodologies, and regulatory requirements.
  • Experience leading enterprise policy programs and vendor risk management activities.
  • Proven ability to collaborate and influence across all levels of the organization.
  • Excellent written and verbal communication skills, with the ability to influence stakeholders, present to executives, and simplify complex risk topics.

Nice To Haves

  • Relevant certifications such as CISSP, CISM, CRISC, or ISO 27001 Lead Implementer/Auditor.
  • Experience scaling programs in large, distributed, or highly regulated environments.
  • Background in cloud security, business continuity, or enterprise risk management.

Responsibilities

  • Information Security Policies & Standards: Lead the lifecycle management of enterprise Information Security policies, standards, baselines, and guidelines. Ensure alignment with regulatory requirements, industry frameworks (e.g., NIST CSF, ISO 27001), and internal risk posture. Partner with business and technology leaders to ensure policies are actionable, effective, and embedded into operational processes. Oversee periodic reviews, updates, and governance activities for all security documentation.
  • Third‑Party Information Security Risk Management (TPRM): Lead the enterprise Information Security–focused TPRM program, ensuring all third parties with access to corporate data, systems, or facilities undergo rigorous security risk assessments. Maintain assessment methodologies centered on security controls, including data protection, access management, vulnerability management, encryption practices, incident response maturity, and cloud security posture. Oversee due diligence processes, security questionnaires, evidence reviews, attestations (SOC 2, ISO 27001, penetration tests), and follow‑up remediation activities. Partner with Procurement, Legal, and business stakeholders to ensure contracts include appropriate security obligations, such as breach notification requirements, minimum security standards, and right‑to‑audit language. Monitor ongoing vendor security risk through periodic reassessments, continuous monitoring tools, and threat intelligence related to third‑party ecosystems. Deliver metrics and executive‑level reporting on the security posture of third parties, highlighting emerging risks, systemic gaps, and required remediation actions.
  • Security Strategy: Support the development and execution of the long‑term security strategy. Partner closely with cross‑functional business teams and IT leadership to ensure security strategy aligns with organizational goals, technology roadmaps, and operational priorities. Provide expert insight into risk-based prioritization, investment planning, and roadmap development. Monitor regulatory, threat, and technology trends to inform strategic decisions. Support management reporting for enterprise executive committees, risk committees, and governance forums.
  • Security Training & Awareness: Oversee the enterprise security awareness program, including phishing simulations, mandatory training, campaigns, and targeted education for high‑risk groups. Drive culture change by promoting security-first behaviors and improving security literacy across the organization. Measure effectiveness using risk metrics, training performance, and behavior analytics.

Benefits

  • First American offers a comprehensive benefits package including medical, dental, vision, 401k, PTO/paid sick leave and other great benefits like an employee stock purchase plan.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Education Level

No Education Listed

Number of Employees

5,001-10,000 employees