Sr. Manager, Information Security Risk Management (REMOTE)

About The Position

Requirements

• 7-10 years progressive experience in Information Security, Risk, or Audit with 3–5+ years leading teams and/or owning a GRC platform.
• Bachelors Degree: Information Systems, Computer Science, Cybersecurity, or related; or equivalent experience.

Nice To Haves

• Demonstrated experience standing up or significantly maturing an enterprise risk management program and owning a GRC solution end-to-end.
• Strong knowledge of risk and control frameworks and regulations: NIST CSF/800-53, ISO 27001, SOC 2, SOX/ITGC, PCI DSS, HIPAA, CIS, and data protection/privacy (e.g., GDPR, CCPA/CPRA).
• Hands-on experience designing automated workflows, building dashboards, and integrating GRC with IT/security tooling.
• Exceptional communication and stakeholder management skills; proven ability to translate technical risk into business impacts and priorities.
• Security or audit certifications: CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CISA.
• Experience with risk quantification approaches (e.g., FAIR) and board-level reporting.
• Background in cloud and modern engineering environments (AWS/Azure/GCP, DevSecOps, SaaS).

Responsibilities

• Build and lead a high-performing GRC/risk team (analysts, engineers, control owners), including hiring, coaching, performance management, and succession planning.
• Serve as the product owner for the GRC platform, setting vision, roadmap, priorities, and adoption goals; lead a cross-functional virtual team of process owners (IT, Engineering, Privacy, Legal, Procurement, Audit).
• Act as a trusted advisor to senior leaders on risk appetite, emerging risks, and investment trade-offs; communicate risk in business terms.
• Establish a culture of accountability and continuous improvement across control owners and process stakeholders.
• Design, implement, and mature an enterprise Information Security Risk Management (ISRM) program aligned to business strategy and regulatory requirements.
• Define and operationalize risk taxonomy, risk appetite/thresholds, and risk assessment methodologies (inherent/residual, likelihood/impact, qualitative/quantitative where appropriate).
• Stand up end-to-end risk workflows: identification → assessment → treatment planning → control implementation → monitoring → metrics → reporting.
• Integrate risk management with strategic planning, project/architecture reviews, third-party risk, privacy, resilience/BCP/DR, and audit.
• Establish and maintain the Information Security Policy & Standards framework; ensure clear control ownership and maintenance cadence.
• Run the issue/exception/waiver process: risk acceptance, remediation tracking, and expiration governance.
• Coordinate audit readiness and responses (internal audit, external audit, regulatory inquiries); ensure defensible evidence management.
• Own the selection, implementation, configuration, and continuous improvement of the GRC platform (e.g., ServiceNow GRC, Archer, OneTrust, LogicGate, MetricStream, similar).
• Engineer scalable workflows for risk assessments, control testing, issue management, vendor risk, policy lifecycle, SOX/ITGC, and automated evidence collection.
• Build and maintain authoritative control libraries mapped to frameworks (e.g., NIST CSF/800-53, ISO 27001, SOC 2, PCI DSS, HIPAA, SOX, CIS).
• Implement integrations with core systems (e.g., IAM, CMDB, ticketing, CI/CD, cloud security tools, vulnerability management, procurement, ERP) to drive control automation and near-real-time monitoring.
• Define and publish dashboards and KPIs/KRIs for executive reporting; enable self-service analytics and board-level reporting packages.
• Establish a risk-based control testing and continuous control monitoring (CCM) program; leverage automation for evidence capture and evaluation.
• Oversee security exceptions, findings, and remediation programs with clear SLAs and escalation paths.
• Coordinate scenario analysis and tabletop exercises for key risks (e.g., ransomware, data exfiltration, third-party outage).
• Partner with Security Engineering and Operations to connect risk insights to detection, vulnerability, and incident response priorities.
• Mature third-party risk management (TPRM) with tiering, due diligence, contract clauses, continuous monitoring, and exit strategies.
• Embed risk reviews in SDLC and project governance (architecture boards, change management, M&A diligence/integration).

Benefits

• competitive total rewards package that could include other components such as: incentive, equity and benefits.
• all state paid leave requirements.
• a generous suite of benefits.