Sr Mgr, Information Security

About The Position

Requirements

• Bachelor’s degree in Information Security, Computer Science, or related field.
• 8–12+ years of experience in information security, risk, compliance, or IT audit roles.
• Strong hands-on experience with risk assessments, audits, and control testing.
• Practical working knowledge of NIST CSF, ISO 27001/27002, SOC 2, and cloud security controls.
• Ability to independently manage multiple assessments and audits end-to-end.
• Typically requires BS/BA in a related discipline.
• Generally 7+ years of experience in a related field.
• May require certification.

Nice To Haves

• CISSP, CISM, CRISC, CISA, ISO 27001 Lead Implementer/Auditor, or equivalent.
• Deep technical understanding of security controls and risk mitigation
• Strong documentation and evidence management skills
• Ability to translate compliance requirements into technical actions
• Comfortable working in fast-paced, hands-on environments
• Strong problem-solving and attention to detail
• Advanced degree may offset less experience in some disciplines.

Responsibilities

• Perform and lead information security risk assessments across applications, infrastructure, cloud environments, and business processes.
• Maintain risk registers, document findings, assign remediation actions, and track closure.
• Conduct threat modeling and control gap analyses in collaboration with engineering and security teams.
• Perform and review third-party/vendor security risk assessments and questionnaires.
• Directly manage compliance efforts for frameworks and regulations such as ISO 27001, SOC 2, PCI DSS, SOX, GDPR, or HIPAA (as applicable).
• Prepare audit evidence, coordinate walkthroughs, and respond to auditor and regulator requests.
• Execute control testing and validate control design and operating effectiveness.
• Track remediation plans and validate corrective actions.
• Draft, update, and maintain information security policies, standards, and procedures.
• Map technical and administrative controls to compliance requirements and business risks.
• Work hands-on with system owners to design and implement security controls.
• Administer and optimize GRC tools (e.g., Varonis, Lighbeam, Tenable, Auditboard etc).
• Build risk dashboards, compliance metrics, and executive-level reporting.
• Automate evidence collection and control monitoring where possible.
• Work closely with IT, Cloud, DevOps, Security Operations, Legal, Privacy, and Internal Audit teams.
• Provide actionable security guidance during system design, cloud migrations, and vendor onboarding.
• Act as a subject matter expert for security risk and compliance inquiries.
• Lead by example with direct execution while mentoring junior risk and compliance staff.
• Review work products, provide hands-on coaching, and ensure quality and consistency.
• Support hiring and onboarding of risk and compliance team members as needed.
• Manage and coordinate a team of Security Managers and Engineers.
• Ensure tight rigor and control over Security Operations and Audit processes.
• Serves as an internal information security consultant to the organization.
• Effectively leads and or coordinates all internal dedicated security functions including but not limited to - patching, anti-virus, intrusion prevention, CERT response, log file monitoring, cross division security coordination, systems operational security testing, rule set analysis, threat detection and adaptation, as well as advent security related functions.
• Initiates activities to create information security awareness within the organization.
• Performs information security risk assessments, and acts as an internal auditor.
• Evaluates audit findings and drives remediation of identified control deficiencies.
• Reviews all system-related security planning throughout the network and acts as a liaison to information systems.
• Monitors compliance with information security policies and procedures, addressing problems with the appropriate department manager or data owner.
• Oversees the security policy to ensure appropriateness.
• Provides training and consultation to ensure understanding of and compliance with established security standards and controls.
• Manages the Computer Security Incident Response Plan.
• Manages the Risk Program including coordination and follow-up of the semi-annual risk assessment and development and implementation of business unit policies and standards.
• Manages the business unit's audits and examinations.
• Works with management to put controls in place needed to comply with SOX and PCI regulatory requirements.