Associate Director/Senior Manager, Information Risk Management (IT Controls & Governance)
Position Responsibilities:
Security Testing: Execute security testing using methodologies such as SAST, SCA, and DAST to identify vulnerabilities. Leverage tools like Snyk for open-source dependency and container image security.
Information Risk Assessments: Conduct risk assessments for IT initiatives prior to go-live, review release evidence, and ensure compliance with internal and industry standards.
Third-Party Risk Management: Oversee vendor onboarding and governance, ensuring procurement aligns with security requirements and contractual clauses.
Vulnerability Management: Apply OWASP Top 10 and NIST guidelines to prevent common vulnerabilities such as injection flaws and broken access controls.
Secure Development: Embed security practices into the SDLC and DevOps workflows, ensuring integration with CI/CD pipelines and version control systems.
Cloud Security: Assess and validate security controls for cloud platforms (e.g., Microsoft Azure, Alibaba Cloud) and cloud-native services such as Kubernetes and microservices.
GenAI Security Evaluation: Evaluate security risks in Generative AI projects, ensuring responsible use and compliance with data privacy and integrity standards.
Communication & Compliance: Translate technical risks into actionable insights for technical and non-technical stakeholders, presenting security concerns and posture at all levels, from developers to senior executives, and providing regular updates to C-level leadership.
Reviewing penetration testing reports and automated scans (Snyk, GitGuardian).
Developing automated security reports using Power BI, Python, or Power Automate.
Leading security audits and implementing remediation plans.
Acting as product owner for enterprise SCA & SAST solutions, driving migration strategies and improving DevSecOps maturity.
Managing penetration testing programs and refining methodologies based on stakeholder feedback.
Enhancing AppSec risk metrics for accurate visualization and remediation guidance.
Required Qualifications:
Bachelor’s degree in Computer Science, Information Security, or a related field (or equivalent experience).
Proven experience in information security and compliance monitoring, preferably in cloud environments.
Strong analytical skills and the ability to interpret complex security reports.
Familiarity with penetration testing and DevOps tools (BurpSuite, Snyk, GitHub, GitGuardian).
Knowledge of OWASP trends and Generative AI risk considerations.
Programming proficiency in Python or experience with Microsoft Power Automate.
Experience with Power BI or similar visualization tools.
Excellent communication and collaboration skills.
Relevant certifications (CISSP, CISM, CEH) preferred.
Understanding of IT control frameworks and regulatory requirements (ISO 27001, NIST, COBIT, PDPO, GDPR).
When you join our team:
We’ll empower you to learn and grow the career you want.
We’ll recognize and support you in a flexible environment where well-being and inclusion are more than just words.
As part of our global team, we’ll support you in shaping the future you want to see.
About Manulife and John Hancock
Manulife Financial Corporation is a leading international financial services provider, helping people make their decisions easier and lives better. To learn more about us, visit https://www.manulife.com/en/about/our-story.html.
Manulife is an Equal Opportunity Employer
At Manulife/John Hancock, we embrace our diversity. We strive to attract, develop and retain a workforce that is as diverse as the customers we serve and to foster an inclusive work environment that embraces the strength of cultures and individuals. We are committed to fair recruitment, retention, advancement and compensation, and we administer all of our practices and programs without discrimination on the basis of race, ancestry, place of origin, colour, ethnic origin, citizenship, religion or religious beliefs, creed, sex (including pregnancy and pregnancy-related conditions), sexual orientation, genetic characteristics, veteran status, gender identity, gender expression, age, marital status, family status, disability, or any other ground protected by applicable law.
It is our priority to remove barriers to provide equal access to employment. A Human Resources representative will work with applicants who request a reasonable accommodation during the application process. All information shared during the accommodation request process will be stored and used in a manner that is consistent with applicable laws and Manulife/John Hancock policies. To request a reasonable accommodation in the application process, contact recruitment@manulife.com.
Working Arrangement