DICK'S SPORTING GOODS

Sr. Manager, Information Security Risk Management (REMOTE)

Remote - US Full time

At DICK’S Sporting Goods, we believe in how positively sports can change lives. On our team, everyone plays a critical role in creating confidence and excitement by personally equipping all athletes to achieve their dreams.  We are committed to creating an inclusive and diverse workforce, reflecting the communities we serve.

If you are ready to make a difference as part of the world’s greatest sports team, apply to join our team today!

OVERVIEW:

The Senior Manager, Information Security Risk Management is responsible for building, leading, and maturing the enterprise information security risk management program and the Governance, Risk, and Compliance (GRC) platform that enables it. This role owns the people, process, and technology underpinning risk identification, assessment, treatment, reporting, and assurance. The ideal candidate brings deep experience in security risk frameworks, control assurance, and GRC product ownership, translating complex risk into clear business decisions and automating workflows for scale.

 

Strategy & Leadership (People) 

  • Build and lead a high-performing GRC/risk team (analysts, engineers, control owners), including hiring, coaching, performance management, and succession planning. 

  • Serve as the product owner for the GRC platform, setting vision, roadmap, priorities, and adoption goals; lead a cross-functional virtual team of process owners (IT, Engineering, Privacy, Legal, Procurement, Audit). 

  • Act as a trusted advisor to senior leaders on risk appetite, emerging risks, and investment trade-offs; communicate risk in business terms. 

  • Establish a culture of accountability and continuous improvement across control owners and process stakeholders. 

 

Risk Management Program (Process) 

  • Design, implement, and mature an enterprise Information Security Risk Management (ISRM) program aligned to business strategy and regulatory requirements. 

  • Define and operationalize risk taxonomy, risk appetite/thresholds, and risk assessment methodologies (inherent/residual, likelihood/impact, qualitative/quantitative where appropriate). 

  • Stand up end-to-end risk workflows: identification → assessment → treatment planning → control implementation → monitoring → metrics → reporting. 

  • Integrate risk management with strategic planning, project/architecture reviews, third-party risk, privacy, resilience/BCP/DR, and audit. 

  • Establish and maintain the Information Security Policy & Standards framework; ensure clear control ownership and maintenance cadence. 

  • Run the issue/exception/waiver process: risk acceptance, remediation tracking, and expiration governance. 

  • Coordinate audit readiness and responses (internal audit, external audit, regulatory inquiries); ensure defensible evidence management. 

 

GRC Platform Ownership (Technology) 

  • Own the selection, implementation, configuration, and continuous improvement of the GRC platform (e.g., ServiceNow GRC, Archer, OneTrust, LogicGate, MetricStream, or similar).

  • Engineer scalable workflows for risk assessments, control testing, issue management, vendor risk, policy lifecycle, SOX/ITGC, and automated evidence collection. 

  • Build and maintain authoritative control libraries mapped to frameworks (e.g., NIST CSF/800-53, ISO 27001, SOC 2, PCI DSS, HIPAA, SOX, CIS). 

  • Implement integrations with core systems (e.g., IAM, CMDB, ticketing, CI/CD, cloud security tools, vulnerability management, procurement, ERP) to drive control automation and near-real-time monitoring. 

  • Define and publish dashboards and KPIs/KRIs for executive reporting; enable self-service analytics and board-level reporting packages. 

 

Assurance & Continuous Monitoring 

  • Establish a risk-based control testing and continuous control monitoring (CCM) program; leverage automation for evidence capture and evaluation. 

  • Oversee security exceptions, findings, and remediation programs with clear SLAs and escalation paths. 

  • Coordinate scenario analysis and tabletop exercises for key risks (e.g., ransomware, data exfiltration, third-party outage). 

  • Partner with Security Engineering and Operations to connect risk insights to detection, vulnerability, and incident response priorities. 

 

Third-Party & Product/Project Risk 

  • Mature third-party risk management (TPRM) with tiering, due diligence, contract clauses, continuous monitoring, and exit strategies. 

  • Embed risk reviews in SDLC and project governance (architecture boards, change management, M&A diligence/integration). 

 

Preferred Qualifications: 

  • Demonstrated experience standing up or significantly maturing an enterprise risk management program and owning a GRC solution end-to-end. 

  • Strong knowledge of risk and control frameworks and regulations: NIST CSF/800-53, ISO 27001, SOC 2, SOX/ITGC, PCI DSS, HIPAA, CIS, and data protection/privacy (e.g., GDPR, CCPA/CPRA). 

  • Hands-on experience designing automated workflows, building dashboards, and integrating GRC with IT/security tooling. 

  • Exceptional communication and stakeholder management skills; proven ability to translate technical risk into business impacts and priorities. 

  • Security or audit certifications: CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CISA. 

  • Experience with risk quantification approaches (e.g., FAIR) and board-level reporting. 

  • Background in cloud and modern engineering environments (AWS/Azure/GCP, DevSecOps, SaaS). 

QUALIFICATIONS:

  • 7–10 years of progressive experience in Information Security, Risk, or Audit, with 3–5+ years leading teams and/or owning a GRC platform.

  • Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or a related field; or equivalent experience.

#LI-CB1

 

VIRTUAL REQUIREMENTS:

At DICK’S, we thrive on innovation and authenticity. That said, to protect the integrity and security of our hiring process, we ask that candidates do not use AI tools (like ChatGPT or others) during interviews or assessments.

To ensure a smooth and secure experience, please note the following:

  • Cameras must be on during all virtual interviews.

  • Candidates may not use AI tools during any part of the interview process.

  • Offers are contingent upon a satisfactory background check which may include ID verification.

If you have any questions or need accommodations, we’re here to help. Thanks for helping us keep the process fair and secure for everyone!

 

Targeted Pay Range: $95,200.00 - $158,800.00. This is part of a competitive total rewards package that could include other components such as: incentive, equity and benefits. Individual pay is determined by a number of factors including experience, location, internal pay equity, and other relevant business considerations. We review all teammate pay regularly to ensure competitive and equitable pay.

DICK'S Sporting Goods complies with all state paid leave requirements. We also offer a generous suite of benefits. To learn more, visit www.benefityourliferesources.com.