Senior Manager of Risk and Compliance

PTR Global
Washington, US
Remote

Job Description

Senior Manager of Risk and Compliance

Job Summary

This position is a hands-on leader responsible for the execution and operational delivery of security compliance, risk management, and audit functions. This position oversees a team of compliance analysts and works cross-functionally with stakeholders to ensure security controls and compliance objectives are met. They are responsible for managing day-to-day security risk activities, responding to client audit and assessment requests, overseeing third-party vendor reviews, and leading internal assessments and risk treatment tracking.

The ideal candidate combines deep operational knowledge with the ability to mentor and guide a growing team.

Essential Duties and Responsibilities

  • Designs and leads the information security risk assessment strategy, methodology, and process.

  • Coordinates the execution of enterprise-wide information security risk assessments, including the reporting and oversight of risk treatment plans to address findings.
  • Perform internal control reviews, gap assessments, and documentation of compliance with applicable security and privacy regulations (e.g. HIPAA, SOC 2, NIST, ISO 27001).

  • Manage risk and compliance resources for team execution.
  • Oversee the development and maintenance of security policies, standards, and procedures aligned with leading frameworks.
  • Support contract and vendor reviews by assessing third-party risk and advising on risk acceptance / treatment in conjunction with Vendor management processes.
  • Deliver regular reporting on metrics, KPI’s, risk posture, exceptions, remediation and audit status to appropriate parties.
  • Provide approved responses to client inquiries and maintain a library of records, documentation, and responses.

  • Ensure key security controls are identified, implemented, tested, and remediated as required.
  • Evaluate and advise on security control recommendations to mitigate information security risks.
  • Evaluate and advise on the implementation and effectiveness of security controls for compliance with applicable information security laws, regulations, and policies.
  • Work with business partners, global risk management, IT risk, product and data security, and outside consultants on required information security risk assessments and audits.
  • Respond to security assessments, questionnaires and audits from regulators, clients and third-party business partners.

  • Work directly with clients to provide advisory services and guidance that will reduce organizational risk, improve their overall security posture, and achieve compliance.
  • Prepare reports and other deliverables that contain strategy, technical analysis, findings, and recommendations.

  • Other duties as assigned.

Supervisory Responsibility

This position manages employees and is responsible for the performance management and hiring of the employees.

Education (Minimum/Preferred)

  • Minimum: 4-year / Bachelor's degree in Information Security, Information Systems or a related field
  • Minimum certification: CISA
  • Preferred certification: CISSP, CRISC, CISM, or other equivalents

Experience (Minimum Years)

  • 5+ years of management in Information Security, with a combination of operational security, risk management, IT, compliance and audit
  • 5+ years specific to security risk management and compliance programs, processes, and execution

Knowledge, Skills, and Abilities

  • Ability to write solution workflow diagrams, system documentation, playbooks, etc.
  • Strong analytical skills
  • Excellent written and verbal communications skills, including presentational skills
  • Understanding of or experience with industry and regulatory standards, including NIST 800-53, HIPAA Security Rule, ISO 2700x, AICPA SOC 2, PCI DSS, GDPR, CCPA

  • Prior experience auditing and performing quality control actions of audits.
  • Hands-on experience with GRC platforms and work management tools (e.g. Jira, Confluence)

  • Demonstrated experience in curating cyber security strategies and programs for large and complex organizations
  • Proven ability to operate independently, manage multiple priorities, and drive results in a deadline-driven environment.
  • Proven track record in defining, developing, and implementing cyber risk management structures, governance models, organizational transformations in the areas of cyber security
  • Strong domain expertise and understanding of five or more of the following areas:
      • Cyber risk program management and delivery
      • Secur

Skills & Requirements

Technical Skills

CISA, CISSP, CRISC, CISM, Security, Compliance

Employment Type

FULL TIME

Level

senior

Posted

4/22/2026