Security Risk Management Lead

Affirm · Remote (Remote US)
Cybersecurity
Excel

WFA Digital Insight

As demand for digital payment solutions grows, companies like Affirm are prioritizing security and compliance. With the rise of fintech, security risk management has become a critical function, and specialists with expertise in this area are in high demand. Affirm's commitment to security is evident in its mission to cultivate a culture of security, and this role offers a unique opportunity to shape the company's security risk management strategy. Candidates should be prepared to leverage their technical skills, including proficiency in Excel, to drive security governance processes.

Job Description

## About the Role

The Security Risk Management Lead will play a key role in Affirm's Security Risk Management team, responsible for designing, developing, and implementing solutions to complex technical and business problems. This role entails leading and maturing Affirm's Security Third Party Program, building and maintaining automation to replace manual GRC tasks, and partnering with stakeholders to assess and manage security risk across third-party relationships. The ideal candidate will be equally comfortable shaping policy and shipping automation using modern tooling. As a subject matter expert, the Security Risk Management Lead will operate at the intersection of security, compliance, and engineering, driving program operational excellence and establishing repeatable processes, service-level expectations, metrics, and reporting for third-party security risk management. This role requires a unique blend of technical, business, and communication skills, as well as the ability to translate ambiguous requirements into practical, scalable program solutions. The Security Risk Management team is evolving beyond traditional governance, risk, and compliance, building an engineering-driven program that designs, automates, and scales controls, workflows, and tooling to protect Affirm and its customers. This role offers a unique opportunity to contribute to the broader Security Risk Management strategy, identifying opportunities to scale, simplify, and strengthen security governance processes through engineering.

## What You Will Do

- Lead and mature Affirm's Security Third Party Program, including design, implementation, and continuous improvement of processes, controls, and operational workflows
- Build and maintain automation to replace manual GRC tasks using Python, low-code platforms, and agentic coding tools
- Design and operate workflow orchestration and integrations across systems like ticketing, GRC platforms, vendor management tools, identity providers, and cloud control planes
- Partner closely with Procurement, Legal, Engineering, IT, Compliance, Privacy, and business stakeholders to assess and manage security risk across third-party relationships
- Translate ambiguous business and security requirements into practical, scalable program solutions and decision frameworks
- Identify opportunities to automate manual processes across the program and prototype solutions
- Drive program operational excellence by establishing repeatable processes, service-level expectations, metrics, and reporting for third-party security risk management
- Evaluate third-party security controls, cloud architectures, integration patterns, and risk posture, providing clear recommendations to stakeholders and leadership
- Conduct light threat models on high-risk integrations and partner with Security SMEs for deeper diligence
- Manage and prioritize a portfolio of complex security risk reviews and initiatives simultaneously, balancing business enablement with risk reduction

## What We Are Looking For

- 5+ years of experience in security risk management, compliance, or a related field
- Proficiency in Excel and experience with automation tools like Python, low-code platforms, and agentic coding tools
- Strong understanding of security principles, threat modeling, and risk management frameworks
- Experience with cloud architectures, integration patterns, and security controls
- Excellent communication and collaboration skills, with the ability to partner with stakeholders and drive program operational excellence
- Strong problem-solving skills, with the ability to translate ambiguous requirements into practical solutions
- Experience with workflow orchestration and integrations across systems like ticketing, GRC platforms, and cloud control planes

## Nice to Have

- Experience with security orchestration, automation, and response (SOAR) tools
- Knowledge of cloud security frameworks and compliance standards like SOC 2, ISO 27001, and PCI-DSS
- Familiarity with agile development methodologies and DevOps practices
- Experience with data analytics and visualization tools like SQL, Tableau, or Power BI

## Benefits and Perks

- Competitive compensation package
- Opportunities for professional growth and development in a rapidly growing company
- Collaborative and dynamic work environment with a team of experienced security professionals
- Flexible remote work arrangements and a stipend for home office setup
- Comprehensive health insurance and wellness programs
- Generous paid time off and holidays
- Access to cutting-edge security tools and technologies
- Recognition and reward programs for outstanding performance

How to Stand Out

- Tip: Develop a strong understanding of security principles, threat modeling, and risk management frameworks to stand out in this role.
- To succeed, focus on building a portfolio that demonstrates your ability to automate manual processes and drive program operational excellence.
- When applying, highlight your experience with automation tools like Python, low-code platforms, and agentic coding tools.
- Be prepared to discuss your approach to security risk management, including your experience with cloud architectures, integration patterns, and security controls.
- Research Affirm's security strategy and be ready to discuss how you can contribute to the company's mission to cultivate a culture of security.
- Show enthusiasm for learning and growing with the company, and be prepared to discuss your long-term career goals and how they align with Affirm's vision.

This is a remote position listed on WFA Digital, the platform for professionals who work from anywhere.