Senior Manager, Security Risk Management

Affirm · Remote (Remote Canada)

Tags: Cybersecurity, Excel

WFA Digital Insight

As demand for cybersecurity specialists grows 25% annually, Affirm seeks a seasoned Senior Manager to lead Security Governance and Third-Party Risk Management. With the global cybersecurity market projected to reach $300 billion by 2027, experts with proficiency in Excel and security frameworks like NIST CSF are in high demand. This role stands out for its focus on scaling security operations and driving policy development. Before applying, candidates should understand the complexities of security risk management and what makes Affirm's approach unique.

Job Description

About the Role

The Senior Manager, Security Risk Management, is a critical role at Affirm, responsible for leading the company's Security Governance and Third-Party Risk Management (TPRM) function. This leader will oversee the development and implementation of security policies, standards, and control frameworks, ensuring compliance with regulatory requirements and industry standards. The role involves managing a team of security professionals, driving program strategy, and ensuring the security risk posture of the company is aligned with its business objectives.

As a key member of the security team, the Senior Manager will work closely with various stakeholders, including Legal, Procurement, Privacy, Product, and Engineering, to ensure that security risk is properly assessed and mitigated. The role requires a deep understanding of security risk management principles, excellent leadership skills, and the ability to drive change and improvement in a fast-paced environment.

The successful candidate will be responsible for setting the security risk posture, tightening governance and fourth-party oversight, improving tooling and automation adoption, and ensuring timely, actionable escalations to senior leadership. This is an exciting opportunity for a seasoned security professional to join a dynamic team and contribute to the growth and success of Affirm.

What You Will Do

  • Own and evolve security policies, standards, and control frameworks to ensure compliance with regulatory requirements and industry standards
  • Lead the development of program strategy, roadmaps, and cross-functional governance forums to drive security governance and TPRM
  • Define and enforce security risk appetite and decision criteria for third-party relationships and integrations
  • Oversee the Security TPRM function across the vendor lifecycle, including intake/onboarding, due diligence, contracting handoffs, ongoing monitoring, and offboarding
  • Ensure robust fourth-party oversight, including subprocessors, and manage remediation/QA cycles driven by Internal Audit and regulators
  • Own program KPIs, dashboards, and reporting to drive improvements in throughput, turnaround, backlog age, and remediation velocity
  • Partner with Automation/TPRM Ops to operationalize threat-modeling outputs, integration inventories, pre-integration gates, and CI/CD checks
  • Implement and maintain QA processes, runbooks, SOPs for ticket ownership, and evidence standards
  • Build, coach, and scale the Governance and TPRM teams, including hiring, performance management, career development, and team morale
  • Act as the primary security contact for Legal, Procurement, Privacy, Product, and Engineering on vendor risk and governance matters

What We Are Looking For

  • 8+ years of experience in security risk management, preferably in a similar role or industry
  • Strong knowledge of security frameworks and standards, such as NIST CSF, ISO 27001, and SOC 2
  • Excellent leadership and management skills, with experience in building and scaling high-performing teams
  • Strong analytical and problem-solving skills, with the ability to drive change and improvement
  • Proficiency in Excel and experience with security tools and technologies, such as Jira, AuditBoard, Sigma/BI, and MetricStream
  • Strong communication and collaboration skills, with the ability to work effectively with various stakeholders
  • Experience in managing third-party risk and compliance, including vendor management and due diligence
  • Strong understanding of regulatory requirements and industry standards, including PCI, SOC 2, and applicable regulations

Nice to Have

  • Experience in cloud security, including AWS, Azure, or Google Cloud
  • Knowledge of automation and DevOps practices, including CI/CD and threat modeling
  • Familiarity with agile development methodologies and experience in working with cross-functional teams
  • Certification in security risk management, such as CRISC or CISM
  • Experience in managing security operations, including incident response and security monitoring

Benefits and Perks

  • Competitive salary and bonus structure
  • Comprehensive health, dental, and vision insurance
  • 401(k) matching and retirement savings plan
  • Flexible PTO and vacation policy
  • Remote work stipend and home office setup
  • Professional development opportunities and training budget
  • Access to cutting-edge security tools and technologies
  • Collaborative and dynamic work environment
  • Recognition and reward programs for outstanding performance

How to Stand Out

  • Develop a strong understanding of security risk management principles and frameworks, such as NIST CSF and ISO 27001, to stand out in your application and interview.
  • Showcase your experience in managing third-party risk and compliance, including vendor management and due diligence, to demonstrate your expertise in this area.
  • Highlight your leadership and management skills, including experience in building and scaling high-performing teams, to demonstrate your ability to drive change and improvement.
  • Familiarize yourself with security tools and technologies, such as Jira, AuditBoard, Sigma/BI, and MetricStream, to demonstrate your technical skills and expertise.
  • Prepare to discuss your experience in managing security operations, including incident response and security monitoring, to demonstrate your ability to handle complex security issues.
  • Be prepared to provide specific examples of your experience in driving change and improvement in a fast-paced environment, and how you have contributed to the growth and success of previous organizations.
  • Research Affirm's approach to security risk management and be prepared to discuss how your skills and experience align with the company's goals and objectives.

This is a remote position listed on WFA Digital, the platform for professionals who work from anywhere.