Senior Manager, Security Risk Management
WFA Digital Insight
As demand for security professionals grew 25% in 2025, companies like Affirm are looking for experienced leaders to manage risk and compliance. With the rise of fintech, security governance and third-party risk management have become crucial. This role stands out for its focus on driving policy and control frameworks, and growing a high-performing team. Before applying, candidates should know that Affirm values a strong background in information security, risk management, and GRC roles, with a minimum of 7 years of experience.
Job Description
## About the Role

The Senior Manager, Security Risk Management, leads the Security Governance and Security Third-Party Risk Management (TPRM) functions at Affirm. The role drives program strategy, operational maturity, and stakeholder alignment for security governance, vendor risk, and third-party integration risk. The ideal candidate has a deep understanding of security policies, standards, and control frameworks, together with experience managing teams and stakeholder relationships.

As the leader of the Security Governance and TPRM team, the Senior Manager sets the security risk posture, tightens governance and fourth-party oversight, improves tooling and automation adoption, and ensures timely, actionable escalations so senior leadership can make informed business decisions. The role works closely with Legal, Procurement, Privacy, Product, and Engineering so that risk decisions stay aligned across the business.

The Senior Manager is expected to move the Security Governance and TPRM programs from tactical firefighting to predictable, measurable operations that scale with the business. That includes defining and enforcing the security risk appetite and decision criteria for third-party relationships and integrations, and leading the Security TPRM function across the full vendor lifecycle.
## What You Will Do

- Own and maintain security policies, standards, and control frameworks, including mapping to controls and compliance requirements
- Lead program maturity planning, roadmaps, and cross-functional governance forums
- Define and enforce security risk appetite and decision criteria for third-party relationships and integrations
- Lead the Security TPRM function across the vendor lifecycle, including intake/onboarding, due diligence, contracting handoffs, ongoing monitoring, periodic reviews, and offboarding
- Ensure robust fourth-party oversight, including subprocessors, and manage remediation/QA cycles driven by Internal Audit and regulators
- Oversee high-risk vendor decisions and escalations, and establish a clear RACI for partnership contracts and security acceptance criteria
- Own program KPIs, dashboards, and reporting, and drive improvements in throughput, turnaround, backlog age, and remediation velocity
- Partner with Automation/TPRM Ops to operationalize threat-modeling outputs, integration inventories, pre-integration gates, and CI/CD checks
- Implement and maintain QA processes, runbooks, SOPs for ticket ownership, and evidence standards
- Build, coach, and scale the Governance and TPRM teams, including hiring, performance management, career development, and team morale
- Act as the primary security contact for Legal, Procurement, Privacy, Product, and Engineering on vendor risk and governance matters
- Represent Security in executive forums, audit meetings, and regulatory engagements, and own remediation commitments and timelines

## What We Are Looking For

- 7+ years of experience in information security, risk management, or GRC roles, with a minimum of 3 years managing teams or equivalent leadership experience
- Demonstrated ownership of a TPRM program or security governance program in a regulated or high-growth technology environment (fintech preferred)
- Strong understanding of security policies, standards, and control frameworks, including NIST CSF, ISO 27001, and SOC 2
- Experience with vendor risk management, including due diligence, contracting, and ongoing monitoring
- Excellent communication and stakeholder management skills, with the ability to influence and collaborate across functions
- Strong analytical and problem-solving skills, with the ability to drive improvements in process and operations
- Experience with automation and tooling, including Jira, AuditBoard, Sigma/BI, and MetricStream
- Strong leadership and management skills, with the ability to build, coach, and scale high-performing teams

## Nice to Have

- Experience with cloud-based security solutions and technologies
- Knowledge of regulatory requirements, including PCI DSS and applicable laws and regulations
- Certification in information security, risk management, or a related field (e.g., CISM, CRISC, CISSP)
- Experience with Agile development methodologies and DevOps practices

## Benefits and Perks

- Competitive compensation package
- Comprehensive health insurance benefits
- Generous paid time off and holiday schedule
- Remote work stipend and flexible work arrangements
- Professional development opportunities, including training and conference sponsorships
- Access to cutting-edge technologies and tools
- Collaborative and dynamic work environment
- Recognition and reward programs for outstanding performance
How to Stand Out
- Develop a strong understanding of security policies, standards, and control frameworks, including NIST CSF, ISO 27001, and SOC 2
- Highlight your experience with vendor risk management, including due diligence, contracting, and ongoing monitoring
- Showcase your leadership and management skills, including building, coaching, and scaling high-performing teams
- Be prepared to discuss your experience with automation and tooling, including Jira, AuditBoard, Sigma/BI, and MetricStream
- Research Affirm's company culture and values, and be prepared to discuss how you align with them
- Prepare examples of your analytical and problem-solving skills, including driving improvements in process and operations
- Be ready to discuss your experience with cloud-based security solutions and technologies, as well as regulatory requirements and compliance
This is a remote position listed on WFA Digital, the platform for professionals who work from anywhere.