Who We Are:

The Security Governance, Risk & Compliance (GRC) team works across Twitter to organize risk governance organizational structures, methodologies, and processes that are commensurate with industry best practice but tailored to Twitter’s niche risk sensitivities. Security GRC capabilities allow Twitter to manage security risk & control programs that enable us to achieve company goals and better protect its customers and data in a responsible and proactive manner. We work with internal and external stakeholders to build and operate programs that last - including Information Security, IT, Engineering, Product, Strategy & Operations, Internal Audit, Legal, Privacy, etc. 

What You’ll Do:

We are looking for someone to lead our Risk / Issue Oversight & Treatment team. You will be responsible for maintaining and maturing our risk register and issue management programs. You will ensure risks are actively identified, centrally registered, consistently and thoroughly assessed, reach agreed consensus on the criticality of the risk, and lead to an informed risk treatment decision. You will help design and implement efficient processes to monitor and report on the current state of our security risk posture, and work closely with leadership to help ensure security strategies and investments are addressing our top current / emerging risks. You will engage with Infosec team leads, coach team members and identify opportunities to continually improve the program. You will serve as a trusted advisor within Information Security and to our risk-adjacent partners including Engineering, Product, Finance, Internal Audit, Legal, Privacy, and Strategy & Operations teams. Together, your contributions will also help drive a stronger culture of risk ownership, accountability and awareness across the company as well as help meet broader enterprise risk management capabilities objectives.

As a Staff Security GRC Program Manager, you will:

• Lead efforts to improve and operate our risk register and issue management programs, such as: 

  • Managing risk registration activities to ensure security risks are centrally and consistently cataloged

  • Shepherding risk treatment decisions to drive clear actions for either risk mitigation or formal risk acceptance

  • Issue and action management to ensure steady progress is made towards resolution that address the root cause(s) and prevent issue recurrence

  • Producing insights from our aggregated risks to highlight relevant risk trends or behaviors, and delivering periodic reporting to measure our risk posture and enable escalations where necessary

• Drive improvements to the risk register program, such as:

  • Supporting risk-adjacent teams to adopt the risk register or leverage it to build equivalent programs

  • Periodically re-validating the accuracy of our Top Risks

  • Shifting from less qualitative to more quantitative risk analysis techniques

  • Harnessing synergies from security-related workflows such as security incident response,  vulnerability management and threat intelligence to build more informed risk intelligence that drive more purposeful action or recommendations

• Lead risk mitigation or risk acceptance conversations and help stakeholders reach a common understanding of the risks and tradeoffs, and a defined plan to either mitigate or accept the risk(s). 

• Develop and/or deliver regular risk metrics and reporting to Infosec / Staff leadership and management committees such as the Security Committee or Board Risk Committee 

• Build and maintain strong cross-functional relationships across the organization to help with expectation setting, training and awareness, and promote consistency and improvement in our processes

• Assist with the implementation and operation of Governance Risk and Compliance (GRC) tooling to further improve and automate our risk management processes

• Advise and collaborate with SMEs, including Audit & Compliance teams, to ensure adequate security controls are in place to manage risk and are aligned with leading best practices

• Help support various parts of the company to adopt a common risk management process, this may include joining other Security GRC projects (e.g., Third Party Risk Management, M&A Due Diligence, Risk & Compliance Assessments) or other projects adjacent to our Security GRC program objectives.

• Keep up with relevant regulation, emerging threats, forecasts, policies and best practices, and maintain a mindset of constant innovation to consider possibilities in advancing our risk management framework

Who You Are

• An inspiring and resourceful leader who is able to effectively prioritize multiple projects simultaneously

• Adept at digging into the details, bringing clarity from ambiguity, and synthesizing solutions that scale

• Experience tackling complex problems from initial proposal to implementation with proven success in building influence and driving consensus across multiple stakeholders

• Proficient at designing and delivering key risk metrics and reports to varying audiences across the management chain 

• Adept at communicating risks and issues clearly and concisely to both technical and non-technical audiences

• Able to work efficiently with minimal oversight/direction and practices good judgment on matters requiring attention and escalation

• Have technical security-related knowledge of common risks, vulnerabilities, and threats and solid experience in escorting these issues through risk analysis / treatment / mitigation processes

• Willing to advocate for the security of Twitter users and communicate why security decisions are important to other internal teams

• Have great people skills and able to flourish under pressure and ambiguity in a fast-paced team environment

Requirements

• Bachelor degree in Information Security, Computer Science, Management Information Systems or related field preferred

• Minimum 10+ years of related work experience building or operating programs to mitigate risks around security, confidentiality, integrity, availability, and privacy. Preferred prior experience in Information Security, Governance Risk or Compliance, or relevant Audit / Assessments functions

• Demonstrated success in a security / operational risk management team at large complex organizations with a mature risk oversight function with direct experience in conducting and analyzing security risk assessments

• Strong knowledge of relevant information security frameworks, including related regulatory compliance requirements, such as ISO 27001 / ISO 27002, SOC 2 Trust Services Criteria, PCI DSS, GDPR, NIST Cyber Security Framework (CSF) / 800-53, CIS Critical Security Controls

• Strong knowledge of audit and risk management methodologies, such as SOX, COBIT, NIST RMF / 800-37 / 800-30, FAIR

• Relevant professional certifications in Information Security or Governance Risk Compliance Management is a plus, such as CISA, CISM, CRISC, CGEIT, CSX-P, CISSP, CCSK 

• Proficient with Atlassian products, G-Suite applications, and GRC tools, such as RSA Archer / ServiceNow / MetricStream

• Proficient with reporting tools such as Tableau and Google Data Studio

All your information will be kept confidential according to EEO guidelines.

Here’s all the legal good stuff: We are committed to an inclusive and diverse Twitter. Twitter is an equal opportunity employer. We do not discriminate based on race, ethnicity, color, ancestry, national origin, religion, sex, sexual orientation, gender identity, age, disability, veteran, genetic information, marital status, or any other legally protected status.

San Francisco applicants: pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

Notice (Colorado Equal Pay for Equal Work Act)
The expected salary range for this role to be performed in Colorado is USD$146,000.00 - USD$204,000.00. Starting pay for the successful applicant will depend on a variety of job-related factors, which may include education, training, experience, location, business needs, or market demands. This range may be modified in the future.

This job is also eligible for participation in Twitter’s Performance Bonus Plan and Equity Incentive Plan subject to the terms of the applicable plans and policies.

Twitter offers a wide range of benefits to U.S.-based employees, including medical, dental, and vision insurance, 401(k) program with employer match, generous time off for vacation, sick time, and parental leave. Twitter's benefits prioritize employee wellness and progressive support to our diverse workforce.