Sr Security GRC Program Manager - Risk Management
- Full-time
Company Description
Who We Are:
The Security Governance, Risk & Compliance (GRC) team works across Twitter to organize risk governance organizational structures, methodologies, and processes that are commensurate with industry best practice but tailored to Twitter’s niche risk sensitivities. Security GRC capabilities allow Twitter to manage security risk & control programs that enable us to achieve company goals and better protect its customers and data in a responsible and proactive manner. We work with internal and external stakeholders to build and operate programs that last - including Information Security, IT, Engineering, Product, Strategy & Operations, Internal Audit, Legal, Privacy, etc.
Job Description
What You’ll Do
We are growing our Risk / Issue Oversight & Treatment team. You will be responsible for maintaining and helping to mature our risk register and issue management programs that enable all security-related projects to reach and manage informed decisions about their security risks. You will ensure risks are actively identified, centrally registered, consistently and thoroughly assessed, reach agreed consensus on the criticality of the risk, and lead to an informed risk treatment decision. You will help design and implement efficient processes to monitor and report on the current state of our security risk posture. You will serve as a trusted advisor within Information Security and to our risk-adjacent partners including Engineering, Product, Finance, Internal Audit, Legal, Privacy, and Strategy & Operations teams. Together, your contributions will also help drive a stronger culture of risk ownership, accountability and awareness across the company as well as help meet broader enterprise risk management capabilities objectives.
As a Sr Security GRC Program Manager, you will:
Contribute to building and operating our risk register and issue management programs, and help maintain updates to our toolkit and procedures, as needed.
Actively engage with several security workflows to ensure relevant risks are identified, centrally registered, and tracked following a consistent procedure, so that risks are accounted for and risk treatment decisions are agreed, regularly monitored with the risk owners, and reported to leadership.
Support or lead risk mitigation or risk acceptance conversations and help stakeholders reach a common understanding of the risks and tradeoffs, and a defined plan to either mitigate or accept the risk(s).
Develop regular risk metrics, dashboards, and reporting.
Perform risk analysis to identify risk trends and behaviors, and perform data quality checks of our risk/issue data to ensure data integrity.
Conduct and promote root cause analysis of identified risks and issues to ensure mitigation recommendations are adequate.
Assist with the implementation and operation of Governance, Risk and Compliance (GRC) tooling to further improve and automate our risk management processes.
Advise and collaborate with SMEs, including Audit & Compliance teams, to ensure adequate security controls are in place to manage risk and are aligned with leading best practices.
Help support various parts of the company in adopting a common risk management process; this may include joining other Security GRC projects (e.g., Third Party Risk Management, M&A Due Diligence, Risk & Compliance Assessments) or other projects adjacent to our Security GRC program objectives.
Keep up with relevant regulation, emerging threats, forecasts, policies and best practices, and maintain a mindset of constant innovation to consider possibilities for advancing our risk management framework.
Qualifications
Who You Are
A critical problem solver, detail-oriented, and highly motivated self-starter with a passion for constant learning & improvement
Able to communicate relevant information clearly and concisely, both verbally and in writing
Able to work efficiently with minimal oversight/direction and collaborate effectively on cross-functional projects
Have technical security-related knowledge of common risks, vulnerabilities, and threats, and solid experience guiding these issues through risk analysis / treatment / mitigation processes
Adept at communicating risks and issues clearly and concisely to both technical and non-technical audiences
Willing to advocate for the security of Twitter users and communicate why security decisions are important to other internal teams
Have good people skills and be able to flourish under pressure and ambiguity in a fast-paced team environment
Requirements
Bachelor's degree in Information Security, Computer Science, Management Information Systems or a related field preferred
Minimum of 6+ years of related work experience building or operating programs to mitigate risks around security, confidentiality, integrity, availability, and privacy. Prior experience in Information Security, Governance, Risk or Compliance, or relevant Audit / Assessment functions preferred
Demonstrated success in a security / operational risk management team at large complex organizations with a mature risk oversight function with direct experience in conducting and analyzing security risk assessments
Strong knowledge of relevant information security frameworks, including related regulatory compliance requirements, such as ISO 27001 / ISO 27002, SOC 2 Trust Services Criteria, PCI DSS, GDPR, NIST Cyber Security Framework (CSF) / 800-53, CIS Critical Security Controls
Strong knowledge of audit and risk management methodologies, such as SOX, COBIT, NIST RMF / 800-37 / 800-30, FAIR
Relevant professional certifications in Information Security or Governance, Risk and Compliance Management are a plus, such as CISA, CISM, CRISC, CGEIT, CSX-P, CISSP, CCSK
Proficient with Atlassian products, G-Suite applications, and GRC tools, such as RSA Archer / ServiceNow / MetricStream
Proficient with reporting tools such as Tableau and Google Data Studio
Additional Information
All your information will be kept confidential according to EEO guidelines.
Here’s all the legal good stuff: We are committed to an inclusive and diverse Twitter. Twitter is an equal opportunity employer. We do not discriminate based on race, ethnicity, color, ancestry, national origin, religion, sex, sexual orientation, gender identity, age, disability, veteran, genetic information, marital status, or any other legally protected status.
San Francisco applicants: pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.
Notice (Colorado Equal Pay for Equal Work Act)
The expected salary range for this role to be performed in Colorado is USD$157,000.00 - USD$220,000.00. Starting pay for the successful applicant will depend on a variety of job-related factors, which may include education, training, experience, location, business needs, or market demands. This range may be modified in the future.
This job is also eligible for participation in Twitter’s Performance Bonus Plan and Equity Incentive Plan subject to the terms of the applicable plans and policies.
Twitter offers a wide range of benefits to U.S.-based employees, including medical, dental, and vision insurance, 401(k) program with employer match, generous time off for vacation, sick time, and parental leave. Twitter's benefits prioritize employee wellness and progressive support to our diverse workforce.