Who We Are:

The Security Governance, Risk & Compliance (GRC) team works across Twitter to organize risk governance organizational structures, methodologies, and processes that are commensurate with industry best practice but tailored to Twitter’s niche risk sensitivities. Security GRC capabilities allow Twitter to manage security risk & control programs that enable us to achieve company goals and better protect its customers and data in a responsible and proactive manner. We work with internal and external stakeholders to build and operate programs that last - including Information Security, IT, Engineering, Product, Strategy & Operations, Internal Audit, Legal, Privacy, etc. 

What You’ll Do

We are growing our Compliance team to further mature our security program and ensure that the technical implementation of our internal controls is strong and well-managed. You will be responsible for maintaining and improving our common risk & controls framework and building sustainable control assurance programs that keep the company aligned with our regulatory & compliance obligations, policy requirements, and customer expectations. Your focus will be to ensure we have adequate internal controls in place, drive control adoption and maintenance, support control owner education and awareness, and manage roadmaps to resolve control gaps in a timely fashion.

As a Sr Security GRC Program Manager, you will:

• Mature the company’s unified security risk and control framework and ensure its alignment against applicable laws, regulations, industry standards such as ISO 27002, NIST Cyber Security Framework (CSF), PCI Data Security Standard, etc. as well as Twitter Information Security and IT policies & standards

• Support the Security GRC team and other stakeholders in integrating the unified security risk and control framework as part of their service capabilities to drive programmatic consistency

• Support Information Security oversight and governance by building control assurance programs to proactively assess and report on the design, operating effectiveness, and sustainability of key controls to ensure we are always “audit ready”

• Translate ambiguous control requirements to meaningful language that can be understood and operationalized by control owners

• Lead efforts to address control implementation, remedy control gaps that address the root cause of control failures, drive control ownership and accountability, and build process and control documentation as needed

• Advise and assist control owners in redesigning controls for improvement or automation, or preparing for scheduled audits or assessments

• Assist with the implementation and operation of Governance Risk and Compliance (GRC) tooling to further improve and automate our risk and control management processes

• Keep up with relevant regulation, emerging threats, forecasts, policies and best practices, and maintain a mindset of constant innovation to consider possibilities in advancing our unified security risk and control framework

Who You Are

• A critical problem solver, detailed oriented, and highly motivated self-starter with a passion for constant learning & improvement 

• Able to communicate relevant information clearly and concisely, both verbally and in writing

• Able to work efficiently with minimal oversight/direction and collaborate effectively in cross functional projects

• Have technical security-related knowledge of common risks, vulnerabilities, and threats and solid experience in escorting these issues through risk analysis / treatment / mitigation processes

• Willing to advocate for the security of Twitter users and communicate why security decisions are important to other internal teams

• Have good people skills and able to flourish under pressure and ambiguity in a fast-paced team environment

Requirements

• Bachelor degree in Information Security, Computer Science, Management Information Systems or related field preferred

• Minimum 6+ years of related work experience building or operating internal control programs to mitigate risks around security, confidentiality, integrity, availability, and privacy. Preferred prior experience in Information Security, Governance Risk or Compliance, or relevant Audit / Assessments functions

• Demonstrated success in a security / operational risk management team at large complex organizations with a mature risk oversight function with direct experience in conducting and analyzing security risk assessments

• Strong knowledge of relevant information security frameworks, including related regulatory compliance requirements, such as ISO 27001 / ISO 27002, SOC 2 Trust Services Criteria, PCI DSS, GDPR, NIST Cyber Security Framework (CSF) / 800-53, CIS Critical Security Controls

• Strong knowledge of audit and risk management methodologies, such as SOX, COBIT, NIST RMF / 800-37 / 800-30, FAIR

• Relevant professional certifications in Information Security or Governance Risk Compliance Management is a plus, such as CISA, CISM, CRISC, CGEIT, CSX-P, CISSP, CCSK 

• Proficient with Atlassian products, G-Suite applications, and GRC tools, such as RSA Archer / ServiceNow / MetricStream

All your information will be kept confidential according to EEO guidelines.

Here’s all the legal good stuff: We are committed to an inclusive and diverse Twitter. Twitter is an equal opportunity employer. We do not discriminate based on race, ethnicity, color, ancestry, national origin, religion, sex, sexual orientation, gender identity, age, disability, veteran, genetic information, marital status, or any other legally protected status.

San Francisco applicants: pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records.

Notice (Colorado Equal Pay for Equal Work Act)
The expected salary range for this role to be performed in Colorado is USD$157,000.00 - USD$220,000.00. Starting pay for the successful applicant will depend on a variety of job-related factors, which may include education, training, experience, location, business needs, or market demands. This range may be modified in the future.

This job is also eligible for participation in Twitter’s Performance Bonus Plan and Equity Incentive Plan subject to the terms of the applicable plans and policies.

Twitter offers a wide range of benefits to U.S.-based employees, including medical, dental, and vision insurance, 401(k) program with employer match, generous time off for vacation, sick time, and parental leave. Twitter's benefits prioritize employee wellness and progressive support to our diverse workforce.