Manager, Security Governance

US - VA - Arlington

Information Technology

Manager, Information Security Risk Management

At Rapid7, we're on a mission to close the security achievement gap for our customers by simplifying the complex through shared visibility, analytics, and automation that unite teams around the challenges and successes of cybersecurity. Our products and services empower more than 9,100 customers in over 120 countries to seamlessly build security into the heart of their organizations.

Rapid7's Trust & Security Governance team functions within the Information Security department and plays a crucial role in supporting the organization's mission. We ensure we meet our duty of care to our customers, employees, and shareholders by creating effective governance for upholding internal security policies, identifying and managing security risk, distributing foundational security expertise across every department to create an exceptional security culture, and bolstering customer and community trust by providing accessible and transparent information about our internal security program. This role partners closely with other InfoSec teams, Legal, Procurement, and many other teams at Rapid7.

We're looking for an Information Security Risk Manager who provides leadership in developing and implementing consistent information security risk management practices and partners closely with stakeholders throughout the organization to drive continued awareness and improvement.


  • Manage and enhance the information security risk management program, including participation in broader enterprise risk management, vulnerability management, and third-party risk management activities
  • Manage and maintain the Trust and Security Governance Integrated Risk Management framework that guides and informs risk-based decisions, including how risk is defined, assessed, responded to, and monitored over time
  • Partner closely with the Information Security Governance Manager to ensure that the information security risk management strategy keeps pace with evolving global standards, guidelines, regulations, and customer expectations
  • Establish security risk management procedures that enable the Trust and Security Governance Integrated Risk Management framework, including third-party risk and vulnerability management activities
  • Enhance and manage the information security risk assessment process against our infrastructure, products, and suppliers
  • Partner with appropriate teams to craft and report the annual security risk assessment
  • Establish key metrics and partner with various stakeholders to ensure appropriate plans are in place to mitigate identified risks and vulnerabilities
  • Provide oversight to ensure information security risk management activities are documented and consistently performed
  • Work with the Security PMO to ensure projects are properly scoped, tracked, communicated, and completed in an effective and efficient manner
  • Manage and develop a team of direct reports


  • Demonstrated experience with security audits, security control assessments, risk assessments, and/or compliance program management
  • Demonstrated experience creating and documenting risk methodologies, maintaining risk registers, performing risk assessments, and driving risk mitigation projects
  • Experience leading or partnering with third party risk and vulnerability management programs
  • Demonstrated experience with security standards and frameworks such as ISO 27001, SOC 2, PCI DSS, FedRAMP, NIST CSF, etc.
  • Experience managing, developing, and growing diverse teams
  • Demonstrated experience with executing program initiatives through a distributed team of analysts
  • Experience developing and driving continuous program improvement
  • Excellent communication skills, including the ability to communicate security and risk-related concepts to technical and nontechnical audiences
  • Excellent time management and prioritization skills with a proven ability to plan, prioritize, and execute projects independently or in coordination with other teams
  • Effective negotiating, critical thinking, and problem-solving skills, including the ability to optimize risk mitigation approaches across diverse business units


  • Knowledge of applicable regulations such as SOX and GDPR
  • Experience working with cyber risk quantification and evaluating emerging cybersecurity threats
  • Experience leading program initiatives in accordance with agile methodologies
  • Experience working with an enterprise GRC solution
  • Experience evaluating and triaging penetration test and vulnerability disclosure reports

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or protected veteran status.