Information Security Compliance & Risk Manager

The Manager, Information Security Compliance and Risk is responsible for leading the firm’s Governance, Risk, and Compliance (GRC) program, including regulatory compliance, enterprise risk management, and assurance activities that support client requirements and regulatory obligations.

This role also serves as the primary owner of Information Security AI governance, ensuring that the firm’s use of AI and machine learning technologies aligns with security, privacy, regulatory, and client expectations.

The role manages a team of three Information Security Analysts and owns SOC 2 and ISO 27001 certification programs, while partnering closely with Legal, Compliance, Privacy, IT, and Security Engineering and Operations to ensure effective control design, evidence collection, risk management, and continuous improvement.

Responsibilities:

Governance and Compliance Leadership

• Own and maintain the firm’s information security governance framework, including policies, standards, and procedures.
• Lead annual SOC 2 and ISO 27001 audit cycles, including audit readiness, evidence coordination, and remediation tracking.
• Ensure ongoing compliance with client, regulatory, and contractual information security requirements.
• Manage policy exceptions, risk acceptances, and documentation of compensating controls.

Regulatory Authorization and Assurance

• Lead the renewal and ongoing maintenance of government and client security authorizations, attestations, and approvals required for regulated engagements.
• Coordinate cross-functional evidence collection and control validation to support authorization renewals and periodic reassessments.
• Track authorization requirements, renewal timelines, and control changes to ensure continuous eligibility for regulated work.

AI Security Governance

• Lead the Information Security AI governance program, ensuring secure, responsible, and compliant use of AI technologies across the firm.
• Partner with Legal, Privacy, Compliance, and business stakeholders to define and maintain AI security requirements, risk assessments, and usage standards.
• Establish and maintain security controls for AI-enabled tools, including data handling, access controls, model usage restrictions, and third-party AI risk.
• Support client and regulatory inquiries related to AI security posture and governance practices.
• Track emerging AI-related regulatory and security requirements and assess their impact on firm policies and controls.

Risk Management

• Maintain and mature the enterprise information security risk register.
• Facilitate periodic risk assessments, including risks associated with AI usage, data processing, and third-party technologies.
• Develop and report meaningful risk metrics and dashboards for leadership review.
• Translate technical and operational risks into clear business-impact language.

Third-Party and Emerging Risk Governance

• Oversee third-party security risk management in partnership with Legal.
• Lead structured reviews of vendor security posture, including AI and SaaS providers.
• Track remediation plans and ongoing monitoring of third-party and AI-related risks.

Audit and Assurance Coordination

• Serve as the primary liaison for internal and external audits related to information security.
• Coordinate evidence collection across IT, Security Engineering, Privacy, and business stakeholders.
• Track findings, corrective actions, and continuous improvement initiatives.

Team Leadership

• Directly manage three Information Security Analysts.
• Set priorities, provide mentorship, and support professional development.
• Establish consistent processes, documentation standards, and performance expectations across the GRC function.

Cross-Functional Collaboration

• Partner closely with Security Engineering and Operations to align governance requirements with technical controls.
• Work with Legal, Compliance, Privacy, and Data Science teams on regulatory interpretation and AI governance requirements.
• Support client security inquiries, assessments, and due diligence requests.

Expected Outcomes

• Sustained audit readiness for SOC 2 and ISO 27001 with minimal disruption.
• Clear, measurable visibility into information security and AI-related risk posture.
• Consistent, scalable governance processes supporting firm growth and responsible AI adoption.
• Strong alignment between governance requirements and operational security controls.

Qualifications & Skills

• Bachelor’s degree required; degree in information security, risk management, or a related field preferred.
• 7 to 10 years of experience in information security, GRC, audit, or risk management required.
• Prior experience managing SOC 2 and or ISO 27001 programs required.
• Demonstrated people management or team leadership experience.
• Professional certifications such as CISSP, CISM, CRISC, CGRC, or ISO 27001 Lead Implementer or Auditor.
• Experience with GRC platforms and risk management tooling.
• Experience supporting AI governance, data governance, or emerging technology risk programs.
• Experience supporting client-driven security assessments in a professional services environment.
• An inclusive and growth-oriented mindset, strong interpersonal skills, and an ability to work across differences.
• To the extent permitted by applicable law, eligible candidates must be authorized to work in the United States without sponsorship or restriction, now and in the future.