Manager, Information Security Compliance & Risk

firstPRO, Inc
Boston, MA Full Time
POSTED ON 4/20/2026
AVAILABLE BEFORE 5/20/2026

The Information Security Compliance and Risk Manager is responsible for overseeing and advancing the organization’s Governance, Risk, and Compliance function. This includes managing security compliance initiatives, enterprise risk activities, and assurance efforts that help satisfy client expectations, contractual obligations, and regulatory requirements. This position also leads the firm’s security oversight for artificial intelligence, ensuring AI and machine learning use is aligned with internal security standards, privacy principles, and applicable compliance requirements.
In this role, the manager supervises a team of two Information Security Analysts and is accountable for the firm’s SOC 2 and ISO 27001 programs. The position works in close partnership with Legal, Privacy, Compliance, IT, Security Engineering, and Security Operations to support effective control design, audit preparedness, risk visibility, evidence management, and program maturity.
Primary Areas of Responsibility

Security Governance and Compliance

  • Direct and evolve the information security governance program, including policies, standards, and operational procedures.
  • Oversee recurring SOC 2 and ISO 27001 audit activities, including preparation, evidence coordination, auditor engagement, and remediation follow-through.
  • Maintain alignment with customer, regulatory, and contractual security expectations.
  • Administer risk exceptions, approval of risk acceptances, and supporting documentation for compensating controls.

Authorization and Assurance Support

  • Manage renewal cycles and ongoing maintenance of client and government security authorizations required for regulated work.
  • Coordinate cross-functional collection of evidence and validation of controls for renewals and reassessments.
  • Monitor authorization deadlines, requirement changes, and eligibility needs tied to regulated engagements.

AI Security Oversight

  • Lead the security governance approach for AI across the organization, with a focus on safe, responsible, and compliant adoption.
  • Partner with Legal, Privacy, Compliance, and business stakeholders to define AI-related security requirements, assessment processes, and usage expectations.
  • Establish safeguards for AI-enabled tools, including data protection measures, access management, usage restrictions, and third-party risk controls.
  • Support responses to customer and regulatory questions related to AI security practices.
  • Monitor developing AI regulations and security expectations, and translate them into actionable policy or control updates.

Risk Management

  • Maintain and strengthen the enterprise information security risk register.
  • Lead recurring risk assessments covering AI use, data handling, vendor exposure, and other emerging technology concerns.
  • Produce meaningful metrics, reporting, and dashboards for leadership.
  • Present technical and operational risks in business-relevant terms for decision-makers.

Third-Party and Emerging Technology Risk

  • Oversee third-party security risk activities in coordination with Legal and other stakeholders.
  • Lead structured assessments of vendor security programs, including SaaS and AI-related providers.
  • Track remediation efforts and ongoing monitoring for third-party and emerging risk areas.

Audit Coordination

  • Act as the central point of contact for internal and external information security audits.
  • Organize evidence gathering across technical and business teams.
  • Track findings, corrective action plans, and improvement efforts through completion.

Team Leadership

  • Manage, coach, and support a team of three Information Security Analysts.
  • Set direction, establish priorities, and drive consistency in process execution and documentation standards.
  • Promote professional growth and clear performance expectations across the function.

Cross-Functional Partnership

  • Work closely with Security Engineering and Security Operations to align governance requirements with real-world technical controls.
  • Collaborate with Legal, Privacy, Compliance, IT, and Data Science stakeholders on regulatory interpretation and AI governance matters.
  • Assist with client questionnaires, security reviews, and due diligence requests.

What Success Looks Like

  • Strong audit readiness for SOC 2 and ISO 27001 with limited operational disruption.
  • Clear reporting and visibility into security and AI-related risk exposure.
  • Scalable governance processes that support business growth and responsible technology adoption.
  • Effective alignment between compliance requirements and security operations.

Background and Qualifications

  • Bachelor’s degree required; concentration in information security, risk management, or a related discipline is preferred.
  • Approximately 7–10 years of experience in information security, compliance, audit, or risk-focused roles.
  • Hands-on experience managing SOC 2 and/or ISO 27001 programs.
  • Prior experience leading people or managing teams.
  • Relevant certifications may include CISSP, CISM, CRISC, CGRC, or ISO 27001 Lead Implementer/Auditor.
  • Familiarity with GRC platforms and risk tooling.
  • Exposure to AI governance, data governance, or risk programs tied to emerging technologies.
  • Experience supporting client-facing security assessments, ideally within a professional services environment.
  • Strong communication skills, sound judgment, and the ability to work effectively across teams and stakeholder groups.
  • Candidates must be authorized to work in the United States without current or future sponsorship, where permitted by law.
