
Manager, Information Security Assurance Services

Thrivent · US

Full-time · Remote · Today

Compliance · HIPAA · Information Security · Leadership · PCI DSS · Risk Management



Benefits

Health insurance

Additional Information

The Manager, Information Security Assurance Services is responsible for leading the design, build, and continuous maturation of the Information Security Assurance Services program. This role requires a proven track record of establishing and scaling information security assurance capabilities, including control frameworks, regulatory compliance and audit readiness, information security awareness, policy governance, third-party risk management, and the Payment Card Industry Data Security Standard (PCI DSS). This leader will oversee a team accountable for executing and evolving assurance processes, with a clear mandate to drive automation, standardization, and operational efficiency across all Assurance Services products and services. The role partners closely with business, technology, and regulatory stakeholders to ensure controls are effectively implemented, measured, and aligned to organizational risk tolerance and regulatory requirements.

The ideal candidate brings demonstrated experience building GRC programs from the ground up and advancing them to a mature, technology-enabled function, leveraging automation, integrated tooling, and data-driven insights to reduce manual effort, improve control effectiveness, and enhance transparency. This role will be responsible for executing the strategic direction, establishing scalable processes, and ensuring the team delivers consistent, high-quality outcomes that strengthen the organization's overall security posture and resilience.

Job Duties and Responsibilities

Program leadership across assurance domains - Lead and continuously mature governance, controls design and testing, audit and regulatory response, security awareness, policy governance, third-party/vendor risk management (TPRM), and the PCI DSS program, with full accountability for adherence to established controls, policies, and regulatory requirements.

Hands-on subject matter expertise - Serve as the team's go-to expert across information security assurance disciplines. Step in as an active contributor on control narratives, audit walkthroughs, regulator engagements, and remediation plans when program needs demand it.

Control framework ownership - Build, maintain, and continuously improve the control framework, ensuring alignment with NYDFS Part 500, the NIST Cybersecurity Framework, CIS Controls, HIPAA, FDIC, PCI DSS v4.x, and other applicable standards. Maintain control libraries, control-to-framework mappings, and a defensible evidence model.

Audit and regulatory response - Direct the end-to-end response to internal audits, external audits, regulatory examinations, and PCI engagements. Personally review high-risk responses, evidence packages, and management responses prior to submission.

PCI DSS program oversight - Provide senior oversight and governance of the PCI DSS v4.x program, including scope validation, strategy, control implementation, ISA coordination, AOC/ROC readiness, and compensating controls, and establish a clear multi-year roadmap to support enterprise goals.

Third-party risk management - Mature the TPRM program, including inherent risk tiering, due-diligence depth of review, contractual security requirements, ongoing monitoring, fourth-party visibility, and concentration risk reporting.

Policy governance - Own enterprise information security policy governance (policies, standards, procedures, guidelines), including a defined lifecycle, exception management, ownership accountability, and an executive committee approval cadence.

Security awareness - Direct the strategy, content, and measurement of the enterprise information security awareness program, including annual training, role-based training, phishing simulations, and Cybersecurity Awareness Month (CSAM) campaigns and activities.

Executive translation and stakeholder partnership - Translate strategic priorities, regulatory expectations, and informal executive conversations into structured roadmaps, OKRs, deliverables, sprint commitments, and team execution plans. Partner with business, technology, and regulatory stakeholders and with third parties to communicate complex issues, drive alignment on contentious topics, and advocate for business-aligned outcomes.

People leadership and talent development - Manage, coach, and develop a multi-disciplinary team of assurance professionals. Set clear expectations, establish accountability, conduct performance management, and build a high-performing, high-trust team.

Continuous improvement and automation - Drive process maturity, automation of evidence collection and control testing, improved reporting routines, reduced manual effort, and effective use and management of GRC/IRM platforms (e.g., ServiceNow IRM) to scale the program and sustain operations.

Metrics and reporting - Define and operationalize KPIs/KRIs across each assurance domain. Deliver board-ready and executive-ready dashboards and narrative reporting that articulate program health and remediation trajectory.

Decision-making and influence - Make and own operational and strateg

