Security Risk Management Lead
Posted Jun 21

This is a fully remote position, open to applicants in the United States.
• Lead and enhance Affirm's Security Third Party Program, which includes designing, implementing, and continuously improving processes, controls, and operational workflows.
• Develop and sustain automation that replaces manual GRC tasks such as intake, triage, evidence collection, control validation, tracking, escalations, and reporting, using Python, low-code platforms, and agentic coding tools (Cursor, Claude, etc.).
• Create and manage workflow orchestration and integrations across systems, including ticketing, GRC platforms, vendor management tools, identity providers, and cloud control planes.
• Collaborate closely with Procurement, Legal, Engineering, IT, Compliance, Privacy, and business stakeholders to assess and manage security risks associated with third-party relationships.
• Convert ambiguous business and security requirements into practical, scalable program solutions and decision frameworks.
• Identify opportunities for automating manual processes within the program and prototype solutions independently instead of waiting for engineering resources.
• Promote operational excellence in the program by establishing repeatable processes, service-level expectations, metrics, and reporting for third-party security risk management.
• Assess third-party security controls, cloud architectures (AWS/GCP), integration patterns, and risk posture, providing clear recommendations to stakeholders and leadership.
• Conduct lightweight threat modeling on high-risk integrations and collaborate with Security SMEs for deeper analysis.
• Manage and prioritize a portfolio of complex security risk reviews and initiatives simultaneously, balancing business enablement with risk mitigation.
• Work with technical teams to implement or optimize systems and tools that facilitate program automation and workflow orchestration.
• Develop dashboards, reporting mechanisms, and program insights (using SQL, BI tools, or custom tooling) that enhance visibility into risk trends, bottlenecks, and program performance.
• Serve as a trusted advisor and subject matter expert on third-party security risk management, assisting stakeholders in making informed, risk-based decisions.
• Contribute to the broader Security Risk Management strategy by identifying opportunities to scale, simplify, and strengthen security governance processes through engineering.
• A minimum of 5 years of experience in Information Security, Risk Management, Engineering, or related roles.
• Practical experience with agentic coding tools (Cursor, Claude Code, Copilot, etc.) and a working knowledge of Python; you need not be a software engineer, but you should be proficient enough to read, modify, and execute scripts, build automations, and deliver small tools from start to finish.
• Familiarity with cloud environments (AWS, GCP, or Azure) including IAM, logging, common services, and the security risks/controls associated with cloud-deployed third parties and integrations.
• Exceptional written and verbal communication skills.
• Experience in engineering solutions via Python, Claude, Cursor, or other agentic coding tools.
• Knowledge of industry-standard information security and control frameworks (NIST Cybersecurity Framework, ISO 27000 series, SOC 1 and SOC 2 (SSAE 18), PCI DSS, NIST SP 800-53, FFIEC Cybersecurity Assessment Tool, SANS Top 20 (now the CIS Controls), etc.).
• A BA or BS degree in Information Security, Cyber Security, Computer Science, or a related field, or equivalent experience.
• Strong attention to detail and familiarity with security practices and tools.
• Proven ability to drive projects to completion.
• Capability to comprehend and communicate technical issues to non-technical teams.
• Professional certification in Information Security or Risk Management (such as CISSP, CISM, CISA, CRISC, etc.) is advantageous.
• Health care coverage - Affirm pays all premiums for all levels of coverage for you and your dependents.
• Flexible Spending Wallets - generous stipends provided for Technology, Food, various Lifestyle needs, and family planning expenses.
• Time off - competitive vacation and holiday schedules enabling you to take time off to rest and recharge.
• ESPP - An employee stock purchase plan allowing you to acquire shares of Affirm at a discount.