The IT Security Manager is responsible for leading and supporting information security governance, risk management, compliance, and security assurance activities across the organization. The role works closely with Global IT, Legal, HR, Internal Audit, business stakeholders, and third-party partners to maintain and improve the organization's security program.
This position drives security policy execution, security standards, risk management processes, compliance initiatives, security awareness, audit support, vendor security oversight, and management reporting. The role provides practical guidance to ensure information security risks are identified, assessed, managed, and communicated clearly.
This is not a Security Operations role. The position does not own SOC operations, security engineering, incident response execution, threat detection, endpoint protection, vulnerability management operations, identity platform administration, or security tooling administration unless separately assigned.
Requirements:
5+ years of experience in information security, cybersecurity, risk management, governance, compliance, audit, or a related field.
Strong understanding of information security principles, governance practices, and risk management processes.
Experience coordinating security audits, assessments, findings, and remediation activities.
Experience developing, maintaining, or supporting security policies, standards, procedures, and awareness programs.
Strong written and verbal communication skills.
Demonstrated ability to influence stakeholders across multiple business functions and regions.
Strong analytical, organizational, and problem-solving skills.
Ability to manage multiple priorities and deliver outcomes in a matrixed global environment.
Experience with security frameworks and standards such as ISO 27001, NIST Cybersecurity Framework, SOC 2, CIS Controls, or equivalent.
Experience with third-party security risk management.
Experience working in a global organization.
Professional certification such as CISSP, CISM, CRISC, CGRC, ISO 27001 Lead Implementer, or equivalent.
TECHNICAL AND SOFTWARE SKILLS:
Proficient with Microsoft 365 productivity and collaboration tools, including Teams, Word, Excel, PowerPoint, and SharePoint.
Comfortable with governance, risk, compliance, policy management, reporting, and documentation platforms.
Able to read and interpret business cases, project plans, risk reports, policies, procedures, training materials, and audit documentation.
Able to prepare clear written summaries, management updates, risk narratives, and corrective action plans.
EDUCATION AND EXPERIENCE:
Bachelor's degree in Information Security, Cybersecurity, Information Technology, Risk Management, Business Administration, or a related discipline is preferred.
An equivalent combination of education, professional certification, and relevant experience may be considered.
ESSENTIAL FUNCTIONS
Security Governance
Develop, maintain, and improve information security policies, standards, procedures, and guidelines.
Drive adoption of security governance practices across the organization.
Partner with business and technology stakeholders to ensure security requirements are included in business processes and initiatives.
Provide subject matter expertise on information security governance matters.
Risk Management
Lead the identification, assessment, treatment, monitoring, and reporting of information security risks.
Maintain and support the enterprise security risk register.
Track remediation plans and ensure security risks are managed within approved timelines.
Facilitate recurring security risk assessments across business functions and technology environments.
Compliance and Audit Support
Coordinate internal and external information security assessments and audit activities.
Support security requirements related to contractual, regulatory, customer, and industry obligations.
Manage audit findings, corrective action plans, evidence coordination, and remediation tracking.
Prepare management reports and metrics related to compliance and security program effectiveness.
Security Awareness and Training
Develop and support security awareness and training activities.
Promote practical security behavior across the organization.
Provide guidance to employees, management, and stakeholders on security responsibilities.
Third-Party and Vendor Security
Support third-party security risk management activities.
Perform security reviews of vendors, service providers, and business partners.
Track vendor security risks and coordinate remediation where required.
Security Program Management
Support planning and execution of security initiatives, projects, and strategic objectives.
Measure and report on information security program performance and maturity.
Identify opportunities to improve security governance processes and reduce operational friction.
OUT OF SCOPE:
Security Operations Center management.
Security incident response execution or technical investigation ownership.
Security engineering, architecture, or tool administration.
Endpoint detection and response platform ownership.
Vulnerability scanning operations and patch execution.
Identity and access management platform administration.
Network security operations or firewall administration.
24x7 monitoring, alert triage, or threat hunting responsibilities.