Lead Security Governance and TPRM functions at Affirm, a fintech company. Drive policy frameworks and manage vendor risks to ensure operational maturity.
Responsibilities
Own Security Governance: maintain and evolve security policies, standards, and control frameworks (e.g., NIST CSF, ISO 27001), including mapping to controls and compliance requirements (SOC2, PCI, applicable regulations).
Lead program maturity planning, roadmaps, and cross-functional governance forums (e.g., security steering committee, risk council).
Define and enforce security risk appetite and decision criteria for third-party relationships and integrations.
Lead the Security TPRM function across vendor lifecycle: intake/onboarding, due diligence (IRQ/DDQ/SME reviews), contracting handoffs, ongoing monitoring, periodic reviews, and offboarding.
Ensure robust fourth-party oversight, including subprocessors, and manage remediation/QA cycles driven by Internal Audit and regulators.
Oversee high-risk vendor decisions and escalations; establish clear RACI for partnership contracts and security acceptance criteria.
Own program KPIs, dashboards, and reporting (Jira STPRM Ops, AuditBoard, Sigma/BI, MetricStream). Drive improvements in throughput, turnaround, backlog age, and remediation velocity.
Partner with Automation/TPRM Ops to operationalize threat-modeling outputs, integration inventories, pre-integration gates, and CI/CD checks; prioritize automations that reduce manual work and surface strategic escalations.
Implement and maintain QA processes (quarterly QA), runbooks, SOPs for ticket ownership, and evidence standards.
Build, coach, and scale the Governance and TPRM teams: hiring, performance management, career development, and team morale.
Act as the primary security contact for Legal, Procurement, Privacy, Product, and Engineering on vendor risk and governance matters.
Represent Security in executive forums, audit meetings, and regulatory engagements; own remediation commitments and timelines.
Serve as the security liaison for Internal Audit and external assessments; ensure timely remediation of findings and demonstrable progress.
Produce regular program health reporting for senior leadership and Board-level stakeholders.
Requirements
7+ years in information security, risk management, or GRC roles, with a minimum of 3 years managing teams (or equivalent leadership experience).
Demonstrated ownership of a TPRM program or security governance program in a regulated or high-growth technology environment (fintech preferred).
Strong knowledge of security frameworks (NIST, ISO), compliance standards (SOC2, PCI), and vendor risk processes (IRQ/DDQ/SME assessments).
Hands-on familiarity with TPRM/GRC tooling and observability: AuditBoard (or equivalent), Jira, BI tools (Sigma/Tableau/Looker), and experience with integrations/APIs.
Excellent stakeholder management across legal, procurement, engineering, product, and executive leadership.
Proven experience translating audit findings into operational remediation plans and measurable outcomes.
Strong communication skills — able to present risk to technical and non-technical audiences and to influence decisions.
Certifications such as CISSP, CISM, CRISC, or similar.
Practical experience with threat-modeling approaches and third-party integration security (API, SSO/OAuth/SAML, TLS).
Experience scaling automation for GRC/TPRM programs and integrating security checks into CI/CD pipelines.
Prior experience in fintech or highly regulated industries.
Benefits
Health care coverage - Affirm covers all premiums for all levels of coverage for you and your dependents
Flexible Spending Wallets - generous stipends for spending on Technology, Food, various Lifestyle needs, and family forming expenses
Time off - competitive vacation and holiday schedules allowing you to take time off to rest and recharge
ESPP - An employee stock purchase plan enabling you to buy shares of Affirm at a discount