Security Governance, Risk, and Compliance Manager

Security is a core value at Credit Karma. We help millions of people better manage their credit. Safeguarding their sensitive information is critical to our continued success. From the CEO down to each individual engineer, everyone views security as a personal responsibility. Your unique mission leading GRC for Security is to capture and surface risk to technology and business owners in a collaborative and actionable way.

What will you do?

  • Inventory and establish regular intake schedules for all risk data sources, including testing tools, risk assessment processes, and other primary sources of risk information.
  • Develop compelling and clear visualizations of inherent and residual risk data for a diverse set of stakeholders, ranging from board of directors to engineering team leads.
  • Refine the role and processes for information security relative to compliance, IT, and legal in third-party due diligence activities.
  • Review, analyze, and respond to third-party risk surveys, with support of SMEs across InfoSec.
  • Develop risk weightings, classification, and other foundational elements necessary to drive toward reporting risk in dollars and cents.
  • Shape requirements for automating asset inventory tools relative to governance needs.
  • Influence Security peers and leaders across the company to adopt a risk-based mentality toward all day-to-day activities.

What’s great about it?

  • Carrying out two positive missions at the same time: helping people take back control of their credit and helping to keep their personal information safe.
  • Solving security problems at scale in a highly technology-focused team, with a culture of “how to do this safely”, not a culture of “no”.
  • Spending way less time convincing anyone why security is important and way more time talking about how to manage risk effectively - the importance of security is woven into our DNA already!

What do we expect?

  • Minimum 5 years experience as an individual contributor or leader of a GRC program.
  • CISA/CISM highly desirable.
  • Extreme attention to detail and nuance, with a working familiarity with security practices and tools ranging from operations security, information technology, physical security, anti-fraud, and application security.
  • Intimate working knowledge of major governance frameworks including ISO27001, PCI, SSAE16 (SOC2), BSIMM/MSSDL, and SOX.
  • Artful communication skills and organizational savvy, to steer peers and leadership toward solutions that carefully balance business, risk, compliance, and engineering concerns.
  • Eagerness to challenge the status quo, balanced with a reasonable and methodical approach to effecting change.
  • Unwillingness to settle for traditional 9-point scales and two-axis graphs as the GRC metrics endgame.
  • A fun and positive attitude!

Back to top