Senior Manager, IT Cybersecurity & Compliance
Position Title: Senior Manager, IT Cybersecurity & Compliance
Department: Information Technology
Reports To: Senior Director, IT Infrastructure
Location: South San Francisco, CA (preferred) or Princeton, NJ – On-site 4 days per week (Mon to Thurs)
Job Overview
We are seeking a Senior Manager, IT Cybersecurity and Compliance to manage and strengthen our information security, privacy, and IT compliance programs. Reporting to the Senior Director, IT Infrastructure, this role manages the day-to-day security risk management process, runs security awareness and training, and helps ensure compliance with applicable regulations and internal policies (including SOX, GDPR, and GxP). The Senior Manager serves as a primary IT point of contact for audits and assessments, maintains IT security policies and standards, oversees vulnerability management and vendor security reviews, and prepares evidence and attestations for IT General Controls (ITGCs) and related governance processes.
Key Responsibilities
- Security governance and program leadership: Help define and execute the IT security and compliance roadmap and operating processes; maintain metrics, reporting, and continuous improvement activities.
- Security policies and standards: Maintain and obtain approvals for IT security policies, standards, and procedures (e.g., vulnerability management, patching, configuration baselines, identity and access management, encryption, logging/monitoring, secure remote access, incident response, and third-party risk management), and recommend updates as needed.
- Vendor and third-party security assessments: Conduct security due diligence and ongoing monitoring for vendors (SaaS, cloud, MSPs, consultants, and critical suppliers), including risk tiering, questionnaires, evidence review (e.g., SOC 1/2, ISO 27001), remediation tracking, and security addendum requirements in partnership with Legal and Procurement.
- Security awareness and training: Run user security training and awareness programs (onboarding, annual training, targeted campaigns, phishing simulations, role-based training), and measure effectiveness through reporting and follow-up actions.
- SOX compliance (ITGC): Support and maintain IT General Controls in scope for SOX (access controls, change management, computer operations, system development where applicable). Provide timely evidence, coordinate walkthroughs, respond to auditor requests, and execute remediation and management action plans.
- Privacy and regulatory compliance: Partner with Privacy/Legal to support GDPR and other applicable privacy requirements, including security controls, data protection impact inputs, and vendor processing/security reviews.
- GxP/regulated environment compliance: Help ensure IT controls and practices support GxP expectations (e.g., validated systems, data integrity/ALCOA+ principles, audit trails, controlled access, change control, backup/restore, and incident handling) in partnership with Quality.
- Identity, access, and permissions governance: Operate access governance processes (role design, least privilege, segregation of duties, periodic access reviews). Provide ITGC-related attestations for appropriate roles and permissions, including evidence of approvals and review completion.
- Risk management: Maintain the IT security risk register; perform periodic risk assessments, threat modeling (as appropriate), and control gap analyses; escalate risks and recommendations to leadership.
- Vulnerability management: Manage the vulnerability management program including scanning, prioritization, remediation SLAs, exception handling, and reporting; partner with Infrastructure, Application owners, and vendors to drive timely remediation.
- Incident response and investigations: Coordinate IT security incident response activities, including triage, containment, forensics coordination, communications support, and post-incident reviews; maintain tabletop exercises and runbooks.
- Audit and assessment management: Serve as a primary IT contact for internal/external audits and customer security assessments; coordinate evidence collection across IT teams; ensure findings are documented, tracked, and resolved.
- Security architecture and project reviews: Review new systems, integrations, and changes for security and compliance requirements; provide secure-by-design guidance for cloud, endpoints, networks, and applications.
- Data protection: Support data classification, retention/security control alignment, encryption and key management practices (in partnership with platform teams), and secure data handling requirements.
- Business continuity and disaster recovery: Support IT aspects of BCP/DR planning, testing, and documentation; ensure controls align with audit/regulatory expectations.
- Collaboration and stakeholder management: Partner with Finance, Quality, Legal/Privacy, HR, Procurement, and business leaders to operationalize controls and meet compliance objectives; communicate security requirements in practical, business-aligned terms.
Required Qualifications
- Bachelor’s degree in Information Security, Information Systems, Computer Science, or equivalent practical experience.
- 7+ years of progressive experience in IT, information security, risk management, and/or IT compliance, including experience leading projects, programs, or small teams.
- Demonstrated experience supporting SOX IT General Controls, including evidence collection, walkthroughs, and remediation of findings.
- Working knowledge of GDPR security requirements and privacy-supporting controls.
- Experience operating in regulated environments and supporting GxP expectations (e.g., pharma/biotech, medical devices, clinical, manufacturing, or quality-regulated systems).
- Hands-on experience with third-party/vendor security assessments, including SOC report review and risk-based remediation tracking.
- Experience designing and delivering security awareness and training programs for end users and administrators.
- Strong understanding of core security domains: IAM, endpoint security, network security, cloud security, vulnerability management, logging/monitoring, and incident response.
- Excellent written communication skills, including ability to draft clear policies, standards, and procedures.
Preferred Qualifications
- Relevant certifications such as CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor, or similar.
- Experience with security and compliance frameworks such as NIST CSF, NIST 800-53, ISO 27001, SOC 2, and/or COBIT.
- Experience with cloud platforms (e.g., AWS, Azure, GCP) and SaaS security controls.
- Experience with GRC tooling (risk registers, control libraries, evidence management, vendor risk platforms).
- Experience supporting customer security questionnaires and audits.
- Experience building and scaling security programs in high-growth organizations.
Key Competencies
- Ability to translate regulatory and security requirements into practical, scalable processes.
- Strong project/program management and prioritization skills; comfortable operating with ambiguity.
- Strong communication skills and the ability to present risk, tradeoffs, and remediation plans to leadership and stakeholders.
- High integrity and sound judgment when handling sensitive information.
- Collaborative approach with the ability to influence without authority across IT and business stakeholders.
- Detail-oriented approach to controls, evidence, and documentation while maintaining a risk-based mindset.
Exact compensation may vary based on skills, experience, and location.