Security Risk Management Lead

Job Overview

Eligibility / Qualification Required:

What You'll Do

• Lead and mature Affirm's Security Third Party Program, including the design, implementation, and continuous improvement of processes, controls, and operational workflows
• Build and maintain automation that replaces manual GRC tasks: intake, triage, evidence collection, control validation, tracking, escalations, and reporting, using either Python, low code platforms, and agentic coding tools (Cursor, Claude, etc.)
• Design and operate workflow orchestration and integrations across systems like ticketing, GRC platforms, vendor management tools, identity providers, and cloud control planes
• Partner closely with Procurement, Legal, Engineering, IT, Compliance, Privacy, and business stakeholders to assess and manage security risk across third party relationships
• Translate ambiguous business and security requirements into practical, scalable program solutions and decision frameworks
• Identify opportunities to automate manual processes across the program and prototype solutions yourself rather than waiting on an engineering backlog
• Drive program operational excellence by establishing repeatable processes, service-level expectations, metrics, and reporting for third party security risk management
• Evaluate third party security controls, cloud architectures (AWS/GCP), integration patterns, and risk posture, and provide clear recommendations to stakeholders and leadership
• Conduct light threat models on high risk integrations and partner with Security SMEs for deeper diligence
• Manage and prioritize a portfolio of complex security risk reviews and initiatives simultaneously, balancing business enablement with risk reduction
• Partner with technical teams to implement or optimize systems and tools that support program automation and workflow orchestration
• Develop dashboards, reporting mechanisms, and program insights (SQL, BI tools, or custom tooling) that improve visibility into risk trends, bottlenecks, and program performance
• Act as a trusted advisor and SME on third party security risk management, helping stakeholders make informed, risk based decisions
• Contribute to the broader Security Risk Management strategy by identifying opportunities to scale, simplify, and strengthen security governance processes through engineering

• 5+ years of experience in Information Security, Risk Management, Engineering and/or relevant roles
• Hands-on experience using agentic coding tools (Cursor, Claude Code, Copilot, etc.) and a working knowledge of Python; you don't need to be a software engineer, but you should be fluent enough to read, modify, and run scripts, build automations, and ship small tools end-to-end
• Familiarity with cloud environments (AWS, GCP, or Azure) — IAM, logging, common services, and the security risks/controls that apply to cloud-deployed third parties and integrations
• Excellent written and verbal communications skills
• Experience engineering solutions via Python, Claude, Cursor or other agentic coding tooling
• Experience with industry based information security & control frameworks (NIST Cyber Security Framework, ISO 2700x, SOC1&2(SSAE18), PCI DSS, NIST-800-53, FFIEC Cybersecurity Assessment Tool, SANS Top 20, etc.)
• BA or BS degree in Information Security, Cyber Security, Computer Science or related field or commensurate experience
• Attention to detail and experience with security practices and security tooling
• Demonstrated ability to drive projects towards completion
• Ability to understand and communicate technical issues to non-technical teams
• Professional certification in Information Security or Risk Management (such as CISSP, CISM, CISA, CRISC, etc.) is a plus

• Health care coverage - Affirm covers all premiums for all levels of coverage for you and your dependents 
• Flexible Spending Wallets - generous stipends for spending on Technology, Food, various Lifestyle needs, and family forming expenses
• Time off - competitive vacation and holiday schedules allowing you to take time off to rest and recharge
• ESPP - An employee stock purchase plan enabling you to buy shares of Affirm at a discount

How to Apply: