Senior Manager, Technology Risk & Compliance
Date: Dec 24, 2025
Location: New York, NY
Company: Chobani
Summary
The Senior Manager, Technology Risk & Compliance is a critical position within Chobani’s Cyber Security team, and has technology governance, risk, and compliance responsibilities across the organization globally. This position is responsible for managing Chobani’s Technology Compliance program to raise the overall security and compliance posture and reduce risk levels for Chobani. This individual will be directly responsible for implementing, maintaining, and improving policies, procedures, and internal controls to assure compliance with applicable regulatory and legal requirements as well as best practices. The Senior Manager, Technology Risk & Compliance will drive risk analysis, design controls, and implement industry best practices across the organization. In addition to driving continuous improvement in this space, the Senior Manager will lead day-to-day operations in the areas of cyber security policy, technology risk management, data protection, and compliance with standards and regulations such as ISO, NIST, CCPA, SOX, and PCI.
Responsibilities
• Maintains Chobani Information Security policies, procedures, and standards and regularly evaluates compliance with an emphasis on continuous improvement
• Leads the management of and enhancements to Chobani’s suite of GRC tools, including: SAP GRC Access Control and Process Control, OneTrust, and Workiva
• Responsible for implementing and maintaining internal controls to assure compliance with applicable regulatory, contractual, and legal requirements as well as good business practices
• Accountable for bridging gaps between IT controls and business controls, including designing, implementing, and maintaining ITGCs and automated business controls
• Operationalizes various cyber security governance functions, such as enterprise security risk management, compliance management, and policy management
• Collaborates with business and technology counterparts to understand business objectives and initiatives and ensure alignment with cyber security policies and best practices
• Develops and maintains meaningful cyber security risk and compliance metrics and provides periodic updates to management
• Acts as liaison between technology team and internal/external audit partners
• Leads ongoing technology risk assessment programs and processes, and tracks mitigation efforts
• Manages and facilitates assigned projects and program components to deliver services in accordance with established objectives and requirements in a timely and responsive manner
• Other duties as assigned by management
Requirements
- Bachelor’s degree in Information Systems, Information Security, or other related discipline
- Minimum of 8 years of experience in Information Security, Technology Risk Management, IT Audit, or IT Compliance functions
- Three (or more) years of IT Audit experience with a Big 4 firm is preferred
- Risk and compliance experience with SAP S/4 HANA is a must
- Candidates should have a foundational understanding of basic security role/authorization concepts in SAP, and be able to explain security design to business leaders in a non-technical manner.
- Understanding and ability to maintain configurations within SAP GRC Access Control (including access request management, user access review, and segregation of duties workflows) and Process Control (including continuous control monitoring & manual control performance functionality)
- Experience working in information security governance, with a broad understanding of a range of enterprise IT architectures (e.g., web applications, databases, operating systems, server infrastructure, mobile devices, and networking technologies)
- Understanding of security functions including: secure change management, secure SDLC, software/application security, identity and access management, supplier security risk management, patch and vulnerability management and security controls testing and validation
- Ability to manage and continuously improve IT controls for compliance with relevant industry regulations and standards (including ISO 27001, NIST, CCPA, PCI, and Sarbanes-Oxley)
- Proven experience in the assessment of internal controls and communicating findings and recommendations to others clearly and accurately in non-technical terms is required
- Experience performing and managing security risk assessments against information security policies, standards, or frameworks
- Ability to translate technical information security risk findings and articulate them in business terms to non-technical stakeholders
- Knowledge of and experience applying one (or more) of the following security and compliance frameworks: ISO 27001, PCI, NIST, COBIT, and Sarbanes-Oxley
- At least one of the following industry certifications is preferred:
  - Certified Information Systems Auditor (CISA)
  - Certified Information Security Manager (CISM)
  - Certified Information Systems Security Professional (CISSP)
- Superior writing and editing skills with the ability to construct well-founded, clear, and concise analyses and recommendations
- Experience managing complex programs and projects
- Ability to resolve ambiguity and take decisive action
- Be willing to travel at least 25%
We offer a comprehensive benefits package, including medical, dental, vision coverage, 401K match, short- and long-term disability coverage, health savings accounts, flexible spending accounts, and tuition reimbursement. We are also proud to offer specialized benefits like health care navigation, mental health services, fertility assistance, and paid parental leave as well as 120 hours of PTO and 11 Holidays each year.
Compensation Range: $147,000.00 - $221,000.00, plus bonus.
Nearest Major Market: Manhattan
Nearest Secondary Market: New York City