Staff Security Risk and Compliance Program Manager

Job description

**Location:**
Remote, United States
**Employment Type:**
FullTime
**Location Type:**
Remote
**Department**
Engineering
**Compensation:**
$213.2K – $250.5K • Offers Equity
_At Confluent, we are committed to providing competitive pay and benefits that are in line with industry standards.

We analyze and carefully consider several factors when determining compensation, including work history, education, professional experience, and location.

The actual pay may vary depending on your skills, qualifications, experience, and work location.

In addition, Confluent offers a wide range of employee benefits.

To learn more about our benefits click_ here (https://confluentbenefits.com) _._
**Overview**
We’re not just building better tech.

We’re rewriting how data moves and what the world can do with it.

With Confluent, data doesn’t sit still.

Our platform puts information in motion, streaming in near real-time so companies can react faster, build smarter, and deliver experiences as dynamic as the world around them.
It takes a certain kind of person to join this team.

Those who ask hard questions, give honest feedback, and show up for each other.

No egos, no solo acts.

Just smart, curious humans pushing toward something bigger, together.
One Confluent.

One Team.

One Data Streaming Platform.
**About the Role:**
As the **Staff Security Risk and Compliance Program Manager** in the Trust & Security organization you will play a critical role in fulfilling the vision to secure Confluent’s platform and cloud offerings through a combination of technical expertise, policy governance, security risk management, certification compliance, and excellent program management skills.

In this role, you'll be responsible for overseeing and maturing our risk management programs, including third party risk management, risk operations and reporting.

This is a senior-level position that requires strong leadership, deep expertise in risk and compliance frameworks, and a data-driven approach to risk management.
**What You Will Do:**
**Third-Party Risk Management (TPRM) Leadership:**
+ **Program Ownership** : Develop, implement, and maintain Confluent's risk & compliance program, policies, and procedures.

Act as the primary owner of risk management initiatives, ensuring they are well-defined and executed on time.
+ **Third Party Risk Assessment:** Develop a third party risk management north star, and execute a risk-based approach for onboarding, monitoring, and offboarding third parties.

This includes conducting due diligence, assessing vendor integration risks, and mitigating and reporting on third party risks to stakeholders.
+ **Continuous Monitoring:** Establish and manage a continuous monitoring program to track vendor performance, security posture, and compliance with contractual obligations.
+ **Contract Management:** Partner with legal and procurement to ensure risk-mitigation clauses are integrated into third-party contracts and service level agreements (SLAs).
**Risk Operations & Process Excellence:**
+ **Operationalization:** Translate risk management policies into scalable, repeatable, and efficient operational processes.
+ **Tooling & Automation:** Identify, implement, and manage risk management tools (e.g., GRC platforms) to automate workflows, streamline assessments, and improve data accuracy.
+ **Process Improvement:** Continuously evaluate and optimize risk processes to enhance efficiency, reduce manual effort, and improve the overall user experience for internal stakeholders.
**Risk Metrics & Reporting:**
+ **Key Performance & Risk Indicators:** Define, track, and report on key risk and performance indicators (KRIs/KPIs) to measure the effectiveness of the security and compliance programs.
+ **Executive Reporting:** Prepare and present clear, concise, and data-driven reports to senior leadership and the Board of Directors on the state of security and compliance risks.
+ **Data Analysis:** Conduct trend analysis on risk data to identify emerging risks, areas of concern, and opportunities for proactive mitigation.
+ **Benchmarking:** Stay abreast of industry best practices and regulatory changes to benchmark our program and drive continuous improvement.
**What You Will Bring:**
+ **Experience** : 8+ years of experience in GRC, with a significant portion of that time focused specifically on risk management.
+ **Technical Skills** :
+ Strong understanding of compliance frameworks such as NIST, ISO 27001, SOC, PCI DSS, HITRUST, CSA Star, etc.
+ Strong knowledge of and experience in all facets of integrated security governance, risk, and compliance management.
+ Strong security engineering fundamentals background in infrastructure security controls in GCP, AWS, Azure, and/or web application security
+ **Tooling and automation:** Experience with implementing, operationalizing and maintaining GRC platforms.
+ **Program Management Skills:**
+ Strong project management and organizational skills.
+ Exceptional analytical and problem-solving skills, with a data-driven approach to decision-making.
+ Experience in running long-term, complex security programs that deliver iterative improvements and risk reduction.
+ **Communication and Collaboration skills** : Excellent written and verbal communication skills.

The ability to influence and lead without direct authority.

Detail-oriented with a strong analytical mindset.
+ **Certifications** : Current Security CISSP, CRISC, CISM or equivalent certification completed or currently in progress is a plus
**Ready to build what's next?

Let’s get in motion.**
**Come As You Are**
Belonging isn’t a perk here.

It’s the baseline.

We work across time zones and backgrounds, knowing the best ideas come from different perspectives.

And we make space for everyone to lead, grow, and challenge what’s possible.
We’re proud to be an equal opportunity workplace.

Employment decisions are based on job-related criteria, without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, or any other classification protected by law.

Required Skill Profession

Other General