Senior Manager – Infosec – GRC
| Company | Palo Alto Networks |
|---|---|
| Location | Santa Clara, CA, USA |
| Salary | Not provided |
| Type | Full-Time |
| Degrees | Bachelor’s |
| Experience Level | Expert or higher |
Requirements
- 10+ years of progressive Governance, Risk & Compliance experience in technology or regulated industries, with at least 3–5 years in a leadership role
- Bachelor’s degree in Computer Science, Information Security or related field
- Proven track record building and scaling enterprise GRC frameworks (ISO 27001, NIST CSF, SOC 2, FedRAMP) end to end
- Exposure to emerging AI regulations and guidelines (EU AI Act, FTC AI principles, NYDFS AI guidance) and embedding those requirements into vendor risk questionnaires and policies
- Hands-on experience running third‑party risk management programs – vendor assessments, contract clauses, remediation tracking and embedding customer‑trust controls
- Hands-on experience evaluating cloud service providers (e.g. AWS, Azure, GCP) against shared‑responsibility models, CSPM findings, and secure configuration frameworks (CIS, NIST)
- Hands‑on experience evaluating AI‑related risks from third parties
- Solid understanding of application, endpoint, and infrastructure security controls to validate control design and drive mitigation of identified gaps
- Extensive expertise with GRC and automation platforms (OneTrust, RSA Archer, MetricStream, etc.), coupled with the ability to translate risk data into executive‑grade dashboards and meaningful KRIs/KPIs
- Strong curiosity about AI tools and the latest generative AI trends, with a willingness to explore emerging technologies and apply them creatively to solve real-world problems
- Demonstrated ability to partner with Legal, Procurement, IT, Privacy, Product, and Engineering to integrate security policies and standards into business processes
- Strong leadership skills: coaching and growing GRC analysts and engineers, setting clear objectives, and fostering cross‑functional collaboration
- Excellent communication skills: ability to articulate complex risk and compliance requirements to both technical teams and senior executives
- Experience operating in Agile environments, driving iterative improvements in GRC tooling, workflows, and reporting
Responsibilities
- Establish and implement the organization’s Governance, Risk, and Compliance (GRC) framework, focusing on third-party risk management, customer trust, and the development of policies and standards across application, endpoint, and infrastructure security domains
- Oversee the complete third-party risk management process: onboarding new vendors, conducting risk assessments, prioritizing remediation efforts, and validating mitigation prior to operational deployment
- Oversee the complete customer trust process: leading customer audits, completing customer security questionnaires, maintaining standardized Information Security documentation, and prioritizing remediation of audit findings
- Define and monitor key risk and compliance indicators (KRIs/KPIs) for vendor performance, customer assurance, and policy adherence to evaluate program effectiveness and ensure accountability
- Provide actionable intelligence on vendor and customer-facing security posture, ensuring Service Level Agreements (SLAs) for remediation are met, reducing control deficiencies, and reinforcing trust commitments
- Collaborate with business stakeholders to incorporate Third-Party Risk Management (TPRM) and Customer Trust requirements into contracts, SLAs, and strategic initiatives, such as new partnerships and product integrations
- Manage, mentor, and develop a high-performing team of GRC analysts and engineers; establish clear objectives, performance benchmarks, and professional development plans
- Serve as a trusted thought leader, presenting third-party risk trends, customer trust metrics, and recommendations for policies and standards to senior management and the board of directors
- Advise executive leadership on security risks related to vendors, customer trust obligations, and options for policy treatment to facilitate informed decision-making and maintain stakeholder confidence
- Contribute to other GRC and InfoSec programs as needed
Preferred Qualifications
- Professional certifications a plus: CISSP, CISM, CRISC, or relevant cloud security credentials (AWS, Azure, GCP)