At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you’re a close but not exact match with the description, we hope you’ll still consider applying. Want to learn more about life at Klaviyo? Visit careers.klaviyo.com to see how we empower creators to own their own destiny.
We’re seeking a highly motivated Senior Manager of Security Risk & Reviews who will help us continue to evolve our Risk function by using engineering principles and data-driven strategies to precisely identify, understand, communicate, and prioritize mitigation of risk. Our Risk function consists of the following programs:
- Internal security risk management (risk assessment, risk governance, risk register management)
- Third-party security risk management (vendor security reviews, partner security reviews)
- Enterprise risk management
- Security metrics (risk reduction/KRIs, control coverage/KCIs, program performance/KPIs)
- Security advisory & consulting (policies/standards requirements definition, RFC reviews)
You’ll partner closely with Engineering, IT, Security, Leadership, and basically every other team at Klaviyo to create a holistic view of risk based on high quality data about our assets, weaknesses, threats, and safeguards (controls). You will lead and support a team of talented Risk practitioners to ensure our risk management practices are transparent, collaborative, evidence-based, and centered around quantitative risk models. Through all of this, you’ll help Klaviyo sustainably create value for our customers and uphold our trust with them.
What you’ll be doing
- Lead, grow, and develop our Risk team, helping your team members with career development, OKR achievement, and being effective partners across Klaviyo
- Partner with our Risk & Trust leadership to plan, oversee, and drive execution of our Risk & Trust projects and operations to ensure timely delivery of high-quality outcomes
- Define and steer the build out of new programs, such as Cyber Risk Quantification and Security Reviews, to more efficiently and effectively drive better risk management outcomes
- Continuously seek out and prioritize opportunities for the Risk team to automate and streamline our processes, reducing manual toil as much as possible
- Drive cross-functional alignment between the CISO organization and partner teams to ensure risk-related priorities are accounted for in quarterly and annual roadmap planning
We’d love to hear from you if you have most of the following:
- Current experience leading, growing, and managing teams, with an intentional focus on fostering diversity and belonging throughout the entire employee lifecycle
- Broad and deep understanding of modern cloud-native web application architectures and related security best practices, especially in the context of AWS
- Experience with cyber risk quantification (CRQ) tools and frameworks (e.g. riskquant, Safe Security, FAIR, etc.)
- Experience with threat modeling, secure design reviews, or other technical security assessment methods
- Experience building and leading internal security risk management and third-party risk management programs, especially with a strong focus on process automation and streamlining
- Experience using business intelligence tools to build and operationalize security metrics that demonstrably improve security outcomes (e.g. Tableau, ThoughtSpot, Mode, AWS QuickSight)
Everyone on our team must have:
- A strong bias toward evidence, logic, math, and reason when communicating risk (instead of fear, uncertainty, and doubt)
- A strong bias toward “guardrails, not gates” and “paved security roads” philosophies (instead of rigid “centralized command-and-control” processes and operating styles)
- Excellent ability to plan, prioritize, and deliver results cross-functionally and in a timely fashion
- Proficiency discussing complex, nuanced topics with technical & non-technical audiences alike, especially software engineers
- Strong alignment with Klaviyo’s core values
Ideally, you may also have any of the following:
- Experience with SQL, building tools with REST APIs, and Python
- Experience in security operations, security engineering, and/or security architecture
- Experience with or knowledge of modern security best practices for Kubernetes and container-based workloads
- Experience implementing industry standard risk management frameworks (NIST RMF, ISO 31000, ISO 27005)
The pay range for this role is listed below. Sales roles are also eligible for variable compensation and hourly non-exempt roles are eligible for overtime in accordance with applicable law. This role is eligible for benefits, including: medical, dental and vision coverage, health savings accounts, flexible spending accounts, 401(k), flexible paid time off and company-paid holidays and a culture of learning that includes a learning allowance and access to a professional coaching service for all employees.
Get to Know Klaviyo
We’re Klaviyo (pronounced clay-vee-oh). We empower creators to own their destiny by making first-party data accessible and actionable like never before. We see limitless potential for the technology we’re developing to nurture personalized experiences in ecommerce and beyond. To reach our goals, we need our own crew of remarkable creators—ambitious and collaborative teammates who stay focused on our north star: delighting our customers. If you’re ready to do the best work of your career, where you’ll be welcomed as your whole self from day one and supported with generous benefits, we hope you’ll join us.
Klaviyo is committed to a policy of equal opportunity and non-discrimination. We do not discriminate on the basis of race, ethnicity, citizenship, national origin, color, religion or religious creed, age, sex (including pregnancy), gender identity, sexual orientation, physical or mental disability, veteran or active military status, marital status, criminal record, genetics, retaliation, sexual harassment or any other characteristic protected by applicable law.
IMPORTANT NOTICE: Our company takes the security and privacy of job applicants very seriously. We will never ask for payment, bank details, or personal financial information as part of the application process. All our legitimate job postings can be found on our official career site. Please be cautious of job offers that come from non-company email addresses (@klaviyo.com), instant messaging platforms, or unsolicited calls.
You can find our Job Applicant Privacy Notice here .