Senior Manager - Security Risk Management (Hybrid)

Who We Are

Join a team that puts its People First! Since 1889, First American (NYSE: FAF) has held an unwavering belief in its people. They are passionate about what they do, and we are equally passionate about fostering an environment where all feel welcome, supported, and empowered to be innovative and reach their full potential. Our inclusive, people-first culture has earned our company numerous accolades, including being named to the Fortune 100 Best Companies to Work For® list for ten consecutive years. We have also earned awards as a best place to work for women, diversity and LGBTQ+ employees, and have been included on more than 50 regional best places to work lists. First American will always strive to be a great place to work, for all. For more information, please visit www.careers.firstam.com.

What We Do

The Senior Manager of Security Risk Management is a key leadership role responsible for developing, maintaining, and maturing the organization’s risk management program. This role oversees Information Security policies and standards, Third‑Party Risk Management, security training and awareness, and contributes directly to enterprise security strategy. The ideal candidate brings strong leadership, deep expertise in risk frameworks, and the ability to drive cross-functional alignment.

Key Responsibilities

Information Security Policies & Standards

• Lead the lifecycle management of enterprise Information Security policies, standards, baselines, and guidelines.
• Ensure alignment with regulatory requirements, industry frameworks (e.g., NIST CSF, ISO 27001), and internal risk posture.
• Partner with business and technology leaders to ensure policies are actionable, effective, and embedded into operational processes.
• Oversee periodic reviews, updates, and governance activities for all security documentation.
  
  

Third‑Party Information Security Risk Management (TPRM)

• Lead the enterprise Information Security–focused TPRM program, ensuring all third parties with access to corporate data, systems, or facilities undergo rigorous security risk assessments.
• Maintain assessment methodologies centered on security controls, including data protection, access management, vulnerability management, encryption practices, incident response maturity, and cloud security posture.
• Oversee due diligence processes, security questionnaires, evidence reviews, attestations (SOC 2, ISO 27001, penetration tests), and follow‑up remediation activities.
• Partner with Procurement, Legal, and business stakeholders to ensure contracts include appropriate security obligations, such as breach notification requirements, minimum security standards, and right‑to‑audit language.
• Monitor ongoing vendor security risk through periodic reassessments, continuous monitoring tools, and threat intelligence related to third‑party ecosystems.
• Deliver metrics and executive‑level reporting on the security posture of third parties, highlighting emerging risks, systemic gaps, and required remediation actions.
  
  

Security Strategy

• Support the development and execution of the long‑term security strategy.
• Partner closely with cross‑functional business teams and IT leadership to ensure security strategy aligns with organizational goals, technology roadmaps, and operational priorities.
• Provide expert insight into risk-based prioritization, investment planning, and roadmap development.
• Monitor regulatory, threat, and technology trends to inform strategic decisions.
• Support management reporting for enterprise executive committees, risk committees, and governance forums.
  
  

Security Training & Awareness

• Oversee the enterprise security awareness program, including phishing simulations, mandatory training, campaigns, and targeted education for high‑risk groups.
• Drive culture change by promoting security-first behaviors and improving security literacy across the organization.
• Measure effectiveness using risk metrics, training performance, and behavior analytics.

Required Qualifications

• 8+ years of experience in Information Security, Risk Management, Compliance, or related fields.
• 3+ years in a leadership role.
• Strong knowledge of security frameworks (NIST, ISO, SOC 2, CIS), risk methodologies, and regulatory requirements.
• Experience leading enterprise policy programs and vendor risk management activities.
• Proven ability to collaborate and influence across all levels of the organization.
• Excellent written and verbal communication skills with the ability to influence stakeholders, present to executives, and simplify complex risk topics
  
  

Preferred Qualifications

• Relevant certifications such as CISSP, CISM, CRISC, or ISO 27001 Lead Implementer/Auditor.
• Experience scaling programs in large, distributed, or highly regulated environments.
• Background in cloud security, business continuity, or enterprise risk management.

What We Offer

By choice, we don’t simply accept individuality – we embrace it, we support it, and we thrive on it! Our People First Culture celebrates diversity, equity and inclusion not simply because it’s the right thing to do, but also because it’s the key to our success. We are proud to foster an authentic and inclusive workplace For All. You are free and encouraged to bring your entire, unique self to work. First American is an equal opportunity employer in every sense of the term.

Based on eligibility, First American offers a comprehensive benefits package including medical, dental, vision, 401k, PTO/paid sick leave and other great benefits like an employee stock purchase plan.

$148,625.00 - $195,000.00 Annually

This hiring range is a reasonable estimate of the base pay range for this position at the time of posting. Pay is based on a number of factors which may include job-related knowledge, skills, experience, business requirements and geographic location.