The Manager, Information Security Assurance Services is responsible for leading the design, build, and continuous maturation of the program. This role requires a proven track record of establishing and scaling information security assurance capabilities, including control frameworks, regulatory compliance and audit readiness, information security awareness, policy governance, third-party risk management, and the Payment Card Industry Data Security Standard (PCI DSS).
This leader will oversee a team accountable for executing and evolving assurance processes, with a clear mandate to drive automation and standardization and to gain operational efficiency across all Assurance Services products and services. The role partners closely with business, technology, and regulatory stakeholders to ensure controls are effectively implemented, measured, and aligned to organizational risk tolerance and regulatory requirements.
The ideal candidate brings demonstrated experience building GRC programs from the ground up and advancing them to a mature, technology-enabled function, leveraging automation, integrated tooling, and data-driven insights to reduce manual effort, improve control effectiveness, and enhance transparency. This role will be responsible for executing the strategic direction, establishing scalable processes, and ensuring the team delivers consistent, high-quality outcomes that strengthen the organization’s overall security posture and resilience.
Job Duties and Responsibilities
- Program leadership across assurance domains — Lead and continuously mature governance, controls design and testing, audit and regulatory response, security awareness, policy governance, third-party/vendor risk management (TPRM), and the PCI DSS program, with full accountability for adherence to established controls, policies, and regulatory requirements.
- Hands-on subject matter expertise — Serve as the team's go-to expert across information security assurance disciplines. Step in as an active contributor on control narratives, audit walkthroughs, regulator engagements, and remediation plans when program needs demand it.
- Control framework ownership — Build, maintain, and continuously improve the control framework, ensuring alignment with NYDFS Part 500, NIST Cybersecurity Framework, CIS Controls, HIPAA, FDIC, PCI DSS v4.x, and other applicable standards. Maintain control libraries, control-to-framework mappings, and a defensible evidence model.
- Audit and regulatory response — Direct the end-to-end response to internal audits, external audits, regulatory examinations, and PCI engagements. Personally review high-risk responses, evidence packages, and management responses prior to submission.
- PCI DSS program oversight — Provide senior oversight and governance of the PCI DSS v4.x program, including scope validation, strategy, control implementation, ISA coordination, AOC/ROC readiness, and compensating controls, and establish a clear multi-year roadmap to support enterprise goals.
- Third-party risk management — Mature the TPRM program including inherent risk tiering, due diligence depth-of-review, contractual security requirements, ongoing monitoring, fourth-party visibility, and concentration risk reporting.
- Policy governance — Own the enterprise information security policy governance (policies, standards, procedures, guidelines), including a defined lifecycle, exception management, ownership accountability, and executive committee approval cadence.
- Security awareness — Direct the strategy, content, and measurement of the enterprise information security awareness program, including annual training, role-based training, phishing simulations, and Cybersecurity Awareness Month (CSAM) campaigns and activities.
- Executive translation and stakeholder partnership — Translate strategic priorities, regulatory expectations, and informal executive conversations into structured roadmaps, OKRs, deliverables, sprint commitments, and team execution plans. Partner with business, technology, regulatory stakeholders, and third parties to communicate complex issues, drive alignment on contentious topics, and advocate for business-aligned outcomes.
- People leadership and talent development — Manage, coach, and develop a multi-disciplinary team of assurance professionals. Set clear expectations, establish accountability, conduct performance management, and build a high-performing and high-trust team.
- Continuous improvement and automation — Drive process maturity, automation of evidence collection and control testing, improved reporting routines, reduced manual effort, and effective use and management of GRC/IRM platforms (e.g., ServiceNow IRM) to scale the program and sustain operations.
- Metrics and reporting — Define and operationalize KPIs/KRIs across each assurance domain. Deliver board-ready and executive-ready dashboards and narrative reporting that articulate program health and remediation trajectory.
- Decision-making and influence — Make and own operational and strategic decisions with significant impact to program effectiveness, and guide senior leaders through informed recommendations, best practices, and trade-off discussions.
Required Job Qualifications
Required Experience:
- Minimum 10 years of progressive experience across GRC, information security, technology risk, internal/external audit, controls, cybersecurity assurance, or closely related disciplines.
- Minimum 5 years of direct people leadership experience, including coaching, performance management, workforce planning, and talent development.
- Demonstrated experience operating within or directly supporting PCI DSS environments, including scope definition, control design, testing, remediation, evidence management, and QSA/ISA interaction.
- Strong working knowledge of governance and control frameworks including NYDFS Part 500, NIST Cybersecurity Framework, CIS Controls, and PCI DSS, with the ability to design and defend control rationale to auditors and regulators.
- Demonstrated experience designing, testing, and remediating IT general controls (ITGCs) and application-level controls.
- Proven ability to communicate complex risk and control topics clearly to executive audiences, audit committees, regulators, and cross-functional stakeholders.
- Ability to operate independently under limited direction, prioritize competing demands, and consistently deliver results in ambiguous, fast-moving environments.
- Bachelor's degree in Information Security, Computer Science, Information Systems, related discipline, or equivalent professional experience.
Preferred Experience:
- Experience implementing or operating ServiceNow Integrated Risk Management (IRM) or comparable GRC platforms (e.g., Archer, AuditBoard, OneTrust, MetricStream).
- Experience operating within a Product Operating Model, including roadmap planning, backlog grooming, sprint-based delivery, feature commitment management, and metrics-driven execution.
- Experience in financial services, banking, or other highly regulated industries, including direct interaction with regulators such as state banking authorities, the OCC, FDIC, or NYDFS.
- Industry certifications such as CISSP, CISA, CISM, CRISC, CGEIT, or CIA.
- Demonstrated success improving control automation, continuous control monitoring, assurance testing efficiency, audit-readiness practices, and evidence-as-code approaches.
Other Critical Factors
Skills:
- Strategic ownership — Sets multi-year vision for the assurance portfolio; does not wait for direction to identify gaps or propose roadmaps.
- Executive presence — Comfortable engaging directly with the CISO, CIO, General Counsel, Chief Risk Officer, business unit leaders, audit committee members, and external regulators. Presents findings with confidence and influences decisions without escalation dependence.
- Decision ownership — Makes defensible decisions on control design, risk acceptance recommendations, exception treatment, and resource allocation. Documents rationale and owns outcomes.
- Talent multiplier — Develops individual contributors into the next generation of assurance leaders through structured coaching, stretch assignments, and clear feedback.
- Outcome bias — Holds the team accountable to measurable outcomes (audit results, exemption rates, control coverage, completion velocity), not activity.
- Hands-on when needed — Models the way. Willing to personally write the control narrative, sit through the examiner walkthrough, or draft the board bullet when the situation requires senior-level execution.
Pay Transparency
Thrivent’s long-term growth depends on attracting, rewarding, and retaining people who are committed to helping others thrive with purpose. We accomplish this by offering a wide variety of market-competitive compensation programs to attract, reward, and retain top talent. The applicable salary or hourly wage range for this full-time role is $146,428.00 - $198,108.00 per year, which factors in various geographic regions. The base pay actually offered will be determined by a variety of factors including, but not limited to, location, relevant experience, skills and knowledge, business needs, market demand, and other factors Thrivent deems important.
Thrivent is unique in our commitment to helping people to be wise with money and live balanced and generous lives. That extends to our benefits.
The following benefits may be offered: various bonuses (including, for example, annual or long-term incentives); medical, dental, and vision insurance; health savings account; flexible spending account; 401k; pension; life and accidental death and dismemberment insurance; disability insurance; supplemental protection insurance; 20 days of Paid Time Off each year; Sick and Safe Time; 10 paid company holidays; Volunteer Time Off; paid parental leave; EAP; well-being benefits, and other employee benefits. Eligibility for receipt of these benefits is subject to the applicable plan/policy documents. Thrivent’s plans/policies are subject to change at any time at Thrivent’s discretion.
Thrivent provides Equal Employment Opportunity (EEO) without regard to race, religion, color, sex, gender identity, sexual orientation, pregnancy, national origin, age, disability, marital status, citizenship status, military or veteran status, genetic information, or any other status protected by applicable local, state, or federal law. This policy applies to all employees and job applicants.
Thrivent is committed to providing reasonable accommodation to individuals with disabilities. If you need a reasonable accommodation, please let us know by sending an email to [email protected] or call 800-847-4836 and request Human Resources.
#Remote