Senior Manager Security Risk Engineering

Klaviyo

Job Location:

Boston, MA - USA

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you're a close but not exact match with the description, we hope you'll still consider applying. Want to learn more about life at Klaviyo? Visit us and see how we empower creators to own their own destiny.


About the team:

An exciting opportunity within the Security, Trust and Risk (STAR) team, whose mission is to ensure the safety and security of our customers, partners and Klaviyos, as well as to deliver best-in-class technology solutions, infrastructure and services. This is achieved by providing a robust and secure technology foundation for doing great work. We solve problems using technology, embrace automation and AI, and support Klaviyo's continued scalability and sustainable employee growth in a rapidly evolving environment.

The STAR team assists the Global Security Services (GSS) organization in developing and refining information security policies, standards and strategy; enterprise risk management; creating metrics and reporting; coordinating cross-functional projects; and strategically aligning global information security initiatives with the broader CISO vision, amongst other governance, risk and compliance efforts. The STAR team is highly collaborative and cross-functional, working closely with various functions within the GSS team (namely Security Product and Development, and Security Intelligence Operations), the Global Technology Solutions (GTS) team, and the broader Klaviyo organization.

About the role:

The Senior Manager, Security Risk Engineering is a senior information security and risk leader responsible for evolving risk management at Klaviyo from a traditional cyber-centric, compliance-driven model into a real-time, business-aligned, engineering-led risk intelligence capability. Reporting to the Director of Security, Trust and Risk, you will lead the Security Risk Engineering team as a second line of defense, owning technology risk management, third-party risk, risk quantification, and the risk intelligence and automation capability that turns disparate security signals into a single decision-enabling view of risk.

You will operate as a credible, hands-on risk authority who can challenge and partner with engineering and security teams while maintaining independence from first-line delivery. You will build a team that thinks like risk engineers rather than traditional analysts: automating repeatable assessments, instrumenting controls, and applying AI as foundational infrastructure. You will partner with Engineering, Product, GTS, Legal, Audit, Finance and the wider GSS organization to make risk legible across the business and to move Klaviyo's risk posture measurably forward.

How you'll have an impact:

  • Lead the transition of risk management from a cyber-centric model to an enterprise-wide framework, expanding scope beyond cybersecurity to operational, financial, regulatory and third-party risk, with integrated remediation tracking and clear ownership of outcomes
  • Own the risk register and taxonomy, establishing a consistent standard (threat actor, technique, scenario, safeguard, loss event, quantification) so that aggregation, prioritisation and reporting become meaningful
  • Quantify risk in financial terms (expected loss, probability, and cost of remediation versus acceptance) so leadership can make rational investment and risk-acceptance decisions rather than relying on qualitative severity labels
  • Set and continuously refine the risk cadence: weekly risk huddles with business functions, monthly risk reviews, and a quarterly Enterprise Risk Committee, connecting day-to-day execution to GSS and Klaviyo-level objectives
  • Build the risk intelligence and automation capability, partnering closely with the team's risk intelligence lead, whose remit is risk intelligence and building automations using AI to surface a continuously updated, quantified view of risk posture drawn from the live security tool estate (vulnerability, endpoint, third-party, data movement and cyber risk quantification sources)
  • Drive the risk scoring programme: integrate third-party risk, application inventory and cyber risk quantification platforms so that applications and vendors carry a composite, evidence-based risk score that drives tiered, automated decision-making
  • Unlock third-party risk automation through a tiered vendor model, fast-tracking low-risk vendors while ensuring high-risk vendors receive deep due diligence, business reviews and continuous monitoring
  • Evaluate and govern risks associated with AI/ML deployments, LLM integrations and cloud data pipelines, embedding AI risk assessment into the internal and third-party risk programs
  • Operate as a second line of defense, providing independent oversight, challenge and guidance to first-line teams, applying consistent risk taxonomies and reporting standards, and escalating risks that exceed established tolerance
  • Act as custodian of the relevant security risk policies and standards, owning the review and update cycle and ensuring each policy connects to a specific risk it reduces
  • Partner with Legal and Internal Audit on regulatory horizon scanning and on audit findings affecting systems and processes, tracking findings through to closure
  • Maintain authoritative risk materials for GSS leadership, monthly KPI updates and quarterly Board contributions: accurate, succinct and decision-ready, translating high-severity findings into clear business impact
  • Lead, mentor and grow the team, developing risk engineers and specialists and building a culture of adversarial thinking, business empathy and technical rigour
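The bullets above on quantifying risk financially (expected loss, remediation cost versus acceptance, escalation above tolerance) and on composite vendor scoring with tiered decisions describe a calculation rather than a policy, so here is a worked example of both. It is an added illustration for this page, not Klaviyo's code, taxonomy or scoring model: every scenario, vendor, probability, loss figure, weight and tier threshold is constructed for the example, and the taxonomy field names simply follow the list in the posting.

```python
"""Illustrative risk quantification and tiered vendor scoring.

Added example, not Klaviyo code. All figures, weights and thresholds are
hypothetical; the register fields mirror the taxonomy named in the posting.
"""
from dataclasses import dataclass
from typing import Dict, List

# Annual expected loss above which a risk exceeds tolerance and must be
# escalated rather than quietly accepted (hypothetical figure, USD).
RISK_TOLERANCE_USD = 500_000.0


@dataclass(frozen=True)
class RiskScenario:
    scenario: str
    threat_actor: str
    technique: str
    safeguard: str
    loss_event: str
    annual_probability: float    # P(loss event in a year), current state
    loss_if_occurs: float        # single-event loss magnitude, USD
    remediation_cost: float      # one-off cost of the proposed safeguard, USD
    residual_probability: float  # annual probability once safeguard is live

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.loss_if_occurs

    def residual_expected_loss(self) -> float:
        return self.residual_probability * self.loss_if_occurs


def remediation_decision(s: RiskScenario, horizon_years: int = 3) -> Dict[str, object]:
    """Price remediation against acceptance over a planning horizon.

    net_benefit > 0 means the safeguard pays for itself in avoided expected
    loss within the horizon. A scenario whose current expected loss exceeds
    RISK_TOLERANCE_USD is flagged for escalation regardless of the economics.
    """
    avoided = (s.expected_annual_loss() - s.residual_expected_loss()) * horizon_years
    net_benefit = avoided - s.remediation_cost
    if s.expected_annual_loss() > RISK_TOLERANCE_USD:
        action = "escalate"
    elif net_benefit > 0:
        action = "remediate"
    else:
        action = "accept"
    return {"scenario": s.scenario, "expected_annual_loss": s.expected_annual_loss(),
            "net_benefit": round(net_benefit, 2), "action": action}


def prioritised_register(register: List[RiskScenario]) -> List[Dict[str, object]]:
    """Aggregate the register into one view, largest expected loss first."""
    rows = [remediation_decision(s) for s in register]
    return sorted(rows, key=lambda r: r["expected_annual_loss"], reverse=True)


@dataclass(frozen=True)
class VendorEvidence:
    # Signals a third-party risk platform and application inventory might
    # supply; the fields and ordinal scales are assumptions for the example.
    vendor: str
    data_sensitivity: int        # 0..3, highest classification handled
    access_level: int            # 0..3: none, read, write, privileged
    open_critical_findings: int  # unresolved critical assessment findings
    attestation_current: bool    # e.g. an audit report issued in the last year


def composite_vendor_score(v: VendorEvidence) -> float:
    """Weighted 0..100 evidence score; the weights (35/25/25/15) are hypothetical."""
    score = (v.data_sensitivity / 3) * 35
    score += (v.access_level / 3) * 25
    score += (min(v.open_critical_findings, 5) / 5) * 25
    score += 0 if v.attestation_current else 15
    return round(score, 1)


def vendor_tier(score: float) -> str:
    """Map a score to a review track; thresholds are hypothetical."""
    if score >= 70:
        return "tier-1: deep due diligence, business review, continuous monitoring"
    if score >= 40:
        return "tier-2: standard assessment"
    return "tier-3: fast-track"


# Constructed sample data (not real scenarios or vendors).
SAMPLE_REGISTER = [
    RiskScenario("cred-stuffing", "opportunistic criminal", "credential stuffing",
                 "phishing-resistant MFA", "account takeover", 0.40, 250_000, 60_000, 0.05),
    RiskScenario("lost-laptop", "none (accidental)", "device loss",
                 "full-disk encryption rollout", "data exposure", 0.20, 20_000, 50_000, 0.02),
    RiskScenario("ransomware", "ransomware affiliate", "initial access via VPN",
                 "segmentation and tested restores", "outage", 0.15, 5_000_000, 400_000, 0.03),
]
SAMPLE_VENDORS = [
    VendorEvidence("payment-processor", 3, 3, 2, True),
    VendorEvidence("analytics-saas", 2, 1, 1, False),
    VendorEvidence("office-snacks", 0, 0, 0, False),
]

if __name__ == "__main__":
    for row in prioritised_register(SAMPLE_REGISTER):
        print(row)
    for v in SAMPLE_VENDORS:
        print(v.vendor, composite_vendor_score(v), vendor_tier(composite_vendor_score(v)))
```

The point of the register view is that "accept" and "remediate" fall out of the same numbers leadership already budgets in, and that breaching tolerance overrides the cost comparison rather than being hidden by it; the vendor score separates the evidence (sensitivity, access, findings, attestation) from the routing decision so the thresholds can be tuned without re-collecting data.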

Who you are:

  • 10 years of experience in information security, cybersecurity, technology risk or operational risk within a large, complex or high-growth organization, with demonstrable depth of information security expertise and a track record of operating at a senior level
  • Proven experience operating in or alongside a second line of defense function within a Three (or Four) Lines of Defense model, able to engage credibly with senior engineers, architects and security teams while maintaining independence from first-line delivery ownership
  • Demonstrated leadership of a risk or security team, with a track record of mentoring and developing people and the ability to manage conflicting priorities and multiple concurrent initiatives
  • Strong command of risk quantification, able to express risk in financial and business terms rather than only qualitative severity ratings, and of enterprise risk management beyond cybersecurity alone
  • Working knowledge of security frameworks (NIST, ISO 27001, SOC 2, ISO 42001, PCI DSS, CIS Controls) and how they translate into credible control requirements and delivery plans
  • Hands-on familiarity with modern risk and security tooling (third-party risk platforms, cyber risk quantification, vulnerability management, endpoint and data-security telemetry), with a clear point of view on where AI augments versus replaces human judgement
  • Experience building and tracking security KPIs and metrics to measure success and drive continuous improvement
  • A strong communicator and problem-solver who balances persuasion with active listening, with exceptional stakeholder management skills to engage engineering leaders and executives and translate complex technical risk into clear business impact

Nice to have:

  • Experience leading an evolution from a traditional GRC / compliance model toward an automated, engineering-led or AI-enabled risk capability
  • Experience in a regulated or high-trust environment (e.g. SOC 2, ISO 27001, ISO 42001, HIPAA, GDPR) and familiarity with the regulatory expectations affecting technology and cybersecurity risk
  • Exposure to AI governance, model risk or responsible-AI program work
  • Familiarity with operational resilience and third-party risk beyond cybersecurity alone
  • Experience with Python, SQL and REST APIs to build automated data ingestion pipelines, query security telemetry and programmatically orchestrate risk reporting
  • Hands-on experience in SecOps, AppSec or Security Architecture, with a focus on threat modeling, Zero Trust architecture and data governance
  • Experience working with security and risk tooling in cloud infrastructure, hosting and platform contexts
  • Relevant professional certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), or ISO 27001 Lead Auditor / Lead Implementer

Required Experience:

Senior Manager


About Company


Klaviyo unifies AI-powered email marketing and SMS to drive growth, retention, and measurable results. Build personalized, omnichannel experiences across WhatsApp, ecommerce, and more with K:AI Agents.
