Jobs · Information Technology · Massachusetts

Senior Manager - Security Risk Engineering

Klaviyo · Boston, MA · 6 days ago
Information Technology$180k–$270k/yrFull-time

About the role

The Senior Manager, Security Risk Engineering is a senior information security and risk leader responsible for evolving risk management at Klaviyo from a traditional, cyber-centric, compliance-driven model into a real-time, business-aligned, engineering-led risk intelligence capability. Reporting into the Director of Security Trust and Risk, you will lead the Security Risk Engineering team as a second line of defense — owning technology risk management, third-party risk, risk quantification, and the risk intelligence and automation capability that turns disparate security signals into a single, decision-enabling view of risk.

Responsibilities

  • Lead the transition of risk management from a cyber-centric model to an enterprise-wide framework — expanding scope beyond cybersecurity to operational, financial, regulatory, and third-party risk, with integrated remediation tracking and clear ownership of outcomes
  • Own the risk register and taxonomy, establishing a consistent standard (threat actor, technique, scenario, safeguard, loss event, quantification) so that aggregation, prioritization, and reporting become meaningful
  • Quantify risk in financial terms — expected loss, probability, and cost of remediation versus acceptance — so leadership can make rational investment and risk-acceptance decisions rather than relying on qualitative severity labels
  • Set and continuously refine the risk cadence: weekly risk huddles with business functions, monthly risk reviews, and a quarterly Enterprise Risk Committee, connecting day-to-day execution to GSS and Klaviyo-level objectives
  • Build the risk intelligence and automation capability — partnering closely with the team's risk intelligence lead, whose remit is risk intelligence and building automations using AI — to surface a continuously updated, quantified view of risk posture drawn from the live security tool estate (vulnerability, endpoint, third-party, data movement, and cyber risk quantification sources)
  • Partner with Engineering, Product, GTS, Legal, Audit, Finance, and the wider GSS organization to make risk legible across the business and to move Klaviyo's risk posture measurably forward

Requirements

10+ years of experience in information security, cybersecurity, technology risk, or operational risk within a large, complex, or high-growth organization, with demonstrable depth of information security expertise and a track record of operating at a senior level

Proven experience operating in or alongside a second line of defense function within a Three (or Four) Lines of Defense model, able to engage credibly with senior engineers, architects, and security teams while maintaining independence from first-line delivery ownership

Demonstrated leadership of a risk or security team, with a track record of mentoring and developing people, and the ability to manage conflicting priorities and multiple concurrent initiatives

Strong command of risk quantification — able to express risk in financial and business terms, not just qualitative severity ratings — and of enterprise risk management beyond cybersecurity alone

Working knowledge of security frameworks — NIST, ISO 27001, SOC 2, ISO 42001, PCI DSS, CIS Controls — and how they translate into credible control requirements and delivery plans

Hands-on familiarity with modern risk and security tooling: third-party risk platforms, cyber risk quantification, vulnerability management, endpoint, and data-security telemetry, with a clear point of view on where AI augments versus replaces human judgement

Experience building and tracking security KPIs and metrics to measure success and drive continuous improvement

A strong communicator and problem-solver who balances persuasion with active listening, with exceptional stakeholder management skills to engage engineering leaders and executives and translate complex, technical risk into clear business impact

Qualifications

Experience leading an evolution from a traditional GRC / compliance model toward an automated, engineering-led, or AI-enabled risk capability

Experience in a regulated or high-trust environment (e.g. SOC 2, ISO 27001, ISO 42001, HIPAA, GDPR) and familiarity with the regulatory expectations affecting technology and cybersecurity risk

Exposure to AI governance, model risk, or responsible-AI program work

Familiarity with operational resilience and third-party risk beyond cybersecurity alone

Experience with Python, SQL, and REST APIs to build automated data ingestion pipelines, query security telemetry, and programmatically orchestrate risk reporting

Experience working with security and risk tooling in cloud infrastructure, hosting, and platform contexts

Relevant professional certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), or ISO 27001 Lead Auditor / Lead Implementer

Skills

AI fluency at Klaviyo includes responsible use of AI (including privacy, security, bias awareness, and human-in-the-loop)

Benefits

Our salary range reflects the cost of labor across various U.S. geographic markets. The range displayed below reflects the minimum and maximum target salaries for the position across all our US locations. The base salary offered for this position is determined by several factors, including the applicant’s job-related skills, relevant experience, education or training, and work location. In addition to base salary, our total compensation package may include participation in the company’s annual cash bonus plan, variable compensation (OTE) for sales and customer success roles, equity, sign-on payments, and a comprehensive range of health, welfare, and wellbeing benefits based on eligibility.

Pay

Your recruiter can provide more details about the specific salary/OTE range for your preferred location during the hiring process.

Schedule

This role may require up to 10% travel for purposes such as new hire onboarding, client or partner work if applicable, team meetings, and industry events. Travel is coordinated in advance.

Similar jobs

Senior Risk Manager

Spartan Advisory PartnersGreater Syracuse-Auburn Area· 3 wk ago
Financeapply on spartan-advisory.com

Senior Risk Manager

Sotheby's Institute of ArtNew York, United States· 3 wk ago
Finance$90k–$120k/yr

Senior Risk Manager

PolymarketNew York, United States· 4 wk ago
RemoteFinance$21/hrapply on jobs.ashbyhq.com