Senior Manager, Information Security Risk

About Upstart

Upstart is a leading AI lending marketplace partnering with banks and credit unions to expand access to affordable credit. By leveraging Upstart's AI marketplace, Upstart-powered banks and credit unions can have higher approval rates and lower loss rates across races, ages, and genders, while simultaneously delivering the exceptional digital-first lending experience their customers demand. More than two-thirds of Upstart loans are approved instantly and are fully automated.

Upstart is a digital-first company, which means that most Upstarters can live and work anywhere in the U.S. We also have offices in San Mateo, California; Columbus, Ohio; and Austin, Texas.

Most Upstarters join us because they connect with our mission of enabling access to effortless credit based on true risk. If you are energized by the impact you can make at Upstart, we’d love to hear from you!

The Team

The Data & Technology Risk team provides oversight and effective challenge to lines of business on Privacy, Data Governance, and Information Security GRC functions. The team strategically plans and executes risk management practices to proactively manage risks in all areas to ensure they are within Upstart’s risk appetite levels.

As an Information Security Risk Sr. Manager at Upstart, you will have a broad range of responsibilities including leading the charge for operational implementation and maintenance of an impactful Information Security Program ensuring the confidentiality, integrity, and availability of Upstart systems and data. Leading by example, you will ensure that InfoSec requirements are embedded within the organization. You will collaborate very closely with the InfoSec Engineering and Operations teams and effectively challenge their implementation and solution approach to keep Upstart’s systems and information secured. You will function as a central Information Security subject matter expert supporting enterprise teams, including mentoring other Information Security GRC team members. You will work within the GRC team to mature the current risk management programs, such as risk assessment execution, control testing and monitoring, and procedure documentation. You will also provide security advice to business partners to effectively manage risk to the business and will validate that security and technology controls are implemented to support business and security requirements.

Upstarts leverages the Three Lines of Defense framework to proactively manage its risk. The Data & Technology Risk team is a Second Line of Defense with a mission to manage risk in collaboration with our First Line of Defense partners. The role has an opportunity to deliver on this mission by building out a collaborative Information Security Program that delivers value to our consumers, lending partners, and stakeholders by not only safeguarding and securing sensitive data but also ensuring the data assets meet our integrity and availability goals.

Position Location - This role is available in the following locations: Remote

Time Zone Requirements - This team operates on the East/West Coast time zones.

Travel Requirements - This team has regular onsite collaboration sessions. These occur 3-5 days per Quarter at various locations within the continental USA. If you need to travel to make these meetups, Upstart will cover all travel related expenses.

How you’ll make an impact:

• Help predict the future of information security risks for Upstart and help proactively identify and manage all emerging risks
• Introduce forward-looking risk measures that are relevant to the Lines of Business. Identify and help build KRIs and KPIs to proactively manage the effectiveness of the program
• Foster a culture of Security by Design across business teams and peers
• Engage, mentor, and guide business leads and other stakeholders with less experience in the field
• Demonstrate strong judgment to balance being both a trusted advisor to the business and driving effective collaboration
• Leverage business and tech/cyber domain expertise to raise the level of challenge activities to a strategic focus (designing and testing InfoSec controls)
• Support ongoing measurement and auditing on overall effectiveness of the InfoSec program and execution of policies and standards
• Identify opportunities to influence risk-taking strategies and ensure that aggregate risk is understood
• Implement appropriate Information Security awareness and training resources
• Constructively debate issues and connect the dots across various assessments (examples include assessments of new initiatives, scenario analysis, challenge of proposed mitigation plans and risk acceptances, etc.)
• Prepare and maintain InfoSec program documentation
• Support with the maintenance and updating of policies, standards, playbooks and standard operating procedures that support Information Security program goals

What we’re looking for:

• Technical certifications within the area Security are a strong plus (CISSP, CRISC, CBCP, CISM or equivalent)
• Minimum requirements:
• Preferred qualifications:
• Experience with personal data and ability to develop a broad knowledge of data across the business
• Able to communicate and discuss technical information in a way that establishes rapport, persuades others, and gains understanding
• Knowledge of and experience of cyber threats, penetration testing, and vulnerability assessments
• 6+ years of directly related experience in Information Security Risk Management space and managing a security risk and compliance team
• Experience in security standards such as ISO 27001, 27002, 27005; NIST, COBIT, ITIL
• In-depth understanding of Information Security policies, principles, and technologies and familiarity with control frameworks
• Experience in process design and process improvement in a complex cross functional environment
• Strong knowledge of security technology and risk assessment methodologies, policies and processes
• Comfortable raising concerns early and knows when to escalate, including the ability to raise issues and facilitate constructive problem-solving at all levels of the organization
• Understanding of Internet technologies, including tracking technologies, online behavioral advertising, video delivery, social media APIs, mobile applications, and website development processes
• Experience in vulnerability management, configuration management, and defining and assessing technical security requirements.

What you'll love:

• Generous holiday, vacation, sick and safety leave
• 401(k) with 100% company match up to $4,500 and immediate vesting and after-tax savings
• Comprehensive medical, dental, and vision coverage with Health Savings Account contributions from Upstart
• Supportive parental, family care, and military leave programs
• Social activities including team events and onsites, all-company updates, employee resource groups (ERGs), and other interest groups such as book clubs, fitness, investing, and volunteering
• Life and disability insurance
• Annual wellness, technology & ergonomic reimbursement programs
• Employee Stock Purchase Plan (ESPP)
• Catered lunches + snacks & drinks when working in offices
• Competitive Compensation (base + bonus & equity)

At Upstart, your base pay is one part of your total compensation package. The anticipated base salary for this position is expected to be within the below range. Your actual base pay will depend on your geographic location–with our “digital first” philosophy, Upstart uses compensation regions that vary depending on location. Individual pay is also determined by job-related skills, experience, and relevant education or training. Your recruiter can share more about the specific salary range for your preferred location during the hiring process.

In addition, Upstart provides employees with target bonuses, equity compensation, and generous benefits packages (including medical, dental, vision, and 401k).

United States | Remote - Anticipated Base Salary Range

$155,400—$215,000 USD

Upstart is a proud Equal Opportunity Employer. We are dedicated to ensuring that underrepresented classes receive better access to affordable credit, and are just as committed to embracing diversity and inclusion in our hiring practices. We celebrate all cultures, backgrounds, perspectives, and experiences, and know that we can only become better together.

If you require reasonable accommodation in completing an application, interviewing, completing any pre-employment testing, or otherwise participating in the employee selection process, please email [email protected]

https://www.upstart.com/candidate_privacy_policy