Affirm

Security Risk Management Lead

Category: engineering, full-time, Remote US
Salary: Not listed
Work type: remote
Job type: full-time
Industry: fintech

About the role

What You'll Do

  • Lead and mature Affirm's Security Third Party Program, including the design, implementation, and continuous improvement of processes, controls, and operational workflows
  • Build and maintain automation that replaces manual GRC tasks (intake, triage, evidence collection, control validation, tracking, escalations, and reporting) using Python, low-code platforms, and agentic coding tools (Cursor, Claude, etc.)
  • Design and operate workflow orchestration and integrations across systems like ticketing, GRC platforms, vendor management tools, identity providers, and cloud control planes
  • Partner closely with Procurement, Legal, Engineering, IT, Compliance, Privacy, and business stakeholders to assess and manage security risk across third party relationships
  • Translate ambiguous business and security requirements into practical, scalable program solutions and decision frameworks
  • Identify opportunities to automate manual processes across the program and prototype solutions yourself rather than waiting on an engineering backlog
  • Drive program operational excellence by establishing repeatable processes, service-level expectations, metrics, and reporting for third party security risk management
  • Evaluate third party security controls, cloud architectures (AWS/GCP), integration patterns, and risk posture, and provide clear recommendations to stakeholders and leadership
  • Conduct light threat models on high-risk integrations and partner with Security SMEs for deeper diligence
  • Manage and prioritize a portfolio of complex security risk reviews and initiatives simultaneously, balancing business enablement with risk reduction
  • Partner with technical teams to implement or optimize systems and tools that support program automation and workflow orchestration
  • Develop dashboards, reporting mechanisms, and program insights (SQL, BI tools, or custom tooling) that improve visibility into risk trends, bottlenecks, and program performance
  • Act as a trusted advisor and SME on third party security risk management, helping stakeholders make informed, risk-based decisions
  • Contribute to the broader Security Risk Management strategy by identifying opportunities to scale, simplify, and strengthen security governance processes through engineering