Enterprise Risk Program Manager

Description:

The Enterprise Risk Program Manager at CoreWeave will be responsible for identifying, documenting and tracking internal/external risks, owning risk assessments processes, driving corrective action plans and responsible for proper audit preparation. This role will sit within the Governance, Risk and Compliance (GRC) team and report to the GRC Manager.

Additionally, this role will support the creation, enforcement and the implementation of security policies, procedures, standards, and controls to govern the protection of company information systems, networks, and data. This role is a high visibility role and of utmost importance for ensuring CoreWeave complies with the necessary frameworks needed to operate as a world-leading specialized cloud provider.

Job duties include but are not limited to: 

• Act as a contributing member of the GRC and Cyber functions to build and maintain the day-to-day operations of the team, working to maintain governance of information security frameworks, standards, and policies
• Drive the Enterprise Risk Management (ERM) program by fostering a risk informed culture and regularly assessing exposures, identifying gaps, and supporting issues management resolution
• Connect ERM activities to the organization’s top strategies and business objectives
• Support the maturity of the ERM Program through assisting with the development of foundational and governance elements including standards, systems, tools, policies, workflows, and communications
• Execute periodic control and risk assessments against the multiple compliance frameworks we currently align to and may align to in the future (SOX, SOC 2, ISO 27001:2022, FedRAMP, etc.)
• Assist in maintaining the documentation, prioritization, and tracking of items such as the company risk register and exceptions process
• Perform analysis on regulatory changes, or organization changes, that may impact our Information Security requirements
• Perform periodic Business Impact Analysis (BIA) assessments to support Business Continuity and Disaster Recovery programs 
• Work closely with internal stakeholders (Engineering, Corporate IT, Legal, HR, Audit, and Product Team Members) on governance/compliance initiatives and enhancements to the monitoring of security controls
• When requested provide ad-hoc risk consultation to executives, leaders and internal stakeholders to help manage risks in pursuit of business and strategic objectives
• Perform assessments of adherence to standards prior to engaging internal or external audit 
• Develop and track audit corrective action plans through remediation  
• Develop repeatable and sustainable program reporting by tracking and maintaining the appropriate KPIs and KRIs
• Review risk reporting, including but not limited to the status of key risks and related trends, the effectiveness of controls and responses/mitigation, key risk indicators, and exceptions, etc
• Maintain and monitor ERM program policies and procedures
• Maintain and mature GRC tool used to track risks, exceptions and remediation plans 
• Collaborate with Legal and Government Affairs program to ensure Know Your Customer (KYC) protocol is being executed in alignment to government sanction requirements and any ongoing sanction updates are implemented in a timely manner

Desired qualifications:

• Educational Qualification: Bachelor's in Information Security, Computer Science, or related degree; Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP) Certification or equivalent
• Minimum of 5-8 years work experience in IT/Security Compliance/Audit function (or equivalent)
• Proven experience in compliance, risk management and/or IT security program management 
• In-depth knowledge of the industry's standards and regulations, specifically SOX, SOC 2, ISO 27001:2022, ISO 27701, NIST 800-53, NIST CSF, FedRAMP, GDPR and HIPAA
• Understanding of concepts related to information security domains such as Cloud Computing, Physical Security, Third Party Risk Management (TPRM), Identity and Access Management, Data Security, Vulnerability and Patch Management, Malware Defenses, CIS Top 18 Controls
• Integrating new technologies into existing technology portfolio
• Collaborating with cross-functional teams, including engineering, network and infrastructure 
• Excellent knowledge of reporting procedures and record keeping
• Ability to succeed in a team environment or work as an individual contributor

Additional qualifications:

• Familiarity with GRC Programs for Cloud providers 
• Self-starter and requires minimal direction from leadership
• Methodical and diligent with outstanding planning abilities
• Able to meet deadlines and handle multiple priorities
• Strong ability to negotiate with business partners to attain successful outcomes
• Excellent communication skills
• Strong project management skills with the ability to manage several large projects at the same time, keeping them on scope, on budget and on time
• Ability to present and effectively communicate with all levels of the organization
• Flexible with the ability to multitask, effectively prioritize and work under pressure
• Advocate of continuous improvement and industry recognized best practice

CoreWeave is a fast growth startup, and the selected candidate is willing to be flexible for when they are needed. There will be times where the Enterprise Risk Program Manager may need to be available outside of regular business hours to support critical issues, projects or meetings.

Our compensation reflects the cost of labor across several US geographic markets. The base pay for this position ranges from $130,000 in our lowest geographic market up to $165,000/year in our highest geographic market. Pay is based on a number of factors including market location and may vary depending on job-related knowledge, skills, and experience.