Information Security Risk Manager
About the role
Who you are
- Risk Management Expertise: 6+ years of a strong background in formal risk management frameworks, such as ISO 27001/ISO 27005, NIST SP 800-30, or others
- Risk Registers Experience: Experienced in implementing and maintaining comprehensive risk registers and control inventories
- Communication & Collaboration: The ability to effectively and proactively work across teams (Information Security, IT, Product, Engineering, Legal, etc.) to gather information and ensure buy-in
- Analytical Skills: The ability to analyze data and make informed decisions about risk prioritization and treatment
- GRC’s Role: An understanding of GRC's role within broader security and risk management contexts
- GRC Tool Proficiency: Experience with GRC platforms (especially Vanta or OneTrust) can be a huge plus, as they can streamline documentation, evidence collection, and reporting
- Certifications: Certifications like CRISC (Certified in Risk and Information Systems Control) or ISO 27001 Lead Implementer are highly valuable as they demonstrate a proven understanding of the domain
What the job involves
- Drive technical risk excellence across Pantheon as a key member of our Governance, Risk, and Compliance (GRC) team
- You'll collaborate with teams throughout the organization to transform security risk initiatives into sustainable programs that support our business growth, compliance requirements, and security objectives
- By combining your risk expertise with program management skills, you'll help shape the future of Pantheon’s GRC strategy while solving complex challenges critical to Pantheon’s continued growth and success
- Our GRC team serves as the second line of defense and works closely with Information Security, IT, Product, Engineering, Legal and other departments to ensure comprehensive risk management across Pantheon. We create and maintain processes that identify, assess, and mitigate risk
- The GRC team plays a vital role in supporting Pantheon’s commitment to delivering a secure, reliable, and available platform for our customers
- Define the Risk Management Methodology: The Risk Manager is responsible for creating and documenting Pantheon’s overall approach to risk. This includes defining the criteria for what constitutes an acceptable level of risk ("risk appetite"), how to score the likelihood and impact of a risk, and how to ultimately treat those risks. This ensures everyone in the organization is on the same page and using a consistent process
- Lead the Risk Assessment Process: This is the most crucial part. The Risk Manager orchestrates and guides the process of identifying, analyzing, and evaluating all information security risks. This individual ensures that all assets—from data and software to physical devices and intellectual property—are considered. The Risk Manager works with different departments to identify potential threats and vulnerabilities
- Develop the Risk Treatment Plan (RTP): Once risks are identified and assessed, the Risk Manager develops the formal plan for how to address each one. ISO 27001 gives four main options for risk treatment:
  - Modify: Implementing controls to reduce the risk. This is the most common option
  - Retain: Accepting the risk because it falls within the acceptable risk appetite
  - Avoid: Stopping the activity that causes the risk
  - Transfer: Shifting the risk to a third party, for example, through cyber insurance or outsourcing
- The Risk Manager documents these treatment option decisions and ensures each risk has a designated "risk owner" who is accountable for its treatment
- Create the Statement of Applicability (SoA): This is a critical document for ISO 27001 certification. The Risk Manager is responsible for compiling the SoA, which details all the controls from ISO 27002 that Pantheon has selected to mitigate its identified risks. The SoA also includes justifications for any controls that were deemed unnecessary and not included
- Monitor and Report: The Risk Manager continuously monitors the effectiveness of the implemented controls and the overall risk environment. The individual provides regular reports to the Director of GRC on Pantheon’s risk posture, any new or emerging threats, and the status of the risk treatment plan. This ensures that the ISO 27001 Information Security Management System (ISMS) is always evolving to meet new challenges
- Maintain Risk-Related Documentation: A significant part of the Risk Manager's job is maintaining all the necessary documentation, including the risk register, the risk treatment plan, and the statement of applicability. This is essential for a smooth audit process
Benefits
- Health & Wellness: Taking care of you and your family is important to us. Our healthcare benefits program delivers choice and value so you can prioritize your health
- Remote & In-Office: We believe in a flexible employee experience. Our San Francisco office is a center for collaboration and connection, but it's not the only place this happens
- Flexible Time-Off: We encourage work/life balance. Take time off when you need it, and return ready to make magic on the internet when you're ready and refreshed
- Monthly Book & Gym Allowance: One of the many ways we enable our team to take control of their development and wellness is to take advantage of our books and gym membership allowance
- Promoting Inclusivity: We strive to have a culture where Pantheors across the globe feel a high sense of belonging and engagement. We have several programs in place to help cultivate inclusion at Pantheon, including educational events, open forums, and training opportunities
- Giving Back: We believe in cultivating passion and giving back to the community we live and work in. Pantheon offers a Donation Matching program of $500 per employee and holds multiple team volunteer opportunities throughout the year
- Employee Resource Groups: Our Pantheon Resource Groups (PRGs) allow employees to connect, support each other, and spread awareness
- Professional Development: We support employee learning and development through company-led training, leadership forums, and full access to LinkedIn Learning's catalogue of courses
About Pantheon
Pantheon has been at the forefront of private markets investing for more than 40 years, earning a reputation for providing innovative solutions covering the full lifecycle of investments, from primary fund commitments to co-investments, secondary purchases and direct customized solutions, across private equity, real assets and private credit.
We have partnered with more than 1,000 clients, including institutional investors of all sizes as well as a growing number of private wealth advisers and investors, with approximately $62bn in discretionary assets under management and a combined $94.6bn in assets managed or advised (as of June 30, 2023) through a wide range of pooled funds and bespoke, customized accounts.
Using creative approaches informed by our specialized experience and delivered by a global team of professionals based in offices across Europe, the Americas and Asia, we invest with purpose and lead with expertise to build secure financial futures.