Senior Manager, Information Security
JOB_54046951125735Job type
PermanentLocation
TorontoProfession
CyberIndustry
Technology & Internet ServicesPay
160000-200000
Senior Manager, Information Security, Risk and Compliance
We are hiring a Senior Manager, Information Security, Risk and Compliance on behalf of a well-established organization in Toronto.
As the Senior Manager, Information Security, you aren't just checking compliance boxes, you are an architect and the owner of security compliance program, risk register, and governance processes. This is a planner-and-operator leadership role keeping the security strategy and roadmap current, decide what the security function works on next, and drive Engineering, IT, Product, and Legal to deliver against those priorities. In addition to doing hands-on work when needed, you set priorities, hold teams accountable, and report on whether the program is working.
A core part of the role is making sure the function is staffed and resourced to deliver its mission, including knowing when to bring in external experts to supplement the team. You are a trusted and analytical recommender on which risks the organization accepts vs. remediates, how work is sequenced against business priorities, and how to spend resources and time against the highest impact risks in the most efficient way.
Impact & Decision authority: This role owns the organization’s PCI DSS and SOC 2 compliance programs, ensuring attestations are maintained cleanly and without lapse. You ensure the organization operates within the bounds of all relevant regulatory requirements. Beyond compliance, this role directs risk management, including deciding which risks to accept versus remediate. You provide accountability for outcomes, such as defensible customer data and efficient audit processes, rather than just tracking activity.
Responsibilities:
Security Strategy and Program Management
- Own security strategy and multi-year roadmap as a governed program: initiatives tied to business objectives, with success criteria and key risks/dependencies.
- Run the roadmap with program discipline (milestones, status reporting, dependency tracking) so work is prioritized by business impact, not handled reactively.
- Staff and drive the Security Steering Committee: agenda, metrics, and decisions on prioritization, resourcing, and policy approval.
Service Queue, Prioritization and Trend Analysis
- Own the operating model for the security service queue. Every ticket has an owner, due date, and status, with enforced SLAs.
- Set the criteria for prioritizing requests (business impact, risk, deadlines, effort) and make the call on ambiguous requests that don't fit a playbook.
- Read the queue as a signal: spot recurring themes and emerging risks, and feed them into the strategy, roadmap, and Steering Committee.
- Report queue health and SLA performance to leadership in that context; escalate proactively.
AI Governance
- Lead and formalize AI Governance Council as a cross-functional body (Legal, Privacy, Engineering, Information Security).
- Own the framework for reviewing AI use cases (acceptable use, data privacy, auth, logging, DLP) and the decision on what's approved.
- Define and report AI-compliance KPIs so the org can see and enforce adherence to the AI and Acceptable Use policies.
- Partner with IT/Engineering on monitoring and data-filtering controls, and on steering employees to approved enterprise models.
Security Metrics and Executive Reporting
- Own a security metrics program that turns raw data into business-framed reporting for the Senior Leadership Team and Board.
- Define the KPIs and KRIs the program is measured on (e.g. vulnerability remediation vs SLA, EDR coverage, phishing rates, audit findings) with multi-year maturity targets.
- Stand up a security metrics dashboard that shows real-time metrics from our security and operational tooling.
People Leadership
- Manage and develop team members in the Information Security team.
- Own a skills matrix and staffing plan for the function: identify gaps and decide what's staffed internally vs. supplemented by external experts.
- Bring in external specialists for audit peaks, point-in-time assessments, or capabilities not worth holding in-house, and manage those engagements.
- Own people and technology resourcing, including budget implications.
Qualifications:
- Craft experience: 8+ years of experience in information security, with a strong focus on compliance, GRC, or security program management.
- People leadership experience: 3+ years of direct people management experience, with a proven ability to develop talent and build cohesive teams.
- Deep compliance expertise: Hands-on experience owning and successfully navigating PCI DSS and SOC 2 Type II audit cycles.
- Risk management: Proven track record of operating an enterprise risk register and translating risk into a prioritized engineering/IT roadmap.
- Program management: Strong project and program management skills with meticulous organization, attention to detail, and a focus on driving accountability across Engineering, IT, Product, and Legal.
- Vendor and resource management: Experience managing external specialists/consultants for point-in-time assessments or audit peaks.
- Education and certifications: Active security certification (e.g., CISSP, CISM, CRISC, or equivalent) is highly preferred.
Additional Valuable Skills, Experience, or Credentials
- Undergraduate Degree in Computer Science, Cybersecurity, Business, or a related field, or equivalent practical experience.
- Experience managing AI governance or emerging technology risk is a strong asset.
- Experience designing and executing incident response tabletop exercises and security awareness programs.
What Success Looks Like in Year 1
- PCI DSS and SOC 2 Type II audits were completed cleanly: no material findings, attestations maintained without lapse.
- Risk register live and current: open risks owned, dated, tied to business impact, and driving roadmap decisions.
- Service-queue SLAs defined and met, with a documented prioritization model and a quarterly trend read feeding the roadmap.
- Security metrics program live: KPI/KRI set reported monthly to leadership and quarterly to the risk committee/Board.
- AI Governance Council runs on a consistent cadence with a documented review framework and first compliance KPIs reported.
- First annual company-wide tabletop completed; security awareness program delivered with results tracked against benchmarks.
- The Information Security department is appropriately staffed and resourced to deliver the mission.
If you're interested in this role, click 'apply now' to forward an up-to-date copy of your CV, or call us now.
If this job isn't quite right for you, but you are looking for a new position, please contact us for a confidential discussion about your career.
This posting is for an existing vacancy with the organization.
AI may be used to screen, assess or select applicants for the position.
#LI-DNI
Senior Manager, Information SecurityJOB_540469511257352026-07-142026-10-13
Talk to Oleg Myaskovsky, the specialist consultant managing this position
Located in Vancouver (FR), 450 – 1095 W. Pender street, VancouverTelephone: 604 648 1654JOB_54046951125735