Senior Manager - Security Risk Management (Hybrid)
Company: First American
Location: Santa Ana
Posted on: April 1, 2026
|
|
|
Job Description:
Who We Are Join a team that puts its People First! Since 1889,
First American (NYSE: FAF) has held an unwavering belief in its
people. They are passionate about what they do, and we are equally
passionate about fostering an environment where all feel welcome,
supported, and empowered to be innovative and reach their full
potential. Our inclusive, people-first culture has earned our
company numerous accolades, including being named to the Fortune
100 Best Companies to Work For® list for ten consecutive years. We
have also earned awards as a best place to work for women,
diversity and LGBTQ employees, and have been included on more than
50 regional best places to work lists. First American will always
strive to be a great place to work, for all. For more information,
please visit www.careers.firstam.com. What We Do The Senior Manager
of Security Risk Management is a key leadership role responsible
for developing, maintaining, and maturing the organization’s risk
management program. This role oversees Information Security
policies and standards, Third?Party Risk Management, security
training and awareness, and contributes directly to enterprise
security strategy. The ideal candidate brings strong leadership,
deep expertise in risk frameworks, and the ability to drive
cross-functional alignment. Key Responsibilities Information
Security Policies & Standards Lead the lifecycle management of
enterprise Information Security policies, standards, baselines, and
guidelines. Ensure alignment with regulatory requirements, industry
frameworks (e.g., NIST CSF, ISO 27001), and internal risk posture.
Partner with business and technology leaders to ensure policies are
actionable, effective, and embedded into operational processes.
Oversee periodic reviews, updates, and governance activities for
all security documentation. Third?Party Information Security Risk
Management (TPRM) Lead the enterprise Information Security–focused
TPRM program, ensuring all third parties with access to corporate
data, systems, or facilities undergo rigorous security risk
assessments. Maintain assessment methodologies centered on security
controls, including data protection, access management,
vulnerability management, encryption practices, incident response
maturity, and cloud security posture. Oversee due diligence
processes, security questionnaires, evidence reviews, attestations
(SOC 2, ISO 27001, penetration tests), and follow?up remediation
activities. Partner with Procurement, Legal, and business
stakeholders to ensure contracts include appropriate security
obligations, such as breach notification requirements, minimum
security standards, and right?to?audit language. Monitor ongoing
vendor security risk through periodic reassessments, continuous
monitoring tools, and threat intelligence related to third?party
ecosystems. Deliver metrics and executive?level reporting on the
security posture of third parties, highlighting emerging risks,
systemic gaps, and required remediation actions. Security Strategy
Support the development and execution of the long?term security
strategy. Partner closely with cross?functional business teams and
IT leadership to ensure security strategy aligns with
organizational goals, technology roadmaps, and operational
priorities. Provide expert insight into risk-based prioritization,
investment planning, and roadmap development. Monitor regulatory,
threat, and technology trends to inform strategic decisions.
Support management reporting for enterprise executive committees,
risk committees, and governance forums. Security Training &
Awareness Oversee the enterprise security awareness program,
including phishing simulations, mandatory training, campaigns, and
targeted education for high?risk groups. Drive culture change by
promoting security-first behaviors and improving security literacy
across the organization. Measure effectiveness using risk metrics,
training performance, and behavior analytics. Required
Qualifications 8 years of experience in Information Security, Risk
Management, Compliance, or related fields. 3 years in a leadership
role. Strong knowledge of security frameworks (NIST, ISO, SOC 2,
CIS), risk methodologies, and regulatory requirements. Experience
leading enterprise policy programs and vendor risk management
activities. Proven ability to collaborate and influence across all
levels of the organization. Excellent written and verbal
communication skills with the ability to influence stakeholders,
present to executives, and simplify complex risk topics Preferred
Qualifications Relevant certifications such as CISSP, CISM, CRISC,
or ISO 27001 Lead Implementer/Auditor. Experience scaling programs
in large, distributed, or highly regulated environments. Background
in cloud security, business continuity, or enterprise risk
management. $148,625.00 - $195,000.00 Annually This hiring range is
a reasonable estimate of the base pay range for this position at
the time of posting. Pay is based on a number of factors which may
include job-related knowledge, skills, experience, business
requirements and geographic location. Note that the following
statements only apply to candidates who will be working from an
unincorporated area within Los Angeles County. First American will
consider for employment all qualified applicants, including those
with arrest or conviction records, in a manner consistent with the
requirements of applicable state and local laws (e.g., the Los
Angeles County Fair Chance Ordinance for Employers and the
California Fair Chance Act). First American intends to conduct a
review of an applicant’s criminal history in connection with a
conditional offer. First American reasonably believes that a
criminal history may have a direct, adverse and negative
relationship with the following material job duties for this
position potentially resulting in the withdrawal of the conditional
offer of employment: handling of confidential, proprietary or trade
secret information belonging to First American or its customers,
administrating or facilitating financial transactions, and the
ability to meet customer-imposed criminal history requirements.
What We Offer By choice, we don’t simply accept individuality – we
embrace it, we support it, and we thrive on it! Our People First
Culture celebrates diversity, equity and inclusion not simply
because it’s the right thing to do, but also because it’s the key
to our success. We are proud to foster an authentic and inclusive
workplace For All. You are free and encouraged to bring your
entire, unique self to work. First American is an equal opportunity
employer in every sense of the term. Based on eligibility, First
American offers a comprehensive benefits package including medical,
dental, vision, 401k, PTO/paid sick leave and other great benefits
like an employee stock purchase plan.
Keywords: First American, Apple Valley , Senior Manager - Security Risk Management (Hybrid), IT / Software / Systems , Santa Ana, California
