IT & Security Governance Manager
Fully Remote
Description

The IT & Security Governance Manager is responsible for advancing enterprise-wide technology maturity across corporate IT, cloud and product environments, and operational systems. This role strengthens governance structures, data stewardship practices, security controls, and operational risk management to ensure that systems and data effectively support the organization's mission, strategic partnerships, and sustainable growth.


This position operationalizes compliance frameworks as structured tools to enhance efficiency, accountability, and resilience — leveraging them to improve processes, mitigate risk, and elevate overall technology governance rather than treating compliance as the sole objective. 


IT Governance, Risk & Reporting

  • Maintain an organization-wide IT and security roadmap aligned to mission priorities and partner obligations
  • Own and manage the organization’s technology risk register (security, data, vendor, and operational risks)
  • Define and maintain IT and security policies (access control, logging, data handling, endpoint standards, secure development expectations)
  • Establish system ownership documentation and accountability structures
  • Provide leadership with clear, actionable reporting on technology health, risk posture, and audit readiness

Data Governance & System Oversight

  • Define and implement data classification, access governance, and retention standards
  • Map key data flows across internal systems, partner integrations, and cloud environments
  • Ensure encryption, logging, and access controls align with data sensitivity and contractual requirements
  • Partner with Engineering and program teams to embed secure, scalable system design patterns
  • Maintain architecture documentation, data flow diagrams, and control mappings

Identity, Access & Organizational IT Foundations

  • Strengthen identity and access management (SSO, MFA, least privilege, access reviews, joiner-mover-leaver processes)
  • Oversee endpoint and device management fundamentals (MDM, encryption, patching, configuration baselines, EDR/AV)
  • Improve SaaS governance and reduce shadow IT risk
  • Establish and validate backup, recovery, and resilience expectations for critical systems
  • Deliver practical security and data-handling guidance across departments

Cloud, Application & Vulnerability Management

  • Support the implementation of a practical Secure SDLC in partnership with Engineering
  • Own vulnerability management workflows (scanning, triage, prioritization, remediation tracking, verification)
  • Maintain cloud security guardrails (IAM standards, key management, logging, monitoring, network controls)
  • Participate in secure architecture and security reviews for major initiatives

Incident Response, Vendor Risk & Partner Assurance

  • Maintain incident response readiness, runbooks, and severity definitions
  • Lead tabletop exercises and track follow-up actions to closure
  • Support business continuity and disaster recovery validation
  • Conduct vendor and partner security reviews and remediation follow-ups
  • Support audits, customer trust requests, and partner assurance needs
  • Partner with Legal to operationalize data protection and security requirements
  • Other duties as assigned


Requirements

To perform the essential functions of this position successfully, an individual should demonstrate the following competencies with one or more of each:

  • Strategic IT Governance & Risk Management – Ability to develop and maintain enterprise IT roadmaps, manage technology risk registers, and translate complex risk posture into clear, actionable reporting for leadership.
  • Policy Development & Control Implementation – Experience designing, implementing, and operationalizing IT and security policies, standards, and accountability frameworks across access control, data handling, and system governance.
  • Data Governance & Systems Oversight – Strong understanding of data classification, retention, encryption, access governance, and data flow mapping to ensure controls align with contractual and operational requirements.
  • Identity, Access & Infrastructure Security Foundations – Proficiency in IAM best practices (SSO, MFA, least privilege, access reviews), endpoint management fundamentals, SaaS governance, and resilience planning.
  • Cloud, Application & Vulnerability Management – Experience supporting Secure SDLC practices, maintaining cloud security guardrails, and leading vulnerability management workflows from identification through remediation and verification.
  • Incident Response & Third-Party Risk Management – Ability to maintain incident readiness, conduct tabletop exercises, support business continuity validation, and manage vendor security reviews, audit support, and partner assurance obligations.

Qualifications:

  • Bachelor’s degree in Information Technology, Cybersecurity, Computer Science, or a related field, or a minimum of five (5) years of progressive experience in IT governance, security, or risk management.
  • Experience operating across multiple security and IT domains, including corporate IT security, cloud security, application security, incident response, and risk/compliance functions.
  • Strong understanding of identity and access management principles, including SSO, MFA, least privilege, and access review processes.
  • Working knowledge of common security controls and their implementation in operational environments, including logging, endpoint hardening, network controls, encryption, and backup management.
  • Experience contributing to IT governance, data governance, or system oversight in addition to security operations.
  • Ability to translate complex technical risk into clear, actionable plans for both technical and non-technical stakeholders.
  • Demonstrated ability to work effectively in a lean, mission-driven environment, prioritizing initiatives based on risk, impact, and organizational needs.
  • Experience leading or supporting audits and security frameworks such as PCI-DSS, SOC 2, ISO 27001, NIST 800-53 Rev. 5, or HIPAA-adjacent controls (preferred).
  • Hands-on experience with cloud platforms (AWS, Azure, or GCP) and modern CI/CD pipelines (preferred).
  • Experience with endpoint management (MDM) and security tooling, including EDR, vulnerability scanners, and SIEM/log management platforms (preferred).
  • Familiarity with secure software development practices and threat modeling methodologies (preferred).
  • Relevant industry certifications such as Security+, SSCP, CISSP, CISM, CCSP, or equivalent (preferred).
  • Experience supporting grant-funded initiatives, multi-partner collaborations, or externally funded programs.

     
Salary Description
$90,000–$100,000/year