Groupon is an experiences marketplace that brings people more ways to get the most out of their city or wherever they may be. By enabling real-time mobile commerce across local businesses, live events and travel destinations, Groupon helps people find and discover experiences––big and small, new and familiar––that make for a full, fun and rewarding life. Groupon helps local businesses grow and strengthen customer relationships––resulting in strong, vibrant communities. Even with thousands of employees spread across multiple continents, we still maintain a culture that inspires innovation, rewards risk-taking and celebrates success.
The Sr. Director of IT Risk Management is responsible for maintaining the IT Risk Management function including performing Risk Management (inclusive of assessments, reports, escalations), Compliance (inclusive of control assessment and governance), and supporting strategic planning and tactical management as part of the Security Department leadership team. The Sr. Director draws on extensive real-world experience in similar positions and can interact with management and staff at all levels. The position requires excellent project management and communication skills, as well as a strong knowledge of technology controls, and solid experience and expertise with risk management, security, and privacy frameworks.
We're a "best of both worlds" kind of company. We're big enough to have resources and scale, but small enough that a single person has a surprising amount of autonomy and can make a meaningful impact. We're curious, fun, a little intense, and kind of obsessed with helping local businesses thrive. Does that sound like a great way to grow your career? Let's get into the details:
- Manage resources, priorities and tasks associated with the IT Risk and Compliance team functions to achieve stated goals.
- Engage with compliance program requirements and other regulatory standards to set company standards, policies and processes to maintain secure systems. This task will include working with external auditors or assessors, readiness assessment of controls, and achieving compliant program certifications.
- Work closely with legal and contracts teams to meet security and privacy compliance requirements under state, federal and international standards. Perform internal self-assessments in support of compliance assertions and mandates. Work with the appropriate teams on the messaging, training and security controls needed to implement privacy controls alongside security measures.
- Manage IT related risk assessments for company systems, programs and products. Provide risk management dashboard/reporting for risk posture and management consumption. Work with control owners on improving security control effectiveness. Provide reporting on risk matters, including escalations.
- Manage risk acceptance/exception processes to ensure tracking and remediation.
- Provide key or material support for the core security functions of Business Continuity/Disaster Recovery, Incident Management and Security Operations. Strive to improve these functions and processes through testing, annual assessments, and measurement or review of the program approach. Perform Business Impact and Security Impact assessments when needed.
- Manage security review of third-party vendors providing supply chain and/or service support to company systems, technology, and products. Work with vendors, legal and procurement teams to improve security awareness, risk/change reporting, and compliance with Groupon standards. Perform regular assessments of vendors for compliance.
- Provide expert knowledge of security, compliance and IT risk management to staff and programs needing clarification, decision support and management of issues.
We're excited about you if you have:
- 15+ years' experience in a combination of IT Operations, Information Security, and risk management roles in or supporting regulated industries. Should have experience with secure development processes, DevOps methodology, and modern systems development technologies and techniques.
- Prior experience leading project management efforts and coordinating resources, deadlines, priorities, and budgets (PMP preferred).
- Experience coordinating a staff with a range of technical skills and a variety of backgrounds.
- Experience in technical and/or policy writing in a technology environment including authorship of Security Policy, Standards and Guidance, and document and records management.
- Experience in global/regional privacy issues including addressing security integration, control identification and compliance.
- Experience in leading security compliance program activities – especially with technical programs such as PCI DSS.
- Prior background working with information technology (IT) teams to implement security policy and procedures in support of security and privacy requirements.
- Prior experience working as lead or integral participant in evaluating and deploying software products to support business and security program functions.
- Experience in Cloud security topics with large Cloud Service Providers (e.g. AWS, GCE) to integrate shared and mixed control environments. Experience with maintaining security and compliance programs with CSPs.
- Experience with IT and information security auditing and compliance program management (providing governance and readiness).
- Experience with security operations center (SOC) techniques and technical vulnerability management, and with a variety of tools and techniques in those areas.
- Experience working with incident response and escalation, including management of program operations and annual assessment and training activities.
- Experience working with business continuity planning and disaster recovery operations, clarification of key controls and management of program readiness.
- Demonstrable experience and skills in Cyber Security (practices, domains, approaches); CISSP preferred.
- Experience with IT and Security regulations, standards and certification programs, and knowledge of methods for maintaining audited program compliance; CISA preferred.
- Project Management experience in achieving program and project goals within time and resource constraints; PMP preferred.
- Experience in assessment and configuration of security within cloud environments; CCSK preferred.
- Experience with privacy program management and engagement for compliance and security integration; CIPP preferred.
- Knowledge and experience working with a variety of risk management processes and methodologies including qualitative and quantitative techniques.
Groupon’s purpose is to build strong communities through thriving small businesses. To learn more about the world’s largest local ecommerce marketplace, click here for the latest Groupon news. Plus, be sure to check out the values that shape our culture, guide our strategy and make our company a great place to work. And don’t just take our word for it: hear from real Groupon team members and learn more about our inclusive employee groups. If all of this sounds like a great fit for you, then click apply and let’s see where this takes us.
Groupon is an Equal Opportunity Employer
Qualifications for employment, promotion, and other terms and conditions of employment are based upon the ability to perform the job. Equal-employment opportunities are provided to all applicants and employees without regard to race, creed, religion, color, age, national origin, sex, disability, medical condition, sexual orientation, gender identity or expression, genetic information, ancestry, marital status, military discharge status (excluding dishonorable discharge), veteran status, citizenship status, or other legally protected status. We are all responsible for maintaining this policy. Groupon is committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures. If you need assistance or an accommodation due to a disability, you may email us at hraccommodations at groupon.com. If you have concerns related to Groupon’s equal employment opportunities, you may contact Groupon’s Ethics Reporting Service Ethicspoint.