Information Security Manager – SecOps

Bright Defense
· Sec Ops Team
· Now Hiring

Sec Ops — Continuous Monitoring & Client Risk Management

Full-Time
• Remote
• Sec Ops
• Compliance & Risk Focus

You’ll be the person clients trust to keep their security program on track between audits. This role lives at the intersection of technical rigor and clear communication — translating control monitoring, risk findings, and compliance gaps into actionable guidance that customers can act on.

As an Information Security Manager on the Bright Defense Sec Ops Team, you’ll manage a portfolio of customer security programs through asynchronous collaboration, lead continuous control monitoring, assess maturity, and develop risk management strategies that strengthen client security postures. You’ll work closely with Security Consultants, Offensive Security, and other Sec Ops functions — and serve as the primary written voice keeping customers informed on findings, progress, and next steps.

• Manage a portfolio of customer security programs with continuous oversight via async channels
• Serve as the primary point of accountability for program health, milestone tracking, and escalation
• Coordinate with assigned Security Consultants to align monitoring with each client’s overall strategy
• Participate in internal syncs and contribute to broader Sec Ops objectives

• Lead ongoing assessments of security controls against ISO 27001, SOC 2, NIST CSF, and other applicable frameworks
• Monitor and evaluate control effectiveness, maturity levels, and residual risk exposure
• Identify, track, and support remediation of control weaknesses and compliance gaps
• Maintain current records of risk assessments, audit findings, and corrective action plans

• Review evidence and documentation to validate compliance posture across multiple frameworks
• Support audit readiness for SOC 2, HIPAA, ISO 27001, PCI DSS, CMMC, and related engagements
• Perform Third Party Risk Management assessments for new and existing vendors
• Respond to security questionnaires on behalf of clients within a 5-business‑day SLA

• Prepare accurate, professional, and actionable written reports and customer updates
• Deliver data‑driven insights and recommendations with clarity and specificity
• Ensure transparency across all customer‑facing communications regarding monitoring, findings, and remediation status
• Continuously improve reporting standards, evidence management, and monitoring methodologies

• Security Consulting
• Offensive Security
• Sec Ops Functions
• Client Stakeholders

• 3–6 years in information security, GRC, or compliance‑adjacent roles
• Hands‑on experience with SOC 2, ISO 27001, NIST CSF, HIPAA, PCI DSS, or CMMC
• Demonstrated ability to assess control effectiveness and document residual risk
• Experience conducting or supporting security audits and evidence reviews

• Practical experience building or maintaining risk registers and treatment plans Communication & async work
  • Exceptional written communication — client‑facing reports, findings summaries, executive updates
  • Comfortable managing multiple engagements through async channels (Slack, email, project tools)
  • Able to communicate technical findings clearly to non‑technical stakeholders
  Tools & platforms
  • GRC platforms — Drata, Vanta, Thoropass, or equivalent
  • Asana or similar PM tools for task and program tracking
  • Safe Base or equivalent for security questionnaire management
  • Google Workspace or Microsoft 365 proficiency
  Nice to have
  • CISA, CISM, CISSP, or CRISC certification
  • MSSP or consulting firm background
  • Experience supporting CMMC Level 2 or ITAR‑adjacent programs
  • Familiarity with NYDFS 23 NYCRR Part 500 or other state‑level frameworks
  • Exposure to cloud security environments (AWS, Azure, GCP)
  • Background in healthcare, defense, or fintech regulated industries
  Performance benchmarks
  • 5 days SLA for security questionnaire responses
  • Monthly written updates delivered to every active client
  • 0 gaps untracked audit findings at any point in time
  • Current risk registers and corrective action logs maintained
  • Aligned control monitoring mapped to each client’s framework scope
  • 100% TPRM assessments completed before vendor onboarding
  Compensation & perks
  • Competitive base salary — range shared during screening
  • Remote‑first with flexible working hours
  • Certification reimbursement (CISA, CISM, CISSP, CRISC, and others)
  • Direct collaboration with Bright Defense co‑founders
  • Broad client exposure across defense, healthcare, and fintech verticals
  • Clear growth path toward Senior ISM or vCISO functions

  Bright Defense is an equal opportunity employer. We build diverse, high‑trust teams.