Security Risk Manager
San Francisco, San Francisco County, California, 94199, USA
Listed on 2026-07-03
-
IT/Tech
Cybersecurity, Information Security
At the company, security is foundational to our mission of helping teams work together effortlessly. Our security team protects the company's employees, users, and customers by proactively addressing threats, ensuring compliance, and fostering a culture of security throughout our product and operations.
As the Security Risk Manager, you will own the company's internal security risk management program end-to-end. This is a senior role for someone who goes beyond frameworks and checklists — you will engineer the quantitative and automated foundations that let the company continuously measure and make confident decisions about security risk. You'll build the systems and processes that make risk scalable, not just the policies that describe it, and serve as a trusted advisor to senior leadership.
This role is based in our San Francisco office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. If you're interviewing for this role, your recruiter will share more about the in-office requirements.
What you'll achieve- Own the company's security risk management program: Design and continuously mature a quantitative risk framework — including risk scoring methodologies, likelihood and impact modeling, and risk appetite thresholds — that enables consistent, data-driven risk decisions across the organization.
- Build and maintain a living risk register: Own the company's central security risk register, developing KRIs, tracking trends over time, and driving accountability for risk treatment and remediation with business and technical owners.
- Automate risk identification and monitoring: Design and implement automated data pipelines and integrations that continuously surface security risks — pulling signals from vulnerability scanners, cloud security tooling, SIEMs, and third-party risk sources — so the company's risk posture is always current and not dependent on manual review cycles.
- Deliver quantitative risk reporting: Develop executive-level dashboards that communicate security risk in business terms — probability, potential impact, cost of control vs. cost of breach, and residual risk exposure — to inform investment and prioritization decisions.
- Partner cross-functionally on risk: Act as the primary security risk partner to Legal, Privacy, Finance, and Engineering. Influence security investment decisions and build a culture of risk awareness across the company.
- 7+ years of experience in information security with a strong focus on security risk management and GRC.
- Demonstrated experience building or leading a security risk management program — not just contributing to one.
- Hands‑on experience with quantitative risk methodologies such as FAIR, risk scoring models, or statistical risk analysis. You back up risk ratings with numbers, not just color codes.
- Hands‑on experience scripting or building automation to integrate security tooling, build data pipelines, or automate risk monitoring — you've built things, not just directed others to build them. Deep knowledge of security frameworks including NIST CSF, NIST SP 800‑30, ISO 27001, SOC 2, and FedRAMP.
- Proven ability to develop risk metrics, KRIs, and executive‑level reporting that drives decision‑making.
- Strong understanding of cloud environments and SaaS architecture — enough to have credible risk conversations with technical teams.
- Excellent communicator who can translate technical risk findings for both engineering teams and C‑suite stakeholders.
- Demonstrates curiosity about AI tools and emerging technologies, with a willingness to learn and leverage them to enhance productivity and decision‑making.
At the company, we're committed to building teams that include a variety of backgrounds, perspectives, and skills. If you're interested in this role and don't meet every listed requirement, we still encourage you to apply.
What we'll offerFor this role, the estimated base salary range is between $194,000–$220,000. The actual base salary will vary based on various factors, including market and individual qualifications objectively assessed during the…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).