CarMax - Richmond, VA

posted about 2 months ago

Full-time - Senior
Richmond, VA
10,001+ employees
Motor Vehicle and Parts Dealers

About the position

The Sr Manager, IT Risk Management at CarMax is a pivotal leadership role focused on enhancing the Cybersecurity program for a Fortune 200 company. This position requires a blend of technical expertise and strategic relationship management across various information risk functions, including information security risk management, third-party risk management, privacy operations, and business continuity. The individual will lead the development and implementation of an Information Risk Management framework, ensuring compliance with industry standards and fostering strong relationships with stakeholders to ensure cohesive risk management strategies.

Responsibilities

  • Lead the adoption and adaptation of a comprehensive information risk management framework, integrating privacy operations, security controls design & implementation, and continuous improvement mechanisms.
  • Develop and manage security policies and procedures, ensuring compliance with legal, regulatory, and industry standards.
  • Conduct thorough risk assessments, identifying potential threats and vulnerabilities, and implement robust security measures to protect organizational assets.
  • Oversee the design and delivery of security awareness training and communications programs, enhancing the security culture within the organization.
  • Manage business continuity risk & resiliency planning, ensuring the organization's ability to operate during and recover from adverse events.
  • Conduct third-party security due diligence and vendor risk assessments to safeguard against third-party risks.
  • Lead cyber regulatory readiness initiatives, preparing the organization for compliance with current and future security and privacy regulations.
  • Engage in strategic board reporting, providing insights and updates on the organization's security posture and risk management efforts.
  • Foster a culture of continuous improvement, regularly reviewing and enhancing security and risk management practices.

Requirements

  • Bachelor's degree in Technology, Computer Science, Business, or a related field.
  • Master's degree or relevant professional certification (e.g., CRISC, CIA, CIPP, CISM, GIAC, CISSP) is preferred. CRISC and CISA required.
  • A minimum of 10 years of leadership experience in information risk management or a similar role.
  • Proven expertise in information security, information risk management, and compliance frameworks (NIST, CIS, ISO27001/2, etc.).
  • Demonstrated leadership in privacy operations, security awareness training, business continuity, and third-party risk management.
  • Strong understanding of cyber regulatory environments and experience in senior leadership reporting and communication.
  • Extensive experience in information risk assessment, policy development, and incident response management.
  • Excellent communication skills, with the ability to effectively lead teams and influence stakeholders.
  • Excellent analytical, problem-solving, and decision-making skills; high level of accuracy and attention to detail.
  • Strong leadership and organizational skills; ability to manage multiple projects and teams in a fast-paced environment.

Nice-to-haves

  • Experience with strategic stakeholder engagement and collaboration.
  • Ability to explain complex compliance issues to stakeholders at all levels.
  • Proven ability to influence, without formal authority, the information risk management direction of others.

Benefits

  • Hybrid work arrangement
  • Commitment to training and diversity
  • Opportunities for career growth and development