
Security Risk Management Lead

Affirm · 🌍 Remote Worldwide · Estimated: $80,000 - $120,000

Security Risk Management Role (Third Party Program)

Company: Affirm
Location: Remote (US)

About Us:
Affirm is reinventing credit to make it more honest and friendly, offering consumers flexibility to buy now and pay later without hidden fees or compounding interest. We value security as critical to our success, cultivating a culture of security to build honest financial products. Our Security Risk Management team is evolving into an engineering-driven program that designs, automates, and scales controls, workflows, and tooling to protect Affirm and our customers.

What You'll Do:
The ideal candidate will design, develop, configure, and implement solutions for complex technical and business problems within the Security Third Party Program and the broader Security Risk Management program. You will shape policy, ship automation using modern tooling (Python, Cursor, Claude), and replace manual GRC work with scalable, code-defined workflows. You will act as a subject matter expert, interface with business and engineering stakeholders, and transform Security Risk Management into a security engineering discipline.

  • Lead and mature Affirm’s Security Third Party Program, including the design, implementation, and continuous improvement of processes, controls, and operational workflows.
  • Build and maintain automation that replaces manual GRC tasks: intake, triage, evidence collection, control validation, tracking, escalations, and reporting, using Python, low-code platforms, and agentic coding tools (Cursor, Claude, etc.).
  • Design and operate workflow orchestration and integrations across systems like ticketing, GRC platforms, vendor management tools, identity providers, and cloud control planes.
  • Partner closely with Procurement, Legal, Engineering, IT, Compliance, Privacy, and business stakeholders to assess and manage security risk across third-party relationships.
  • Translate ambiguous business and security requirements into practical, scalable program solutions and decision frameworks.
  • Identify opportunities to automate manual processes and prototype solutions.
  • Drive program operational excellence by establishing repeatable processes, service-level expectations, metrics, and reporting for third-party security risk management.
  • Evaluate third-party security controls, cloud architectures (AWS/GCP), integration patterns, and risk posture, providing clear recommendations.
  • Conduct light threat models on high-risk integrations and partner with Security SMEs for deeper diligence.
  • Manage and prioritize a portfolio of complex security risk reviews and initiatives simultaneously, balancing business enablement with risk reduction.
  • Partner with technical teams to implement or optimize systems and tools that support program automation and workflow orchestration.
  • Develop dashboards, reporting mechanisms, and program insights (SQL, BI tools, or custom tooling) to improve visibility into risk trends, bottlenecks, and program performance.
  • Act as a trusted advisor and SME on third-party security risk management, helping stakeholders make informed, risk-based decisions.
  • Contribute to the broader Security Risk Management strategy by identifying opportunities to scale, simplify, and strengthen security governance processes through engineering.

What We Look For:

  • 5+ years of experience in Information Security, Risk Management, Engineering, or relevant roles.
  • Hands-on experience using agentic coding tools (Cursor, Claude Code, Copilot, etc.) and a working knowledge of Python (fluent enough to read, modify, run scripts, build automations, and ship small tools).
  • Familiarity with cloud environments (AWS, GCP, or Azure) — IAM, logging, common services, and the security risks/controls for cloud-deployed third parties and integrations.
  • Excellent written and verbal communication skills.
  • Experience engineering solutions via Python, Claude, Cursor, or other agentic coding tooling.
  • Experience with industry-based information security & control frameworks (NIST Cyber Security Framework, ISO 2700x, SOC1&2(SSAE18), PCI DSS, NIST-800-53, FFIEC Cybersecurity Assessment Tool, SANS Top 20, etc.).
  • BA or BS degree in Information Security, Cyber Security, Computer Science, or related field, or commensurate experience.
  • Attention to detail and experience with security practices and tooling.
  • Demonstrated ability to drive projects to completion.
  • Ability to understand and communicate technical issues to non-technical teams.
  • Professional certification in Information Security or Risk Management (e.g., CISSP, CISM, CISA, CRISC) is a plus.

Compensation:

  • Base Pay Grade: L
  • Equity Grade: 5
  • USA Pacific Base Pay Range (CA, WA, NY, NJ, CT) per year: $165,000 - $225,000
  • USA Sapphire Base Pay Range (all other U.S. states) per year: $146,000 - $206,000
  • Total Compensation: Includes base pay, equity rewards, monthly stipends for health, wellness, and tech spending, and benefits (including 100% subsidized medical coverage, dental, and vision for you and your dependents).

Additional Information:

  • This is a remote-first position.
  • Visa sponsorship is not available.
  • Benefits include: Health care coverage (Affirm covers all premiums), Flexible Spending Wallets (Technology, Food, Lifestyle, family forming expenses), competitive Time off, and ESPP.
  • Affirm is committed to providing an inclusive interview experience, including reasonable accommodations for candidates with disabilities.
  • Affirm will consider qualified applicants with arrest and conviction records for employment in Los Angeles or San Francisco.

Apply for this role ↗


Job Overview

Posted: 6/6/2026
Category: Cybersecurity
Source: JobsCollider

FAQ

Is this position remote?

The Security Risk Management Lead role is an onsite opportunity. The location specified is Remote Worldwide.

What is the salary?

The salary is not explicitly stated, but is competitive and based on experience.

How do I apply?

You can apply by clicking the "Apply for this role" button above to submit your application on the hiring website.
