Senior Manager, Information Security GRC

Employment Type: Full-time

Who We Are

Join a team that puts its People First! Since 1889, First American (NYSE: FAF) has held an unwavering belief in its people. They are passionate about what they do, and we are equally passionate about fostering an environment where all feel welcome, supported, and empowered to be innovative and reach their full potential. Our inclusive, people-first culture has earned our company numerous accolades, including being named to the Fortune 100 Best Companies to Work For® list for ten consecutive years. We have also earned awards as a best place to work for women, diversity and LGBTQ+ employees, and have been included on more than 50 regional best places to work lists. First American will always strive to be a great place to work, for all. For more information, please visit www.careers.firstam.com.

What We Do

Reporting to the VP of InfoSec GRC, the Senior Manager is responsible for the execution of enterprise-wide governance, risk, and compliance strategies to ensure alignment with regulatory requirements and cybersecurity best practices. This role is responsible for leading the information security RCSA program, control testing, and issue lifecycle management to strengthen the organization’s risk posture. Serving as a key liaison between infosec, technology, and business stakeholders, the senior manager provides strategic oversight and actionable insights to executive leadership.

Location: Santa Ana, CA (Hybrid - in office three days a week)

What You'll Do

• Lead the strategic execution of the enterprise-wide Information Security Governance, Risk, and Compliance (GRC) program.
• Develop, implement, and mature a robust Risk and Control Self-Assessment (RCSA) program to identify, assess, and mitigate cybersecurity risks across business units.
• Oversee security assurance activities, including control design evaluations, walkthroughs, and control effectiveness testing aligned with regulatory and framework requirements (e.g., NIST CSF, ISO 27001, SOX, SOC2, FFIEC CAT).
• Direct the testing of security controls, including coordination with internal audit, external assessors, and business stakeholders.
• Advise management on the design and implementation of control activities that reduce risk, add value, and mature the control environment.
• Lead enterprise-wide information security risk assessments, including risk identification, evaluation, and prioritization, to support informed decision-making and resource allocation.
• Collaborate with business units and technology teams to assess the impact and likelihood of cybersecurity threats, integrating findings into broader risk management and mitigation strategy.
• Manage the full issue lifecycle, including issue identification, root cause analysis, remediation planning, tracking, validation, and closure, ensuring timely and effective resolution of risk and compliance gaps.
• Provide subject matter expertise and guidance for Information Security policies and standards.
• Provide leadership and subject matter expertise during regulatory examinations, internal audits, and third-party assessments.
• Collaborate with business and IT stakeholders to integrate GRC practices into key business and technology initiatives.
• Leverage GRC tools (e.g., Archer, ServiceNow GRC, LogicGate) to automate risk management workflows and enhance reporting capabilities.
• Support KPI/KRI’s to facilitate risk prioritization and articulation for the enterprise and senior leadership reporting.
• Develop and present executive-level reporting and dashboards to senior leadership and board committees on risk posture, control effectiveness, and compliance status.
• Stay current on emerging threats, industry trends, and regulatory changes to proactively adjust GRC strategies.
• Provide excellent customer service in support of program activities.
• Manages technical professionals (typically skilled exempt level employees) who have responsibility for operations and project outcomes. Provides direct and indirect support.

Requirements

• (Specific requirements not provided in the original text)

Application Instructions

• (Specific application instructions not provided in the original text)