Manager, Security Risk & Compliance

At IBM Software, we transform client challenges into solutions. Building the world's leading AI-powered, cloud-native products that shape the future of business and society. Our legacy of innovation creates endless opportunities for IBMers to learn, grow, and make an impact on a global scale. Working in Software means joining a team fueled by curiosity and collaboration. You'll work with diverse technologies, partners, and industries to design, develop, and deliver solutions that power digital transformation. With a culture that values innovation, growth, and continuous learning, IBM Software places you at the heart of IBM's product and technology landscape. Here, you'll have the tools and opportunities to advance your career while creating software that changes the world.

Your role and responsibilities

Leadership & People Management

• Lead the Security GRC program for Apptio's Commercial, FedRAMP, and DoD offerings within IBM Software GRC.
• Manage, coach, and develop a high-performing team; set goals, prioritize work, and provide continuous feedback.
• Oversee additional team members in performing routine activities (evidence collection, access reviews, ticket triage, control run-books), ensuring quality and timeliness.
• Communicate program status, audit outcomes, key risks, POA&M progress, and control maturity to IBM Software leadership through dashboards and executive briefings.

ISSO Responsibilities (FedRAMP & DoD)

• Serve as ISSO for Apptio's FedRAMP Moderate and DoD IL systems; steward the security authorization boundary and control inheritance.
• Own and maintain SSP, POA&M, Continuous Monitoring Plan, Configuration Management Plan, Incident Response Plan, and other required artifacts.
• Review and approve security-relevant changes; ensure security impact analyses are performed prior to implementation.
• Coordinate annual assessments with the 3PAO and interface with government Authorizing Officials and stakeholders as required.

Continuous Monitoring Oversight (FedRAMP & DoD)

• Provide governance oversight of Continuous Monitoring (ConMon) activities performed by platform, SRE, vulnerability management, and other partner teams.
• Define and monitor SLAs/SLOs for scanning cadence, patch timelines, configuration baseline drift, account reviews, and log/alert review frequency.
• Ensure monthly/quarterly ConMon submissions are complete, accurate, and timely (vulnerability scans, inventory, POA&M updates, plans of action closures).
• Consolidate ConMon evidence, validate control effectiveness, and escalate risks; drive remediation and risk acceptance decisions.
• Track metrics (e.g., mean time to remediate, findings of aging, control exceptions) and lead operational reviews with accountable owners.

Engineering & Change Management Engagement (FedRAMP Environment)

• Engage directly with respective engineering and platform teams to plan and execute audit/compliance activities within the FedRAMP environment.
• Embed security-by-design guidance in engineering backlogs; ensure user stories map to required controls and evidence.
• Partner on secure change management: perform security impact analyses, maintain control traceability, and verify completion of pre/post-implementation validation.
• Facilitate control walkthroughs, tabletop exercises, and technical deep-dives for auditors and assessors with engineering SMEs.

Governance, Risk & Compliance (Commercial + Federal)

• Oversee compliance programs for SOC 2, ISO 27001, PCI-DSS, HIPAA, data privacy, and internal IBM standards.
• Establish and maintain unified control mappings to reduce duplication across frameworks and environments.
• Maintain risk registers, track exceptions, and manage corrective action plans to closure.
• Implement automation and tooling for evidence management, control validation, and reporting where feasible.

Audit & Assessment Management

• Direct internal and external assessments (SOC 2, ISO 27001, PCI-DSS, HIPAA, FedRAMP) and customer due diligence.
• Serve as primary contact for 3PAOs, external auditors, internal audit, and customer assurance teams.
• Oversee evidence collection, control testing, documentation completeness, and timely remediation.
• Validate control design and operating effectiveness; drive sustainable corrective actions.

Business Continuity & Disaster Recovery (BCDR)

• Oversee development, maintenance, and periodic testing of BCDR plans for Apptio SaaS offerings.
• Document test results, lessons learned, and corrective actions; ensure alignment with regulatory requirements and IBM standards.

Policy, Documentation & Reporting

• Maintain high-quality policy documents, standards, procedures, SSPs, and audit artifacts.
• Produce leadership reports on compliance status, risk posture, audit outcomes, and ConMon metrics.
• Ensure documentation quality, versioning, and approvals meet federal and IBM Software GRC requirements.

Required education

High School Diploma/GED

Preferred education

Bachelor's Degree

Required technical and professional expertise

• Extensive experience in Information Security, GRC, or IT Audit with experience in FedRAMP Moderate, NIST SP 800-53, SOC 2, ISO 27001, PCI-DSS, and HIPAA.
• Hands-on experience with external audits, customer assessments, and collaboration with 3PAOs.
• Strong communication skills with the ability to tailor content for executives, engineers, and auditors.
• Ability to work hybrid onsite in Austin, TX, or Washington, DC, with up to 10% travel.

Preferred technical and professional experience

• Prior ISSO experience for FedRAMP or DoD cloud environments.
• Professional certifications: CISA, CRISC, CISSP, CCSP, CISM, CIA.
• Experience with automated GRC and compliance orchestration tools and dashboards.