Manager - Information Security at Envestnet

Job Summary

The Manager – Information Security will be instrumental in developing, evaluating, and ensuring alignment with cybersecurity controls and policies, maintaining compliance with standards, and embedding security into the organization’s products, services, and technology infrastructure. This position demands a subject matter expert capable of bridging the gap between security policy, risk, and technical implementation. A solid understanding of the latest security frameworks and technologies, including Cloud and AI, is essential to effectively inform and support risk-based decision-making

Key Responsibilities

Cybersecurity Policy & Governance

• Develop, review, and maintain cybersecurity policies, standards, and procedures consistent with NIST, Cloud Security Alliance, CIS, and other global security frameworks.
• Convert identified security risks into policy requirements while ensuring alignment with business objectives.
• Work with security, engineering, architecture, and operational teams to confirm that policies are technically feasible and provide guidance on implementing and enforcing controls. 

Risk Management and Assessments

• Function as a security specialist, providing advisory support or directly conducting comprehensive risk assessments and control gap analyses across services, products, infrastructure, and applications. 
• Offer recommendations and guidance on effective risk mitigation strategies that align with business objectives and maintain appropriate security standards.
• Track emerging threats, evolving industry standards, best practices, and regulatory changes in order to proactively advise on necessary updates to policies, controls, or other measures required to strengthen and modernize our risk management posture. 

Security Architecture

• Provide guidance on secure cloud, network architecture, segmentation, and system hardening.
• Work with engineering teams to monitor and maintain secure configurations and access controls. 
• Lead or advise on security reviews of new technologies and system changes. 
• Carry out Security Architecture Integration by conducting ongoing or targeted architecture reviews to confirm that security is incorporated, integrated, and verified in designs and implemented services.  
• Establish and uphold architectural security principles throughout the technology and services ecosystem.  
• Assess and integrate security tools and technologies to support the enterprise security posture.
  

Security Assurance and Attestations

• Maintain documentation and evidence repositories to facilitate internal and external support.  
• Utilize platforms such as SharePoint and Jira to ensure optimal assessment preparedness.  
• Collaborate with control owners to monitor, address, and close findings efficiently.
  

Awareness & Communication

• Develop and implement cybersecurity awareness programs designed for both technical and non-technical teams.
• Prepare concise communications regarding policy changes, risk advisories, and incident notifications.
• Deliver training sessions to stakeholders on security controls and risk management procedures.
  

Required Qualifications

• Bachelor’s / Master’s degree in Information Security, Computer Science, or related field.
• 12 –15 years of experience in Information Security with a strong focus on risk management, network security, and security architecture.  
• Hands-on experience in system/network administration (Windows/Linux/Cloud).  
• Deep understanding of frameworks such as ISO 27001, NIST, PCI DSS, and COBIT.  
• Proven experience in drafting and implementing security policies and technical standards.  
• Strong knowledge of identity lifecycle management and access governance.  
• Experience with audit documentation and evidence management tools (e.g., SharePoint, Jira).  
• Excellent communication and stakeholder engagement skills.
  

Preferred Qualifications

• Certifications: CISSP, CISM, CISA, CRISC, or equivalent.  
• Experience with GRC platforms and risk assessment methodologies.  
• Familiarity with regulatory standards such as GDPR, CCPA, and other data protection laws.  
• Exposure to cloud platforms (Azure, AWS) and security tools (e.g., Defender, CrowdStrike, Tenable).  
• Knowledge of enterprise architecture frameworks and secure design principles.