Sr Manager, IT Risk Management

13 hours ago


Richmond, VA, United States CarMax Full time

8116 - Midtown Office - 2220 W. Broad Street, Richmond, Virginia, 23220

CarMax, the way your career should be

Do you want to play a key role in enhancing the Cybersecurity program for a Fortune 200 company and national brand that has also been listed on the Fortune 100 Best Places to Work for the past 20 years in a row? Do you enjoy working in a collaborative environment where your experience and ideas can shape the direction and development of critical cybersecurity information risk management capabilities?

Do you want to work with a team of talented professionals that have highly advanced technical knowledge and be the subject matter expert in information security risk management, third party risk management, and business continuity?

BRIEF POSITION SUMMARY:

The Information Risk Manager is a critical leadership role that demands a comprehensive blend of technical expertise and strategic relationship management across information risk functions, including information security risk management, third party risk management, privacy operations, and business continuity. This individual is tasked with leading the development, implementation, and continuous refinement of an Information Risk Management framework, aligning with industry standards such as ISO 27001/2 and NIST 800-30. Beyond technical responsibilities, this role is pivotal in fostering strong relationships with stakeholders, including business owners, regulatory bodies, third-party vendors, and internal teams, to ensure cohesive risk management strategies. The Information Risk Manager will oversee security policies, conduct risk assessments, manage security awareness training, and lead initiatives in business continuity, third-party security due diligence, and cyber regulatory readiness. This role serves as the information risk subject matter expert and strategic advisor in all facets of information risk management to all levels across the organization.

THE DAY TO DAY

  1. Lead the adoption and adaptation of a comprehensive information risk management framework, integrating privacy operations, security controls design & implementation, and continuous improvement mechanisms, while maintaining strong leadership and stakeholder relationships.
  2. Develop and manage security policies and procedures, ensuring compliance with legal, regulatory, and industry standards.
  3. Conduct thorough risk assessments, identifying potential threats and vulnerabilities, and implement robust security measures to protect organizational assets, with a focus on transparent communication and collaboration with stakeholders.
  4. Oversee the design and delivery of security awareness training and communications programs, enhancing the security culture within the organization and engaging with stakeholders to ensure widespread adoption and understanding.
  5. Manage business continuity risk & resiliency planning, ensuring the organization's ability to operate during and recover from adverse events, while working closely with stakeholders to align continuity plans with business needs.
  6. Conduct third-party security due diligence and vendor risk assessments to safeguard against third-party risks, collaborating with stakeholders to ensure third-party practices align with organizational security standards.
  7. Lead cyber regulatory readiness initiatives, preparing the organization for compliance with current and future security and privacy regulations, and engaging with regulatory stakeholders to ensure alignment and readiness.
  8. Engage in strategic board reporting, providing insights and updates on the organization's security posture and risk management efforts, and fostering strong relationships with leadership to support informed decision-making.
  9. Foster a culture of continuous improvement, regularly reviewing and enhancing security and risk management practices, with a focus on stakeholder feedback and collaboration to drive organizational resilience and security.

EDUCATION AND/OR EXPERIENCE

  1. Bachelor’s degree in Technology, Computer Science, Business, or a related field.
  2. Master’s degree or relevant professional certification (e.g., CRISC, CIA, CIPP, CISM, GIAC, CISSP) is preferred. CRISC and CISA required.
  3. A minimum of 10 years of leadership experience in information risk management or a similar role, with a focus on leadership and stakeholder management.
  4. Proven expertise in information security, information risk management, and compliance frameworks (NIST, CIS, ISO 27001/2, etc.).
  5. Demonstrated leadership in privacy operations, security awareness training, business continuity, and third-party risk management, with a track record of successful stakeholder engagement and collaboration.
  6. Strong understanding of cyber regulatory environments and experience in senior leadership reporting and communication, with the ability to build and maintain effective stakeholder relationships.
  7. Extensive experience in information risk assessment, policy development, and incident response management, with a focus on strategic stakeholder communication and collaboration.
  8. Excellent communication skills, with the ability to effectively lead teams, influence stakeholders, and drive organizational change through strong leadership and stakeholder relationships.
  9. Excellent analytical, problem-solving, and decision-making skills; high level of accuracy and attention to detail.
  10. Strong leadership and organizational skills; ability to manage multiple projects and teams in a fast-paced environment.
  11. Exceptional interpersonal and communication skills, both written and verbal, with the ability to explain complex compliance issues to stakeholders at all levels.
  12. Demonstrated leadership - ability to gain consensus across teams without direct reporting responsibility.
  13. Strong leadership skills, with the ability to manage and mentor a team of risk management professionals.
  14. Dedication and commitment to top-quality service and to exceeding customer expectations.
  15. Proven ability to influence, without authority, the information risk management direction of others.
  16. Ability to build relationships that help overcome obstacles and time constraints to successfully deliver remediation to completion.

WORK ENVIRONMENT

This role operates in a dynamic, fast-paced office setting, reporting directly to the VP, Chief Information Security Officer. The environment demands high levels of focus, collaboration, adaptability, and strategic stakeholder engagement to manage multiple, simultaneous demands and ensure the organization's security risk and compliance posture.

Work Location and Arrangement: This role will be based out of the Richmond, VA Technology Innovation Center and have a Hybrid work arrangement.

Work Authorization: Applicants must be currently authorized to work in the United States on a full-time basis.

About CarMax

CarMax disrupted the auto industry by delivering the honest, transparent, and high-integrity experience customers want and deserve. This innovative thinking around the way cars are bought and sold has helped us become the nation’s largest retailer of used cars, with over 200 locations nationwide.

Our amazing team of more than 25,000 associates work together to deliver iconic customer experiences. Along the way, we help every associate grow their career and achieve their best, at work and in their community. We are recognized for our commitment to training and diversity and are one of the FORTUNE 100 Best Companies to Work For.

Our Commitment to Diversity and Inclusion: CarMax is committed to bringing together people from different backgrounds and perspectives, providing employees with a safe, welcoming, and inclusive work environment.

CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, protected veteran status, disability status, or any other characteristic protected by law.

Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.
