At DICK’S Sporting Goods, we believe in how positively sports can change lives. On our team, everyone plays a critical role in creating confidence and excitement by personally equipping all athletes to achieve their dreams. We are committed to creating an inclusive and diverse workforce, reflecting the communities we serve.
If you are ready to make a difference as part of the world’s greatest sports team, apply to join our team today!
OVERVIEW:
The Senior Manager, Information Security & Risk Management is responsible for building, leading, and maturing the enterprise information security risk management program and the Governance, Risk, and Compliance (GRC) platform that enables it. This role owns the people, process, and technology underpinning risk identification, assessment, treatment, reporting, and assurance. The ideal candidate brings deep experience in security risk frameworks, control assurance, and GRC product ownership - translating complex risk into clear business decisions and automating workflows for scale.
Strategy & Leadership (People)
Build and lead a high-performing GRC/risk team (analysts, engineers, control owners), including hiring, coaching, performance management, and succession planning.
Serve as the product owner for the GRC platform, setting vision, roadmap, priorities, and adoption goals; lead a cross-functional virtual team of process owners (IT, Engineering, Privacy, Legal, Procurement, Audit).
Risk Management Program (Process)
Define and operationalize risk taxonomy, risk appetite/thresholds, and risk assessment methodologies (inherent/residual, likelihood/impact, qualitative/quantitative where appropriate).
Integrate risk management with strategic planning, project/architecture reviews, third-party risk, privacy, resilience/BCP/DR, and audit.
GRC Platform Ownership (Technology)
Own the selection, implementation, configuration, and continuous improvement of the GRC platform (e.g., ServiceNow GRC, Archer, OneTrust, LogicGate, MetricStream, similar).
Engineer scalable workflows for risk assessments, control testing, issue management, vendor risk, policy lifecycle, SOX/ITGC, and automated evidence collection.
Build and maintain authoritative control libraries mapped to frameworks (e.g., NIST CSF/800-53, ISO 27001, SOC 2, PCI DSS, HIPAA, SOX, CIS).
Implement integrations with core systems (e.g., IAM, CMDB, ticketing, CI/CD, cloud security tools, vulnerability management, procurement, ERP) to drive control automation and near-real-time monitoring.
Assurance & Continuous Monitoring
Coordinate scenario analysis and tabletop exercises for key risks (e.g., ransomware, data exfiltration, third-party outage).
Third-Party & Product/Project Risk
Mature third-party risk management (TPRM) with tiering, due diligence, contract clauses, continuous monitoring, and exit strategies.
Preferred Qualifications:
Strong knowledge of risk and control frameworks and regulations: NIST CSF/800-53, ISO 27001, SOC 2, SOX/ITGC, PCI DSS, HIPAA, CIS, and data protection/privacy (e.g., GDPR, CCPA/CPRA).
Security or audit certifications: CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CISA.
QUALIFICATIONS:
Bachelor's Degree: Information Systems, Computer Science, Cybersecurity, or related; or equivalent experience.
VIRTUAL REQUIREMENTS:
At DICK’S, we thrive on innovation and authenticity. That said, to protect the integrity and security of our hiring process, we ask that candidates do not use AI tools (like ChatGPT or others) during interviews or assessments.
To ensure a smooth and secure experience, please note the following:
Cameras must be on during all virtual interviews.
AI tools are not permitted to be used by the candidate during any part of the interview process.
Offers are contingent upon a satisfactory background check which may include ID verification.
If you have any questions or need accommodations, we’re here to help. Thanks for helping us keep the process fair and secure for everyone!
Targeted Pay Range: $95,200.00 - $158,800.00. This is part of a competitive total rewards package that could include other components such as: incentive, equity and benefits. Individual pay is determined by a number of factors including experience, location, internal pay equity, and other relevant business considerations. We review all teammate pay regularly to ensure competitive and equitable pay. DICK'S Sporting Goods complies with all state paid leave requirements. We also offer a generous suite of benefits. To learn more, visit www.benefityourliferesources.com.