Security Risk Management Lead

Affirm is reinventing credit to make it more honest and friendly, giving consumers the flexibility to buy now and pay later without any hidden fees or compounding interest.

Affirm values security as being critical to the company's continued success. Our mission is to cultivate a culture of security at Affirm, enabling the company to succeed in building honest financial products. The Security Risk Management team is evolving beyond traditional governance, risk, and compliance; we are building an engineering driven program that designs, automates, and scales the controls, workflows, and tooling that protect Affirm and our customers.

The ideal candidate will design, develop, configure, and implement solutions to complex technical and business problems across the Security Third Party Program and the broader Security Risk Management program. They are equally comfortable shaping policy and shipping automation using modern tooling (Python, Cursor, Claude, and other agentic coding platforms) to replace manual GRC work with scalable, code-defined workflows. They will operate as a subject matter expert, interface with business and engineering stakeholders, and play a key role in transforming Security Risk Management from a compliance oriented function into a security engineering discipline.
What You'll Do

• Lead and mature Affirm's Security Third Party Program, including the design, implementation, and continuous improvement of processes, controls, and operational workflows
• Build and maintain automation that replaces manual GRC tasks: intake, triage, evidence collection, control validation, tracking, escalations, and reporting, using either Python, low code platforms, and agentic coding tools (Cursor, Claude, etc.)
• Design and operate workflow orchestration and integrations across systems like ticketing, GRC platforms, vendor management tools, identity providers, and cloud control planes
• Partner closely with Procurement, Legal, Engineering, IT, Compliance, Privacy, and business stakeholders to assess and manage security risk across third party relationships
• Translate ambiguous business and security requirements into practical, scalable program solutions and decision frameworks
• Identify opportunities to automate manual processes across the program and prototype solutions yourself rather than waiting on an engineering backlog
• Drive program operational excellence by establishing repeatable processes, service-level expectations, metrics, and reporting for third party security risk management
• Evaluate third party security controls, cloud architectures (AWS/Google Cloud Platform), integration patterns, and risk posture, and provide clear recommendations to stakeholders and leadership
• Conduct light threat models on high risk integrations and partner with Security SMEs for deeper diligence
• Manage and prioritize a portfolio of complex security risk reviews and initiatives simultaneously, balancing business enablement with risk reduction
• Partner with technical teams to implement or optimize systems and tools that support program automation and workflow orchestration
• Develop dashboards, reporting mechanisms, and program insights (SQL, BI tools, or custom tooling) that improve visibility into risk trends, bottlenecks, and program performance
• Act as a trusted advisor and SME on third party security risk management, helping stakeholders make informed, risk based decisions
• Contribute to the broader Security Risk Management strategy by identifying opportunities to scale, simplify, and strengthen security governance processes through engineering

What We Look For

• 5+ years of experience in Information Security, Risk Management, Engineering and/or relevant roles
• Hands-on experience using agentic coding tools (Cursor, Claude Code, Copilot, etc.) and a working knowledge of Python; you don't need to be a software engineer, but you should be fluent enough to read, modify, and run scripts, build automations, and ship small tools end-to-end
• Familiarity with cloud environments (AWS, Google Cloud Platform, or Azure) - IAM, logging, common services, and the security risks/controls that apply to cloud-deployed third parties and integrations
• Excellent written and verbal communications skills
• Experience engineering solutions via Python, Claude, Cursor or other agentic coding tooling
• Experience with industry based information security & control frameworks (NIST Cyber Security Framework, ISO 2700x, SOC1&2(SSAE18), PCI DSS, NIST-800-53, FFIEC Cybersecurity Assessment Tool, SANS Top 20, etc.)
• BA or BS degree in Information Security, Cyber Security, Computer Science or related field or commensurate experience
• Attention to detail and experience with security practices and security tooling
• Demonstrated ability to drive projects towards completion
• Ability to understand and communicate technical issues to non-technical teams
• Professional certification in Information Security or Risk Management (such as CISSP, CISM, CISA, CRISC, etc.) is a plus

Base Pay Grade - L

Equity Grade - 5

Employees new to Affirm typically come in at the start of the pay range. Affirm focuses on providing a simple and transparent pay structure which is based on a variety of factors, including location, experience and job-related skills. Base pay is part of a total compensation package that may include equity rewards, monthly stipends for health, wellness and tech spending, and benefits (including 100% subsidized medical coverage, dental and vision for you and your dependents.)

USA Pacific base pay range (CA, WA, NY, NJ, CT) per year: $165,000 - $225,000

USA Sapphire base pay range (all other U.S. states) per year: $146,000 - $206,000

Please note that visa sponsorship is not available for this position.

#LI-Remote

Affirm is proud to be a remote-first company! The majority of our roles are remote and you can work almost anywhere within the country of employment. Affirmers in proximal roles have the flexibility to work remotely, but will occasionally be required to work out of their assigned Affirm office. A limited number of roles remain office-based due to the nature of their job responsibilities.

We're extremely proud to offer competitive benefits that are anchored to our core value of people come first. Some key highlights of our benefits package include:

• Health care coverage - Affirm covers all premiums for all levels of coverage for you and your dependents
• Flexible Spending Wallets - generous stipends for spending on Technology, Food, various Lifestyle needs, and family forming expenses
• Time off - competitive vacation and holiday schedules allowing you to take time off to rest and recharge
• ESPP - An employee stock purchase plan enabling you to buy shares of Affirm at a discount

We believe It's On Us to provide an inclusive interview experience for all, including people with disabilities. We are happy to provide reasonable accommodations to candidates in need of individualized support during the hiring process.

[For U.S. positions that could be performed in Los Angeles or San Francisco] Pursuant to the San Francisco Fair Chance Ordinance and Los Angeles Fair Chance Initiative for Hiring Ordinance, Affirm will consider for employment qualified applicants with arrest and conviction records.

By clicking "Submit Application," you acknowledge that you have read Affirm's Global Candidate Privacy Notice and hereby freely and unambiguously give informed consent to the collection, processing, use, and storage of your personal information as described therein.