
Information Security Manager

Work from home Full-time role Hiring

About this Role

The Information Security Manager is a key individual contributor on Kibo's Information Security team, owning day-to-day execution of our compliance and assurance programs — primarily PCI DSS v4.0.1 and SOC 2, with growing scope across ISO 27001, GDPR / UK GDPR, and US state privacy regimes (e.g., CCPA). This role reports directly to Kibo's Head of Engineering and partners closely with Cloud Engineering, DevOps, IT, Legal, and Product. Success requires strong information security and compliance fundamentals, working knowledge of cloud environments (AWS and GCP), excellent vendor and stakeholder management, and the ability to translate framework requirements into concrete, prioritised work for engineering teams.

About Kibo

KIBO is a composable digital commerce platform for B2C, D2C, and B2B organizations who want to simplify the complexity in their businesses and deliver modern customer experiences. KIBO is the only modular, modern commerce platform that supports experiences spanning B2B and B2C Commerce, Order Management, and Subscriptions. Companies like Ace Hardware, Zwilling, Jelly Belly, Nivel, and Honey Birdette trust Kibo to bring simplicity and sophistication to commerce operations and deliver experiences that drive value. KIBO's cutting-edge solution is MACH Alliance Certified and has been recognized by Forrester, Gartner, IDC, Internet Retailer, and TrustRadius. KIBO has been named a leader in The Forrester Wave™: Order Management Systems, Q1 2025 and in the IDC MarketScape report “Worldwide Enterprise Headless Digital Commerce Applications 2024 Vendor Assessment”.

By joining KIBO, you will be part of a team of Kibonauts all over the world in a remote-friendly environment. Whether your job is to build, sell, or support KIBO’s commerce solutions, we tackle challenges together with the approach of trust, growth mindset, and customer obsession. If you’re seeking a unique challenge with amazing growth potential, then come work with us!
What You’ll Do: Essential Responsibilities

Compliance program ownership

● Audit & assessment lead — Coordinate all information security assessments and audits, including PCI DSS v4.0.1, SOC 2, ISO 27001, and any internal governance or controls oversight.
● Auditor engagement — Manage external auditor and assessor relationships end-to-end: requests, evidence packages, findings, status, remediation plans, and follow-up validation.
● PCI scope management — Maintain Cardholder Data Environment (CDE) and non-CDE boundaries, network architecture diagrams, firewall / ACL rules, VPN access reviews, and critical-asset inventories.
● Portfolio mandates — Track and report compliance posture against Kibo's investor/portfolio-level security mandates, including private-equity portfolio hardening and Mythos-era requirements.

External assessment and vendor management

● Pen-test / VAPT engagements — Manage relationships with external assessment firms (e.g., Accorian, TAC Security, Ampcus Cyber). Drive scope, timelines, fieldwork, retests, and reporting.
● Security tooling evaluations — Lead evaluations and onboarding of MDR / XDR, CNAPP, EDR, PAM, threat intelligence (e.g., CloudSEK, Cyble, SecurityScorecard), and vulnerability-scanning solutions.

Risk, vulnerability, and exposure management

● Vulnerability remediation — Drive CVE and dependency remediation across a large software estate (hundreds of repositories), partnering with Cloud Engineering on Dependabot rollout, prioritization, and developer hygiene.
● Exposure triage — Triage external exposure findings, threat-intel hits, and third-party security disclosure reports to documented closure.
● Incident response — Participate in IR preparation, detection, containment, eradication, recovery, and post-incident review. Own the IR program's compliance artifacts.

Policy, training, and awareness

● Policy & standards — Maintain Information Security Policy and Standards documentation. Manage waivers, exceptions, and review cycles.
● Awareness program — Own the security awareness and training program: content development, scheduled annual training, reporting metrics, and audience-specific tracks (engineering, customer support, leadership).

Client and partner support

● Customer assurance — Respond to client security questionnaires (SIG, CAIQ, custom), RFP security sections, and contract security schedules.
● Legal & HR support — Support investigations, e-discovery, and court-ordered data submission requests as needed.

Operational security

● Subject-matter guidance — Advise DevOps, Cloud Engineering, IT, Product, and business teams on controls, risk, and process improvements.
● Day-to-day operations — Assist with operational security activities including data loss prevention, vulnerability scanning, WAF tuning and alert review, and periodic access reviews.
