Vice President, Global Compliance and Certification

AT Salesforce

Burlington, MA

To get the best candidate experience, please consider applying for a maximum of 3 roles within 12 months to ensure you are not duplicating efforts.

Job Category
Product

Job Details

About Salesforce

We're Salesforce, the Customer Company, inspiring the future of business with AI + Data + CRM. Leading with our core values, we help companies across every industry blaze new trails and connect with customers in a whole new way. And, we empower you to be a Trailblazer, too - driving your performance and career growth, charting new paths, and improving the state of the world. If you believe in business as the greatest platform for change and in companies doing well and doing good - you've come to the right place.

As the Vice President of the Global Compliance and Certification team, you will report to the SVP of Product Security within the Chief Trust Officer's Organization. You will spearhead the cloud compliance function for Salesforce's commercial and public sector SaaS products. Your role will be pivotal and multifaceted: driving the global compliance strategy and execution to ensure our compliance framework aligns with industry best practices, regulatory requirements, and organizational objectives, and enabling accelerated attainment of newer certifications and efficient maintenance of the existing ones.

What You'll Do:

  • In this role, you will lead the team responsible for enhancing Salesforce's Policy Framework, including the review and update of policy management structure, operationalization of governance documents (Policies, Standards, and Procedures) and the Policy Lifecycle Management Process. Additionally, your responsibilities will include:

    • Enhancing and Operationalizing the Policy Exception Management Process
    • Preparing and presenting risk dashboards and program-level performance reports to executive leadership
    • Conducting periodic reviews of policy structures to ensure alignment of governance documents (Policies, Standards, Procedures, and Security Baselines) with Enterprise Risk Management (ERM) and the evolving security landscape.
    • Reviewing security policy exceptions and managing the policy exception lifecycle as per the defined Policy Exception Process.
    • Completing the security exception intake process, which includes request validation, ensuring request completeness, conducting exception risk assessments, and assigning reviewers in line with the Policy Structure and Salesforce Common Controls Framework requirements.
    • Managing the exception lifecycle, including regular follow-ups with requestors, reviewers, remediation owners, and risk owners.
  • Leading the Vendor Risk Management team and operationalizing the Third-Party Risk Management Framework globally:

    • Overseeing the execution of the TPRM framework by business and functional owners to ensure that third-party outsourced risks are identified, monitored, managed, and reported.
    • Performing control evaluations to ensure the operational effectiveness of the framework in compliance with regulatory and management expectations.
    • Providing subject matter expertise and support to TPRM stakeholders.
  • Liaising with Business Groups:

    • Collaborating with various business groups, including but not limited to Finance, Legal, Engineering, IT, Product, Support, Marketing, and Sales, as well as other stakeholders globally, to implement new compliance solutions and processes.
    • Documenting and tracking remediation of outstanding control findings.
  • Leading a team to drive the Compliance Program for Global SaaS Offerings:

    • Executing internal controls readiness checks and external audits with third-party auditors.
    • Working across multiple frameworks and regulatory standards, including but not limited to NIST, ISO, EUCS, ISMAP, IRAP, AICPA SOC, FedRAMP, StateRAMP, and TxRAMP.
  • Maintaining Updated Knowledge in Compliance and Risk Management:

    • Staying current in the field of compliance and risk management to efficiently work on evolving frameworks.
    • Mastering new compliance regimes that support the company's go-to-market strategy, enabling success in new geographies or market segments.

Required/Minimum Qualifications:

  • 12+ years of relevant experience in implementing unified compliance strategies for large organizations, including leadership roles in the execution, planning, tracking, and delivery of audit programs.
  • 12+ years of experience working in the complex Information Technology-related audit domain.
  • Prior management experience in IT, Information Security, Application Development, and/or Cybersecurity Risk Management.
  • Proven ability to lead and manage a geographically dispersed, highly talented, and fast-paced team.
  • Strong understanding of qualitative vs. quantitative risk management and inherent vs. residual risk, enabling proper determination, evaluation, and reporting on technology risk levels at both the project and enterprise levels.
  • In-depth knowledge of security functions, including Incident Management, Change Management, Identity and Access Management, and Vendor Security Risk Management.
  • Exceptional ability to effectively communicate complex and esoteric principles to non-technical stakeholders.
  • Demonstrated capability to influence, create a compelling vision, and drive alignment across complex stakeholders and functions to deliver results.
  • Security and compliance certifications such as CISSP, CISA, CEH, etc. are a plus.
  • University degree or equivalent demonstrated education and/or work experience in fields such as Computer Information Systems, Software Engineering, Information Technology Management, Computer Science, Systems Engineering, or Information Systems/Application Security Architecture.

Accommodations

If you require assistance due to a disability when applying for open positions, please submit a request via this Accommodations Request Form.

Posting Statement

At Salesforce we believe that the business of business is to improve the state of our world. Each of us has a responsibility to drive Equality in our communities and workplaces. We are committed to creating a workforce that reflects society through inclusive programs and initiatives such as equal pay, employee resource groups, inclusive benefits, and more. Learn more about Equality at www.equality.com and explore our company benefits at www.salesforcebenefits.com.

Salesforce is an Equal Employment Opportunity and Affirmative Action Employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender perception or identity, national origin, age, marital status, protected veteran status, or disability status. Salesforce does not accept unsolicited headhunter and agency resumes. Salesforce will not pay any third-party agency or company that does not have a signed agreement with Salesforce.

Salesforce welcomes all.

Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Salesforce will consider for employment qualified applicants with arrest and conviction records.

For Washington, D.C.-based roles, the base salary hiring range for this position is $270,400 to $432,700.

For California-based roles, the base salary hiring range for this position is $295,600 to $472,900.

Compensation offered will be determined by factors such as location, level, job-related knowledge, skills, and experience. Certain roles may be eligible for incentive compensation, equity, and benefits. More details about our company benefits can be found at the following link: https://www.salesforcebenefits.com.

Client-provided location(s): Burlington, MA, USA; San Francisco, CA, USA; Washington, DC, USA
Job ID: Salesforce-JR265541
Employment Type: Full Time

Perks and Benefits

  • Health and Wellness

    • Health Insurance
    • Health Reimbursement Account
    • Dental Insurance
    • Vision Insurance
    • Life Insurance
    • Short-Term Disability
    • Long-Term Disability
    • FSA
    • FSA With Employer Contribution
    • HSA
    • HSA With Employer Contribution
    • Fitness Subsidies
    • On-Site Gym
    • Mental Health Benefits
  • Parental Benefits

    • Adoption Leave
    • Return-to-Work Program
    • Birth Parent or Maternity Leave
    • Non-Birth Parent or Paternity Leave
    • Fertility Benefits
    • Adoption Assistance Program
    • Family Support Resources
  • Work Flexibility

    • Flexible Work Hours
    • Remote Work Opportunities
    • Hybrid Work Opportunities
  • Office Life and Perks

    • Casual Dress
    • Happy Hours
    • Snacks
    • Some Meals Provided
    • Company Outings
  • Vacation and Time Off

    • Paid Vacation
    • Unlimited Paid Time Off
    • Paid Holidays
    • Personal/Sick Days
    • Leave of Absence
    • Sabbatical
    • Volunteer Time Off
  • Financial and Retirement

    • 401(K)
    • 401(K) With Company Matching
    • Company Equity
    • Stock Purchase Program
    • Performance Bonus
    • Relocation Assistance
    • Financial Counseling
  • Professional Development

    • Tuition Reimbursement
    • Learning and Development Stipend
    • Promote From Within
    • Mentor Program
    • Shadowing Opportunities
    • Access to Online Courses
    • Lunch and Learns
    • Internship Program
    • Leadership Training Program
    • Professional Coaching
    • Work Visa Sponsorship
  • Diversity and Inclusion

    • Employee Resource Groups (ERG)
    • Unconscious Bias Training
    • Diversity, Equity, and Inclusion Program
