Program Manager (Governance, Risk, Compliance and Continuity)
Redmond, Washington
December 17, 2017
Core Services Engineering builds and manages the critical products and services that Microsoft runs on. We boldly pursue big ideas that power transformational advances at Microsoft and for our customers, while helping Microsoft teams work smarter, faster and more securely every day. Core Services Engineering employees have deep technical and business expertise, customer insights, and a clear point of view that comes from first-hand, large-scale experience with Microsoft and industry solutions. We are engineers, technology leaders and experts, digital transformation change agents, and customer advocates. We have exciting opportunities for you to innovate, influence, transform, inspire and grow within our organization and we encourage you to apply to learn more!
Are you a Digital Security Program Manager or Risk Manager who is passionate about assessing and managing risk, and safeguarding company assets? Are you interested in taking a leading-edge risk management program to the next level, effecting change and driving decisions that will have Corporate Services Engineering (CSE) (formerly known as IT) and enterprise-wide impacts? If yes, then this role is for you!
Microsoft CSE’s Digital Security & Risk Engineering (DSRE) team is looking for an experienced and motivated team player to enhance DSRE’s Detailed Risk Assessments and Risk Management Services. The role reports into DSRE’s Governance, Risk, Compliance and Continuity (GRCC) team. GRCC’s mission is to ensure risk reduction and accountability for high risks while driving compliance with Microsoft’s Security Policy and applicable regulations enterprise-wide.
As a Risk Manager, you will work alongside a team of information security and risk SMEs and be responsible for creating and executing on the strategic roadmap and maturity model for our program. The ideal candidate must have technical expertise in information security with experience improving security posture and practices, command of information security best practices, proven project management skills, experience performing risk assessments using industry-standard frameworks, and a proven track record in stakeholder management.
This candidate must have excellent written and verbal communication skills and strong attention to detail. Key to being successful in this role is the ability to communicate with technical and business-oriented individuals, providing them with a balanced view of business need and security information to address enterprise-impacting information security risks. The Digital Security Risk Manager plays a vital role in the timely identification and management of high risks (risk identification, remediation plans, policy exceptions, risk management, risk tracking and reporting), many of which are time-critical for Microsoft CSE, company-wide engineering groups, and corporate functions to sustain their business.
Core responsibilities will include, but are not limited to:
• Perform DSRE organization risk assessments and security domain risk assessments, and execute organization and security domain risk management and associated program management activities:
• Co-lead DSRE organization risk assessments and risk management activities to facilitate the identification, assessment, management, reduction, tracking and reporting of top risks to the DSRE organization.
• Coordinate with business decision makers, DSRE & CSE leadership, and technical SMEs to gather information required for completing risk assessments.
• Strategically partner with other risk stakeholders to continually identify trends and discover underlying issues that are important to quantify risks, guide decision making, and/or be used as a model for others to apply consistently.
• Facilitate end-to-end risk management and tactical processing of risk and remediation plans using existing tools such as RSA Archer.
• Communicate to stakeholders the findings from risk analyses, as well as the data required to perform risk assessments.
• Build strong relationships and collaborate with external Microsoft customers and internal technical, business and legal partners.
• Deliver against an aggressive set of individual and team commitments while contributing to the success of others, motivating and inspiring them to accomplish business goals.
• Perform, validate and present CSE’s NIST cybersecurity maturity assessment with leadership.
• Perform detailed security risk assessments and stakeholder cross-training activities:
• Lead information security detailed risk assessments to enable risk-based decisions to remediate and/or acknowledge high-risk findings identified from various security and privacy technical assessments within Microsoft CSE and across the enterprise.
• Perform cross-training activities to better enable partner teams to perform risk assessments to make risk-related decisions in their day-to-day operations.
• Communicate to stakeholders the findings from risk analyses, as well as the data required to perform risk assessments.
• Facilitate end-to-end risk management and tactical processing of risk and remediation plans using existing tools such as RSA Archer.

• Bachelor’s degree required
• 5+ years’ experience in Information Security or related fields
• 5+ years’ experience in project management
• 5+ years of professional experience in the computer software industry or services industry with exposure to product development
• 5+ years’ experience working with risk management frameworks to identify and manage security and other risks
• 3+ years’ experience using Microsoft products and technologies
• Demonstrated experience with controls-based information security frameworks (e.g., ISO 27001, NIST CSF, COBIT) and/or Enterprise Risk Management frameworks (e.g., COSO ERM, ISO 31000)
• Proven business acumen
• Excellent interpersonal communication, executive presence, and presentation skills
• Strong cross-group collaboration
• Ability to deal with ambiguity
• A solid track record of achieving success through teamwork and collaboration
• Proven track record of influencing without authority, resolving conflict, and measuring results
• Ability to be adaptable

• CRISC, CISM, or CISSP certification preferred
• 7+ years of experience using risk methodologies to identify and manage non-security risks
• Demonstrated experience creating a sustainable risk or compliance program
• Demonstrated experience using RSA Archer’s EGRC platform

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, ethnicity, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to


A little about us:
Microsoft offers training and employment opportunities to help you turn your military experience and skills into a civilian technology career.