Information Security Manager
Job Description
Description
About this Role:
The Information Security Manager is a key individual contributor on Kibo's Information Security
team, owning day-to-day execution of our compliance and assurance programs — primarily PCI
DSS v4.0.1 and SOC 2, with growing scope across ISO 27001, GDPR / UK GDPR, and US state
privacy regimes (e.g., CCPA). This role reports directly to Kibo's Head of Engineering and partners
closely with Cloud Engineering, DevOps, IT, Legal, and Product.
Success requires strong information security and compliance fundamentals, working knowledge
of cloud environments (AWS and GCP) , excellent vendor and stakeholder management, and the
ability to translate framework requirements into concrete, prioritised work for engineering
teams.
ABOUT KIBO
KIBO is a composable digital commerce platform for B2C, D2C, and B2B organizations who want to simplify the complexity in their businesses and deliver modern customer experiences. KIBO is the only modular, modern commerce platform that supports experiences spanning B2B and B2C Commerce, Order Management, and Subscriptions. Companies like Ace Hardware, Zwilling, Jelly Belly, Nivel, and Honey Birdette trust Kibo to bring simplicity and sophistication to commerce operations and deliver experiences that drive value.
KIBO's cutting-edge solution is MACH Alliance Certified and has been recognized by Forrester, Gartner, IDC, Internet Retailer, and TrustRadius. KIBO has been named a leader in The Forrester Wave™: Order Management Systems, Q1 2025 and in the IDC MarketScape report “Worldwide Enterprise Headless Digital Commerce Applications 2024 Vendor Assessment”.
By joining KIBO, you will be part of a team of Kibonauts all over the world in a remote-friendly environment. Whether your job is to build, sell, or support KIBO’s commerce solutions, we tackle challenges together with the approach of trust, growth mindset, and customer obsession. If you’re seeking a unique challenge with amazing growth potential, then come work with us!
What You’ll Do:
Essential Responsibilities
The Information Security Manager is a key individual contributor on Kibo's Information Security team, owning day-to-day execution of our compliance and assurance programs — primarily PCI DSS v4.0.1 and SOC 2, with growing scope across ISO 27001, GDPR / UK GDPR, and US state privacy regimes (e.g., CCPA). This role reports directly to Kibo's Head of Engineering and partners closely with Cloud Engineering, DevOps, IT, Legal, and Product. Success requires strong information security and compliance fundamentals, working knowledge of cloud environments (AWS and GCP), excellent vendor and stakeholder management, and the ability to translate framework requirements into concrete, prioritized work for engineering teams. This role is being filled on a contract-to-hire basis through Kibo's partner staffing firm. The successful contractor is expected to convert to a full-time Kibo employee on successful completion of the contract period.
Compliance program ownership.
%CF; Audit & assessment lead — Coordinate all information security assessments and audits,
including PCI DSS v4.0.1, SOC 2, ISO 27001, and any internal governance or controls
oversight.
%CF; Auditor engagement — Manage external auditor and assessor relationships end-to-end:
requests, evidence packages, findings, status, remediation plans, and follow-up validation.
%CF; PCI scope management — Maintain Cardholder Data Environment (CDE) and non-CDE
boundaries, network architecture diagrams, firewall / ACL rules, VPN access reviews, and
critical-asset inventories.
%CF; Portfolio mandates — Track and report compliance posture against Kibo's
investor/portfolio-level security mandates, including private-equity portfolio hardening and
Mythos-era requirements.
External assessment and vendor management
%CF; Pen-test / VAPT engagements — Manage relationships with external assessment firms (e.g.,
Accorian, TAC Security, Ampcus Cyber). Drive scope, timelines, fieldwork, retests, and
reporting.
%CF; Security tooling evaluations — Lead evaluations and onboarding of MDR / XDR, CNAPP, EDR,
PAM, threat intelligence (e.g., CloudSEK, Cyble, SecurityScorecard), and
vulnerability-scanning solutions.
Risk, vulnerability, and exposure management
%CF; Vulnerability remediation — Drive CVE and dependency remediation across a large software
estate (hundreds of repositories), partnering with Cloud Engineering on Dependabot rollout,
prioritization, and developer hygiene.
%CF; Exposure triage — Triage external exposure findings, threat-intel hits, and third-party
security disclosure reports to documented closure.
%CF; Incident response — Participate in IR preparation, detection, containment, eradication,
recovery, and post-incident review. Own the IR program's compliance artifacts.
Policy, training, and awareness
%CF; Policy & standards — Maintain Information Security Policy and Standards documentation.
Manage waivers, exceptions, and review cycles.
%CF; Awareness program — Own the security awareness and training program: content
development, scheduled annual training, reporting metrics, and audience-specific tracks
(engineering, customer support, leadership).
Client and partner support
%CF; Customer assurance — Respond to client security questionnaires (SIG, CAIQ, custom), RFP
security sections, and contract security schedules.
%CF; Legal & HR support — Support investigations, e-discovery, and court-ordered data
submission requests as needed.
Operational security
%CF; Subject-matter guidance — Advise DevOps, Cloud Engineering, IT, Product, and business
teams on controls, risk, and process improvements.
%CF; Day-to-day operations — Assist with operational security activities including data loss
prevention, vulnerability scanning, WAF tuning and alert review, and periodic access reviews.
Required Qualifications:
%CF; 5 to 8 years of progressive experience in information security, IT risk management,
compliance, audit, or technology governance.
%CF; Demonstrable, hands-on PCI DSS experience — ideally including v4.0 / v4.0.1 — for a
multi-tenant SaaS or payment-processing environment.
%CF; Experience with one or more additional compliance / regulatory regimes: SOC 2, ISO 27001,
SOX 404, GDPR / UK GDPR, CCPA / US state privacy.
%CF; Working knowledge of one or both major public cloud platforms (AWS and GCP), including
networking fundamentals — VPCs, VPC flow logs, NAT gateways, security groups, IAM —
and how those underpin a secure cloud architecture.
%CF; Familiarity with the modern security tooling landscape: CNAPP, EDR, PAM, MDR, SIEM,
WAF, vulnerability scanning, and secrets management — including a clear understanding of
where CNAPP and EDR each fit in a production environment.
%CF; Excellent written and verbal English communication, organizational, and documentation
skills.
%CF; Strong program management — able to drive multiple parallel workstreams (audit,
remediation, vendor engagement, policy updates) to closure on deadline.
%CF; Ability to maintain meaningful overlap with North American working hours; occasional
later-evening (India time) meetings with US-based stakeholders.
%CF; University degree, or equivalent industry experience.
Strongly Preferred
%CF; Certifications — One or more of CISA, CISM, or CISSP. ISO 27001 Lead Auditor / Lead
Implementer and/or PCI ISA are a strong plus.
%CF; CVE triage — Hands-on experience triaging a freshly-published CVE with limited context:
assessing impact, identifying vulnerable assets, and recommending mitigation or
remediation.
%CF; PE-portfolio context — Experience supporting a private-equity-backed portfolio company's
security mandate (e.g., Vista Equity Partners, KKR, Thoma Bravo).
%CF; Security posture platforms — Familiarity with SecurityScorecard, BitSight, or similar
third-party security-rating services.
%CF; Legal & e-discovery — Experience with court-ordered or law-enforcement data submission
processes.
In the first 90 days:
You will have absorbed Kibo's PCI scope, audit calendar, open assessment
findings, in-flight vendor engagements, policy baseline, and the current state of the vulnerability
backlog.
In the first 6 months, you will own and run at least one external assessment cycle end-to-end,
close a substantial portion of the open vulnerability backlog in partnership with Cloud
Engineering, and have a refreshed, board-ready view of Kibo's overall security posture.
