ForgeApply
Try it free

ForgeApply · Job listing

Lead Security Governance & Risk Engineer

Klaviyo

Boston, MA, USonsite

Apply in about a minute — without sacrificing quality.

ForgeApply autofills this application and tailors your resume to this exact posting. You review everything before it's sent. Free trial, no card required.

About this role

At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you’re a close but not exact match with the description, we hope you’ll still consider applying. Want to learn more about life at Klaviyo? Visit klaviyo.com/careers to see how we empower creators to own their own destiny.

An exciting opportunity within the Security Trust and Risk (STAR) team whose mission is to ensure the safety and security of our customers, partners and Klaviyos as well as deliver best in class technology solutions, infrastructure and services. This is achieved by providing a robust and secure technology foundation to do great work. We solve problems using technology, embrace automation and AI, and support Klaviyo's continued scalability and sustainable employee growth in a rapidly evolving environment.

The STAR team assists the Global Security Services (GSS) organization in developing and refining information security policies, standards and strategy, enterprise risk management, creating metrics and reporting, coordinating cross-functional projects, and strategically aligning global information security initiatives with the broader CISO vision amongst other governance, risk and compliance efforts. The STAR team is highly collaborative and cross-functional, working closely with various functions within the GSS team (namely Security Product and Development and Security Intelligence Operations), Global Technology Solutions (GTS) team and the broader Klaviyo organization.

About the role:

The Lead Security Governance & Risk Engineer is a senior, hands-on role at the point where security governance meets risk engineering. You will own the parts of the risk programme that turn policy and standards into measured, monitored, and automated risk decisions. Reporting to the Senior Manager, Security Risk Engineering and operating as a second line of defense, you will run the technology and third-party risk register, lead AI risk governance and ISO 42001 readiness, and build the automation that gives Klaviyo a continuously updated, quantified view of its risk posture.

You will work alongside the Trust and Compliance team who are the custodians of our security policies and standards, making sure each one connects to a specific risk it reduces and is enforced through operational controls rather than living as a document. You will partner closely with Engineering, Product, GTS, Legal, Internal Audit, the ARIA team, and Finance to make risk legible across the business, and you will challenge first-line teams credibly while keeping your independence. This is a role for an engineer who thinks like a risk professional: someone who automates repeatable assessment, instruments controls, quantifies risk in financial terms, and treats AI as foundational infrastructure rather than an afterthought.

​​ How you’ll have an impact:

• Operate and maintain the risk register and taxonomy. Run the technology and third-party risk register on a consistent standard (threat actor, technique, scenario, safeguard, loss event, quantification) so that risks aggregate, prioritise, and report meaningfully across the business.

• Lead AI risk governance and ISO 42001 readiness. Maintain the AI risk assessment methodology and risk criteria, maintain the consolidated AI risk register against the K:AI inventory, and define AI risk treatment plans that map each risk to specific controls and treatment decisions. Drive ISO/IEC 42001 readiness (Clauses 6.1 and 8.2/8.3) toward the certification target, working with the Trust & Compliance and ARIA teams.

• Drive third-party risk automation and risk scoring. Contribute vendor and application risk signals into the composite risk score, partnering with the TPRM lead who owns vendor onboarding automation and the TPRM process.

• Perform the hands-on risk quantification. Apply cyber risk quantification (expected loss, probability, and cost of remediation versus acceptance) so leadership and the Technology Risk Committee can make rational investment and risk-acceptance decisions rather than relying on qualitative severity labels.

• Support the risk governance cadence. Contribute to weekly risk huddles, monthly risk reviews, and the quarterly Technology Risk Committee (CIO, CISO, CTO), preparing accurate, succinct, decision-ready risk materials and translating high-severity findings into clear business impact.

• Operate as a second line of defense. Provide independent oversight, credible challenge, and guidance to first-line teams, apply consistent risk taxonomies and reporting standards, and escalate risks that exceed established tolerance.

• Partner cross-functionally and close the loop. Work with Engineering, Product, GTS, Legal, Internal Audit, ARIA, and Finance on risk and audit findings affecting systems and processes, tracking findings and remediation through to closure with clear ownership.

Who you are:

• 7+ years of experience in information security, technology risk, cyber risk, or operational risk within a large, complex, or high-growth organization, including hands-on risk engineering or quantitative risk work.

• Strong command of cyber risk quantification, able to express risk in financial and business terms (FAIR, riskquant, or similar) rather than qualitative severity ratings alone.

• Hands-on engineering ability: SQL, Python, and integrating with APIs to extract, transform, and load data between systems and to automate risk reporting.

• Experience building and running a technology and/or third-party risk register and taxonomy, with the tooling and process automation behind it.

• Working knowledge of security and AI frameworks (NIST CSF and RMF, ISO 27000 series, ISO 42001, SOC 2, PCI DSS, CIS Controls) and how they translate into credible control

Salary insight

This posting doesn't disclose pay. Across 537 Boston jobs with disclosed salaries on ForgeApply, the median is $155k.

Based on live postings with disclosed pay on ForgeApply; refreshed daily. Not an estimate of this employer's offer.

Ready to apply to Klaviyo?

Apply in about a minute

Similar jobs

More like this: More jobs at Klaviyo · Browse all jobs