Associate Director/Senior Manager, Information Risk Management (IT Controls & Governance)
Manulife
**Position Responsibilities:**
+ Security Testing: Execute security testing using methodologies such as SAST, SCA, and DAST to identify vulnerabilities. Leverage tools like Snyk for open-source dependency and container image security
+ Information Risk Assessments: Conduct risk assessments for IT initiatives prior to go-live, review release evidence, and ensure compliance with internal and industry standards
+ Third-Party Risk Management: Oversee vendor onboarding and governance, ensuring procurement aligns with security requirements and contractual clauses
+ Vulnerability Management: Apply OWASP Top 10 and NIST guidelines to prevent common vulnerabilities such as injection flaws and broken access controls
+ Secure Development: Embed security practices into SDLC and DevOps workflows, ensuring integration with CI/CD pipelines and version control systems
+ Cloud Security: Assess and validate security controls for cloud platforms (e.g., Microsoft Azure, Alibaba Cloud) and cloud-native services such as Kubernetes and microservices
+ GenAI Security Evaluation: Evaluate security risks in Generative AI projects, ensuring responsible use and compliance with data privacy and integrity standards
+ Communication & Compliance: Translate technical risks into actionable insights for technical and non-technical stakeholders, including presenting security concerns and posture to all levels—from developers to senior executives, and providing regular updates to C-level leadership.
+ Reviewing penetration testing reports and automated scans (Snyk, GitGuardian).
+ Developing automated security reports using Power BI, Python, or Power Automate.
+ Leading security audits and implementing remediation plans.
+ Acting as product owner for enterprise SCA & SAST solutions, driving migration strategies and improving DevSecOps maturity.
+ Managing penetration testing programs and refining methodologies based on stakeholder feedback.
+ Enhancing AppSec risk metrics for accurate visualization and remediation guidance.
**Required Qualifications:**
+ Bachelor’s degree in Computer Science, Information Security, or related field (or equivalent experience)
+ Proven experience in information security and compliance monitoring, preferably in cloud environments
+ Strong analytical skills and ability to interpret complex security reports.
+ Familiarity with penetration testing and DevOps tools (BurpSuite, Snyk, GitHub, GitGuardian)
+ Knowledge of OWASP trends and Generative AI risk considerations
+ Programming proficiency in Python or experience with Microsoft Power Automate
+ Experience with Power BI or similar visualization tools
+ Excellent communication and collaboration skills
+ Relevant certifications (CISSP, CISM, CEH) preferred
+ Understanding of IT control frameworks and regulatory requirements (ISO 27001, NIST, COBIT, PDPO, GDPR)
**When you join our team:**
+ We’ll empower you to learn and grow the career you want.
+ We’ll recognize and support you in a flexible environment where well-being and inclusion are more than just words.
+ As part of our global team, we’ll support you in shaping the future you want to see.
**About Manulife and John Hancock**
Manulife Financial Corporation is a leading international financial services provider that helps people make decisions more easily and live better. To learn more about us, visit http://www.manulife.com.
**Manulife is an Equal Opportunity Employer**
At Manulife/John Hancock, we value our diversity. We strive to attract, develop and retain a workforce as diverse as the customers we serve, and to foster an inclusive work environment that draws on the strengths of cultures and individuals. We are committed to fairness in recruitment, retention, advancement and compensation, and we administer all of our practices and programs without discrimination on the basis of race, ancestry, place of origin, colour, ethnic origin, citizenship, religion or religious beliefs, creed, sex (including pregnancy and pregnancy-related conditions), sexual orientation, genetic characteristics, veteran status, gender identity, gender expression, age, marital status, family status, disability, or any other ground protected by applicable law.
Our priority is to remove barriers to ensure equal access to employment. A Human Resources representative will work with applicants who request a reasonable accommodation during the application process. All information shared during the accommodation request process will be stored and used in a manner consistent with applicable laws and Manulife/John Hancock policies. To request a reasonable accommodation in the application process, send us a message at recruitment@manulife.com.
**Working Arrangement**
Hybrid