Manager, Cyber Risk Management

ABOUT THE DEPARTMENT

The University of Southern California (USC) is advancing its cybersecurity posture with a renewed focus on resilience, cyber risk management, and threat-informed defense. As a world-class research institution, USC is building a culture of security that supports its academic and research mission in a rapidly evolving threat landscape.

This role sits within a newly restructured cybersecurity organization that's leading this transformation. You'll join a team focused on scalable, proactive defense strategies, incident preparedness, and operational excellence-working alongside experts who are deeply committed to service, innovation, and impact.

If you're driven by purpose, thrive in complexity, and want to help shape the future of cybersecurity at a leading university, we invite you to bring your leadership to the table.

POSITION SUMMARY

As the Manager, Cyber Risk Management you will be an integral leader of the cybersecurity department while also collaborating with stakeholders across the university ecosystem, and reporting to the Senior Director, Cyber Governance. This is a full-time exempt position, eligible for all of USC's fantastic Benefits + Perks. This opportunity is remote.

The Manager, Cyber Risk Management develops, implements, and supports cybersecurity risk management plans, as well as governance and remediation strategies. Plays a crucial role in establishing that the university's cybersecurity risk management procedures are comprehensive, up-to-date, and effectively mitigate risks to provide consistency and enable the departments, schools, and units to perform processes in a more secure manner. Manages the development, enhancement, and maintenance of cybersecurity policies and standards. Ensures the university complies with relevant laws, regulations, and standards related to cybersecurity and privacy. Collaborates with various stakeholders to align cybersecurity policies with strategic goals and operational needs. Collaborates and manages relationship with managed service providers as required to support ongoing operations across in scope capabilities. Identifies and mitigates potential risks through threat analysis and carries out assessments on the effectiveness of established strategies. Responsible for overseeing both internal/external cyber risk management, third-party related risks, responding to audit needs, and collaborating with departments, schools, units, and functions across the university.

The Manager, Cyber Risk Management will:

• Develops, implements and supports cybersecurity risk management plans, as well as governance and remediation strategies. Drives the execution of second line of defense risk management plans. Provides structured consulting in cyber risk management; promotes and instills a risk-aware and action-oriented culture throughout the university. Oversees third-party management and risk policy managed services.

• Manages the development, enhancement, and maintenance of cybersecurity policies and standards. Drafts, reviews, and updates cybersecurity policies, standards, and guidelines in accordance with regulatory requirements and best practices. Develops and enforces cybersecurity policies that protect sensitive information (e.g., health records, personal data) from cyber threats. Ensures policies and procedures are robust and effective.

• Supports university compliance with relevant laws, regulations, and standards related to cybersecurity and privacy (e.g., FERPA, HIPAA, GDPR). Collaborates with various stakeholders across the university (e.g., IT staff, faculty, and administration). Aligns cybersecurity policies with strategic goals and operational needs. Supports the verification that departments, schools, and units (DSUs) adhere to the latest security and privacy legal, regulatory, and contractual requirements.

• Identifies and mitigates potential risks through threat analysis. Carries out regular assessments on the effectiveness of existing governance and risk management strategies. Monitors compliance with security policies; reports on the effectiveness of the security program to the chief information security officer (CISO) and executive leadership. Collaborates with OCEC Policy change management to identify change impacts; provides communications team with information necessary to disseminate any changes or additions to policy and/or standard requirements.

• Serves as the second line of defense (works with other second line of defense, e.g., Ethics & Compliance) and works with the third line of defense which includes Internal Audit (providing Assurance services) and privacy teams to gain input and maintain knowledge of the latest applicable security and privacy legal, regulatory and contractual requirements as well as industry best practices and security frameworks.

• Promotes and instills a risk-aware and action oriented culture throughout the university. Keeps abreast of emerging security threats, technologies and regulatory changes that may impact the university's security posture.

• Encourages a workplace culture where all employees are valued, value others and have the opportunity to contribute through their ideas, words and actions, in accordance with the USC Code of Ethics.

MINIMUM QUALIFICATIONS

Great candidates for the position of Manager, Cyber Risk Management will meet the following qualifications:

• 5 years of experience in risk management and security frameworks.

• A bachelor's degree or combined experience and education as substitute for minimum education.

• Understanding of cybersecurity principles, IT systems, and cybersecurity technologies.

• Working knowledge and understanding of cybersecurity fundamentals and risk-based approaches to cybersecurity (e.g., hardening of operating systems, identity provisioning, vendor risk management).

• Ability to analyze complex security requirements, translate them into effective policies and strategies, and manage the change associated with implementing new policies and procedures.

• Understanding of cybersecurity policy framework management, exception handling processes, and regulatory and industry controls frameworks (e.g., PCI, ISO, NIST).

• Excellent written and verbal communication skills for drafting policies and communicating with stakeholders.

• Ability to identify and resolve security policy-related issues.

• Demonstrated skills in managing projects (e.g., policy development, implementation initiatives).

• Capacity to develop long-term strategies for cybersecurity policy management.

• Demonstrated leadership and interpersonal skills with the ability to manage complex, high-performing teams and foster an environment of trust, collaboration, transparency, and accountability.

• Ability to build consensus among stakeholders and balance security needs with operational requirements.

• Experience working with faculty, researchers, and physicians.

PREFERRED QUALIFICATIONS

Exceptional candidates for the position of Manager, Cyber Risk Management will also bring the following qualifications or more:

• 7 years of related experience.

• Understanding of the three lines of defense risk model.

• Experience working with top down business risk management.

• Understanding of cyber threat landscape and interplay with business strategic efforts.

• CISSP, GIAC, CISM, or any combo of ISSA/ISACA/GSEC.

In addition, the successful candidate must also demonstrate, through ideas, words and actions, a strong commitment to USC's Unifying Values of integrity, excellence, community, well-being, open communication, and accountability.

SALARY AND BENEFITS

The annual base salary range for this position is $167,373.57 to $194,563.75. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate's work experience, education/training, key skills, internal peer alignment, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations.

To support the well-being of our faculty and staff, USC provides benefits-eligible employees with a broad range of perks to help protect their and their dependents' health, wealth, and future. These benefits are available as part of the overall compensation and total rewards package. You can learn more about USC's comprehensive benefits here.

Join the USC cybersecurity team within an environment of innovation and excellence.

Minimum Education: Bachelor's degree In Computer Science Or in related field(s)
Addtional Education Requirements Combined experience/education as substitute for minimum education
Minimum Experience: 5 years in risk management and security frameworks.
Minimum Skills: Understanding of cybersecurity principles, IT systems, and cybersecurity technologies. Working knowledge and understanding of cybersecurity fundamentals and risk-based approaches to cybersecurity (e.g., hardening of operating systems, identity provisioning, vendor risk management). Ability to analyze complex security requirements, translate them into effective policies and strategies, and manage the change associated with implementing new policies and procedures. Understanding of cybersecurity policy framework management, exception handling processes, and regulatory and industry controls frameworks (e.g., PCI, ISO, NIST). Excellent written and verbal communication skills for drafting policies and communicating with stakeholders. Ability to identify and resolve security policy-related issues. Demonstrated skills in managing projects (e.g., policy development, implementation initiatives). Capacity to develop long-term strategies for cybersecurity policy management. Demonstrated leadership and interpersonal skills with the ability to manage complex, high-performing teams and foster an environment of trust, collaboration, transparency, and accountability. Ability to build consensus among stakeholders and balance security needs with operational requirements. Experience working with faculty, researchers, and physicians.
Preferred Certifications: CISSP, GIAC, CISM, or any combo of ISSA/ISACA/GSEC
Preferred Experience: 7 years
Preferred Skills: Understanding of the three lines of defense risk model. Experience working with top down business risk management. Understanding of cyber threat landscape and interplay with business strategic efforts.