Klaviyo
Klaviyo7h ago
New
USD 156000-234000/yr

Lead Security Governance & Risk Engineer

United StatesUnited States·Bostonlead
EngineeringSecurity
0 views0 saves0 applied

Quick Summary

Overview

At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day.

Technical Tools
EngineeringSecurity

At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you’re a close but not exact match with the description, we hope you’ll still consider applying. Want to learn more about life at Klaviyo? Visit klaviyo.com/careers to see how we empower creators to own their own destiny.

An exciting opportunity within the Security Trust and Risk (STAR) team whose mission is to ensure the safety and security of our customers, partners and Klaviyos as well as deliver best in class technology solutions, infrastructure and services. This is achieved by providing a robust and secure technology foundation to do great work. We solve problems using technology, embrace automation and AI, and support Klaviyo's continued scalability and sustainable employee growth in a rapidly evolving environment.

The STAR team assists the Global Security Services (GSS) organization in developing and refining information security policies, standards and strategy, enterprise risk management, creating metrics and reporting, coordinating cross-functional projects, and strategically aligning global information security initiatives with the broader CISO vision amongst other governance, risk and compliance efforts. The STAR team is highly collaborative and cross-functional, working closely with various functions within the GSS team (namely Security Product and Development and Security Intelligence Operations), Global Technology Solutions (GTS) team and the broader Klaviyo organization.

About the Role

~2 min read

The Lead Security Governance & Risk Engineer is a senior, hands-on role at the point where security governance meets risk engineering. You will own the parts of the risk programme that turn policy and standards into measured, monitored, and automated risk decisions. Reporting to the Senior Manager, Security Risk Engineering and operating as a second line of defense, you will run the technology and third-party risk register, lead AI risk governance and ISO 42001 readiness, and build the automation that gives Klaviyo a continuously updated, quantified view of its risk posture.

You will work alongside the Trust and Compliance team who are the custodians of our security policies and standards, making sure each one connects to a specific risk it reduces and is enforced through operational controls rather than living as a document. You will partner closely with Engineering, Product, GTS, Legal, Internal Audit, the ARIA team, and Finance to make risk legible across the business, and you will challenge first-line teams credibly while keeping your independence. This is a role for an engineer who thinks like a risk professional: someone who automates repeatable assessment, instruments controls, quantifies risk in financial terms, and treats AI as foundational infrastructure rather than an afterthought.

  • Operate and maintain the risk register and taxonomy. Run the technology and third-party risk register on a consistent standard (threat actor, technique, scenario, safeguard, loss event, quantification) so that risks aggregate, prioritise, and report meaningfully across the business.
  • Lead AI risk governance and ISO 42001 readiness. Maintain the AI risk assessment methodology and risk criteria, maintain the consolidated AI risk register against the K:AI inventory, and define AI risk treatment plans that map each risk to specific controls and treatment decisions. Drive ISO/IEC 42001 readiness (Clauses 6.1 and 8.2/8.3) toward the certification target, working with the Trust & Compliance and ARIA teams.
  • Drive third-party risk automation and risk scoring. Contribute vendor and application risk signals into the composite risk score, partnering with the TPRM lead who owns vendor onboarding automation and the TPRM process.
  • Perform the hands-on risk quantification. Apply cyber risk quantification (expected loss, probability, and cost of remediation versus acceptance) so leadership and the Technology Risk Committee can make rational investment and risk-acceptance decisions rather than relying on qualitative severity labels.
  • Support the risk governance cadence. Contribute to weekly risk huddles, monthly risk reviews, and the quarterly Technology Risk Committee (CIO, CISO, CTO), preparing accurate, succinct, decision-ready risk materials and translating high-severity findings into clear business impact.
  • Operate as a second line of defense. Provide independent oversight, credible challenge, and guidance to first-line teams, apply consistent risk taxonomies and reporting standards, and escalate risks that exceed established tolerance.
  • Partner cross-functionally and close the loop. Work with Engineering, Product, GTS, Legal, Internal Audit, ARIA, and Finance on risk and audit findings affecting systems and processes, tracking findings and remediation through to closure with clear ownership.
  • 7+ years of experience in information security, technology risk, cyber risk, or operational risk within a large, complex, or high-growth organization, including hands-on risk engineering or quantitative risk work.
  • Strong command of cyber risk quantification, able to express risk in financial and business terms (FAIR, riskquant, or similar) rather than qualitative severity ratings alone.
  • Hands-on engineering ability: SQL, Python, and integrating with APIs to extract, transform, and load data between systems and to automate risk reporting.
  • Experience building and running a technology and/or third-party risk register and taxonomy, with the tooling and process automation behind it.
  • Working knowledge of security and AI frameworks (NIST CSF and RMF, ISO 27000 series, ISO 42001, SOC 2, PCI DSS, CIS Controls) and how they translate into credible control requirements.
  • Hands-on familiarity with modern risk and security tooling: third-party risk platforms, cyber risk quantification, vulnerability management, and endpoint and data-security telemetry, with a clear point of view on where AI augments versus replaces human judgement.
  • Experience authoring and maintaining security policies and standards, with a governance mindset that ties policy to the risk it reduces and to operational controls.
  • Able to operate independently as a second line of defense while engaging credibly with senior engineers, architects, and security teams.
  • Proficiency discussing complex, nuanced topics with technical and non-technical audiences alike, and translating technical risk into clear business impact.
  • Excellent ability to plan, prioritise, and execute work cross-functionally and on time.

Nice to Have

~1 min read
  • Experience leading an evolution from a traditional GRC / compliance model toward an automated, engineering-led, or AI-enabled risk capability.
  • AI governance, model risk, or responsible-AI programme experience, and ISO 42001 readiness or certification work.
  • Experience building metrics and dashboards (KPIs, KRIs, KCIs) using business intelligence or dashboarding tools like Tableau and so on.
  • Experience in a regulated or high-trust environment (SOC 2, ISO 27000 series, ISO 42001, HIPAA, GDPR).
  • Threat modeling or secure design reviews, and experience designing or implementing technical security controls in AWS.
  • Experience securing web applications, Kubernetes clusters, and/or containers.
  • Relevant professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Auditor / Lead Implementer, an ISO 42001 / AI governance certification, or Open FAIR.

What We Offer

~2 min read

We’re Klaviyo (pronounced clay-vee-oh). We empower creators to own their destiny by making first-party data accessible and actionable like never before. We see limitless potential for the technology we’re developing to nurture personalized experiences in ecommerce and beyond. To reach our goals, we need our own crew of remarkable creators—ambitious and collaborative teammates who stay focused on our north star: delighting our customers. If you’re ready to do the best work of your career, where you’ll be welcomed as your whole self from day one and supported with generous benefits, we hope you’ll join us.

AI fluency at Klaviyo includes responsible use of AI (including privacy, security, bias awareness, and human-in-the-loop). We provide accommodations as needed. 

By participating in Klaviyo’s interview process, you acknowledge that you have read, understood, and will adhere to our Guidelines for using AI in the Klaviyo interview Process. For more information about how we process your personal data, see our Job Applicant Privacy Notice.

Klaviyo is committed to a policy of equal opportunity and non-discrimination. We do not discriminate on the basis of race, ethnicity, citizenship, national origin, color, religion or religious creed, age, sex (including pregnancy), gender identity, sexual orientation, physical or mental disability, veteran or active military status, marital status, criminal record, genetics, retaliation, sexual harassment or any other characteristic protected by applicable law.

IMPORTANT NOTICE: Our company takes the security and privacy of job applicants very seriously. We will never ask for payment, bank details, or personal financial information as part of the application process. All our legitimate job postings can be found on our official career site. Please be cautious of job offers that come from non-company email addresses (@klaviyo.com), instant messaging platforms, or unsolicited calls.
 
By clicking "Submit Application" you consent to Klaviyo processing your Personal Data in accordance with our Job Applicant Privacy Notice.  If you do not wish for Klaviyo to process your Personal Data, please do not submit an application.  You can find our Job Applicant Privacy Notice here and here (FR).
 

Location & Eligibility

Where is the job
Boston, United States
On-site at the office
Who can apply
US

Listing Details

Posted
July 15, 2026
First seen
July 15, 2026
Last seen
July 15, 2026

Posting Health

Days active
0
Repost count
0
Trust Level
79%
Scored at
July 15, 2026

Signal breakdown

freshnesssource trustcontent trustemployer trust
Klaviyo
Klaviyo
greenhouse

We help businesses of every size — from entrepreneurs to iconic brands.

Employees
750
Founded
2012
View company profile
Newsletter

Stay ahead of the market

Get the latest job openings, salary trends, and hiring insights delivered to your inbox every week.

A
B
C
D
Join 12,000+ marketers

No spam. Unsubscribe at any time.

KlaviyoLead Security Governance & Risk EngineerUSD 156000-234000