About The Position

At DICK’S Sporting Goods, we believe in how positively sports can change lives. On our team, everyone plays a critical role in creating confidence and excitement by personally equipping all athletes to achieve their dreams. We are committed to creating an inclusive and diverse workforce, reflecting the communities we serve. If you are ready to make a difference as part of the world’s greatest sports team, apply to join our team today!

Overview

The Senior Manager, Information Security & Risk Management is responsible for building, leading, and maturing the enterprise information security risk management program and the Governance, Risk, and Compliance (GRC) platform that enables it. This role owns the people, process, and technology underpinning risk identification, assessment, treatment, reporting, and assurance. The ideal candidate brings deep experience in security risk frameworks, control assurance, and GRC product ownership - translating complex risk into clear business decisions and automating workflows for scale.

Strategy & Leadership (People)

  • Build and lead a high-performing GRC/risk team (analysts, engineers, control owners), including hiring, coaching, performance management, and succession planning.
  • Serve as the product owner for the GRC platform, setting vision, roadmap, priorities, and adoption goals; lead a cross-functional virtual team of process owners (IT, Engineering, Privacy, Legal, Procurement, Audit).
  • Act as a trusted advisor to senior leaders on risk appetite, emerging risks, and investment trade-offs; communicate risk in business terms.
  • Establish a culture of accountability and continuous improvement across control owners and process stakeholders.

Risk Management Program (Process)

  • Design, implement, and mature an enterprise Information Security Risk Management (ISRM) program aligned to business strategy and regulatory requirements.
  • Define and operationalize risk taxonomy, risk appetite/thresholds, and risk assessment methodologies (inherent/residual, likelihood/impact, qualitative/quantitative where appropriate).
  • Stand up end-to-end risk workflows: identification → assessment → treatment planning → control implementation → monitoring → metrics → reporting.
  • Integrate risk management with strategic planning, project/architecture reviews, third-party risk, privacy, resilience/BCP/DR, and audit.
  • Establish and maintain the Information Security Policy & Standards framework; ensure clear control ownership and maintenance cadence.
  • Run the issue/exception/waiver process: risk acceptance, remediation tracking, and expiration governance.
  • Coordinate audit readiness and responses (internal audit, external audit, regulatory inquiries); ensure defensible evidence management.

GRC Platform Ownership (Technology)

  • Own the selection, implementation, configuration, and continuous improvement of the GRC platform (e.g., ServiceNow GRC, Archer, OneTrust, LogicGate, MetricStream, similar).
  • Engineer scalable workflows for risk assessments, control testing, issue management, vendor risk, policy lifecycle, SOX/ITGC, and automated evidence collection.
  • Build and maintain authoritative control libraries mapped to frameworks (e.g., NIST CSF/800-53, ISO 27001, SOC 2, PCI DSS, HIPAA, SOX, CIS).
  • Implement integrations with core systems (e.g., IAM, CMDB, ticketing, CI/CD, cloud security tools, vulnerability management, procurement, ERP) to drive control automation and near-real-time monitoring.
  • Define and publish dashboards and KPIs/KRIs for executive reporting; enable self-service analytics and board-level reporting packages.

Assurance & Continuous Monitoring

  • Establish a risk-based control testing and continuous control monitoring (CCM) program; leverage automation for evidence capture and evaluation.
  • Oversee security exceptions, findings, and remediation programs with clear SLAs and escalation paths.
  • Coordinate scenario analysis and tabletop exercises for key risks (e.g., ransomware, data exfiltration, third-party outage).
  • Partner with Security Engineering and Operations to connect risk insights to detection, vulnerability, and incident response priorities.

Third-Party & Product/Project Risk

  • Mature third-party risk management (TPRM) with tiering, due diligence, contract clauses, continuous monitoring, and exit strategies.
  • Embed risk reviews in SDLC and project governance (architecture boards, change management, M&A diligence/integration).

Requirements

  • 7–10 years of progressive experience in Information Security, Risk, or Audit, with 3–5+ years leading teams and/or owning a GRC platform.
  • Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or a related field; or equivalent experience.

Nice To Haves

  • Demonstrated experience standing up or significantly maturing an enterprise risk management program and owning a GRC solution end-to-end.
  • Strong knowledge of risk and control frameworks and regulations: NIST CSF/800-53, ISO 27001, SOC 2, SOX/ITGC, PCI DSS, HIPAA, CIS, and data protection/privacy (e.g., GDPR, CCPA/CPRA).
  • Hands-on experience designing automated workflows, building dashboards, and integrating GRC with IT/security tooling.
  • Exceptional communication and stakeholder management skills; proven ability to translate technical risk into business impacts and priorities.
  • Security or audit certifications: CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, CISA.
  • Experience with risk quantification approaches (e.g., FAIR) and board-level reporting.
  • Background in cloud and modern engineering environments (AWS/Azure/GCP, DevSecOps, SaaS).

© 2024 Teal Labs, Inc