Lead Security Governance & Risk Engineer

Posted An Hour Ago
Easy Apply
Be an Early Applicant
Boston, MA, USA
Hybrid
156K-234K Annually
Senior level
Consumer Web • eCommerce • Marketing Tech • Retail • Software • Analytics • Generative AI
Best place for ambitious people to learn and grow.
The Role
Own and automate Klaviyo's technology and third-party risk register and taxonomy, lead AI risk governance and ISO 42001 readiness, perform quantitative cyber risk analysis (financial expected loss), drive third-party risk scoring automation, produce decision-ready risk reporting for leadership, and provide independent second-line oversight while partnering cross-functionally to track and close remediation.
Summary Generated by Built In

At Klaviyo, we value the unique backgrounds, experiences and perspectives each Klaviyo (we call ourselves Klaviyos) brings to our workplace each and every day. We believe everyone deserves a fair shot at success and appreciate the experiences each person brings beyond the traditional job requirements. If you’re a close but not exact match with the description, we hope you’ll still consider applying. Want to learn more about life at Klaviyo? Visit klaviyo.com/careers to see how we empower creators to own their own destiny.

An exciting opportunity within the Security Trust and Risk (STAR) team whose mission is to ensure the safety and security of our customers, partners and Klaviyos as well as deliver best in class technology solutions, infrastructure and services. This is achieved by providing a robust and secure technology foundation to do great work. We solve problems using technology, embrace automation and AI, and support Klaviyo's continued scalability and sustainable employee growth in a rapidly evolving environment.

The STAR team assists the Global Security Services (GSS) organization in developing and refining information security policies, standards and strategy, enterprise risk management, creating metrics and reporting, coordinating cross-functional projects, and strategically aligning global information security initiatives with the broader CISO vision amongst other governance, risk and compliance efforts. The STAR team is highly collaborative and cross-functional, working closely with various functions within the GSS team (namely Security Product and Development and Security Intelligence Operations), Global Technology Solutions (GTS) team and the broader Klaviyo organization.

About the role:

The Lead Security Governance & Risk Engineer is a senior, hands-on role at the point where security governance meets risk engineering. You will own the parts of the risk programme that turn policy and standards into measured, monitored, and automated risk decisions. Reporting to the Senior Manager, Security Risk Engineering and operating as a second line of defense, you will run the technology and third-party risk register, lead AI risk governance and ISO 42001 readiness, and build the automation that gives Klaviyo a continuously updated, quantified view of its risk posture.

You will work alongside the Trust and Compliance team who are the custodians of our security policies and standards, making sure each one connects to a specific risk it reduces and is enforced through operational controls rather than living as a document. You will partner closely with Engineering, Product, GTS, Legal, Internal Audit, the ARIA team, and Finance to make risk legible across the business, and you will challenge first-line teams credibly while keeping your independence. This is a role for an engineer who thinks like a risk professional: someone who automates repeatable assessment, instruments controls, quantifies risk in financial terms, and treats AI as foundational infrastructure rather than an afterthought.

​​How you’ll have an impact:
  • Operate and maintain the risk register and taxonomy. Run the technology and third-party risk register on a consistent standard (threat actor, technique, scenario, safeguard, loss event, quantification) so that risks aggregate, prioritise, and report meaningfully across the business.
  • Lead AI risk governance and ISO 42001 readiness. Maintain the AI risk assessment methodology and risk criteria, maintain the consolidated AI risk register against the K:AI inventory, and define AI risk treatment plans that map each risk to specific controls and treatment decisions. Drive ISO/IEC 42001 readiness (Clauses 6.1 and 8.2/8.3) toward the certification target, working with the Trust & Compliance and ARIA teams.
  • Drive third-party risk automation and risk scoring. Contribute vendor and application risk signals into the composite risk score, partnering with the TPRM lead who owns vendor onboarding automation and the TPRM process.
  • Perform the hands-on risk quantification. Apply cyber risk quantification (expected loss, probability, and cost of remediation versus acceptance) so leadership and the Technology Risk Committee can make rational investment and risk-acceptance decisions rather than relying on qualitative severity labels.
  • Support the risk governance cadence. Contribute to weekly risk huddles, monthly risk reviews, and the quarterly Technology Risk Committee (CIO, CISO, CTO), preparing accurate, succinct, decision-ready risk materials and translating high-severity findings into clear business impact.
  • Operate as a second line of defense. Provide independent oversight, credible challenge, and guidance to first-line teams, apply consistent risk taxonomies and reporting standards, and escalate risks that exceed established tolerance.
  • Partner cross-functionally and close the loop. Work with Engineering, Product, GTS, Legal, Internal Audit, ARIA, and Finance on risk and audit findings affecting systems and processes, tracking findings and remediation through to closure with clear ownership.
Who you are:
  • 7+ years of experience in information security, technology risk, cyber risk, or operational risk within a large, complex, or high-growth organization, including hands-on risk engineering or quantitative risk work.
  • Strong command of cyber risk quantification, able to express risk in financial and business terms (FAIR, riskquant, or similar) rather than qualitative severity ratings alone.
  • Hands-on engineering ability: SQL, Python, and integrating with APIs to extract, transform, and load data between systems and to automate risk reporting.
  • Experience building and running a technology and/or third-party risk register and taxonomy, with the tooling and process automation behind it.
  • Working knowledge of security and AI frameworks (NIST CSF and RMF, ISO 27000 series, ISO 42001, SOC 2, PCI DSS, CIS Controls) and how they translate into credible control requirements.
  • Hands-on familiarity with modern risk and security tooling: third-party risk platforms, cyber risk quantification, vulnerability management, and endpoint and data-security telemetry, with a clear point of view on where AI augments versus replaces human judgement.
  • Experience authoring and maintaining security policies and standards, with a governance mindset that ties policy to the risk it reduces and to operational controls.
  • Able to operate independently as a second line of defense while engaging credibly with senior engineers, architects, and security teams.
  • Proficiency discussing complex, nuanced topics with technical and non-technical audiences alike, and translating technical risk into clear business impact.
  • Excellent ability to plan, prioritise, and execute work cross-functionally and on time.
Nice to have:
  • Experience leading an evolution from a traditional GRC / compliance model toward an automated, engineering-led, or AI-enabled risk capability.
  • AI governance, model risk, or responsible-AI programme experience, and ISO 42001 readiness or certification work.
  • Experience building metrics and dashboards (KPIs, KRIs, KCIs) using business intelligence or dashboarding tools like Tableau and so on.
  • Experience in a regulated or high-trust environment (SOC 2, ISO 27000 series, ISO 42001, HIPAA, GDPR).
  • Threat modeling or secure design reviews, and experience designing or implementing technical security controls in AWS.
  • Experience securing web applications, Kubernetes clusters, and/or containers.
  • Relevant professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Auditor / Lead Implementer, an ISO 42001 / AI governance certification, or Open FAIR.

Massachusetts Applicants:
It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

Our salary range reflects the cost of labor across various U.S. geographic markets. The range displayed below reflects the minimum and maximum target salaries for the position across all our US locations. The base salary offered for this position is determined by several factors, including the applicant’s job-related skills, relevant experience, education or training, and work location.

In addition to base salary, our total compensation package may include participation in the company’s annual cash bonus plan, variable compensation (OTE) for sales and customer success roles, equity, sign-on payments, and a comprehensive range of health, welfare, and wellbeing benefits based on eligibility. 

Your recruiter can provide more details about the specific salary/OTE range for your preferred location during the hiring process.

Base Pay Range For US Locations:
$156,000$234,000 USD

This role may require up to 10% travel for purposes such as new hire onboarding, client or partner work if applicable, team meetings, and industry events. Travel is coordinated in advance.

Get to Know Klaviyo

We’re Klaviyo (pronounced clay-vee-oh). We empower creators to own their destiny by making first-party data accessible and actionable like never before. We see limitless potential for the technology we’re developing to nurture personalized experiences in ecommerce and beyond. To reach our goals, we need our own crew of remarkable creators—ambitious and collaborative teammates who stay focused on our north star: delighting our customers. If you’re ready to do the best work of your career, where you’ll be welcomed as your whole self from day one and supported with generous benefits, we hope you’ll join us.

AI fluency at Klaviyo includes responsible use of AI (including privacy, security, bias awareness, and human-in-the-loop). We provide accommodations as needed. 

By participating in Klaviyo’s interview process, you acknowledge that you have read, understood, and will adhere to our Guidelines for using AI in the Klaviyo interview Process. For more information about how we process your personal data, see our Job Applicant Privacy Notice.

Klaviyo is committed to a policy of equal opportunity and non-discrimination. We do not discriminate on the basis of race, ethnicity, citizenship, national origin, color, religion or religious creed, age, sex (including pregnancy), gender identity, sexual orientation, physical or mental disability, veteran or active military status, marital status, criminal record, genetics, retaliation, sexual harassment or any other characteristic protected by applicable law.

IMPORTANT NOTICE: Our company takes the security and privacy of job applicants very seriously. We will never ask for payment, bank details, or personal financial information as part of the application process. All our legitimate job postings can be found on our official career site. Please be cautious of job offers that come from non-company email addresses (@klaviyo.com), instant messaging platforms, or unsolicited calls.
 
By clicking "Submit Application" you consent to Klaviyo processing your Personal Data in accordance with our Job Applicant Privacy Notice.  If you do not wish for Klaviyo to process your Personal Data, please do not submit an application.  You can find our Job Applicant Privacy Notice here and here (FR).
 

Skills Required

  • 7+ years experience in information security, technology risk, cyber risk, or operational risk in a large or high-growth organization, including hands-on risk engineering or quantitative risk work.
  • Strong command of cyber risk quantification and ability to express risk in financial/business terms (FAIR, riskquant, or similar).
  • Hands-on engineering ability with SQL, Python, and integrating with APIs to ETL data and automate risk reporting.
  • Experience building and running a technology and/or third-party risk register and taxonomy, including tooling and process automation.
  • Working knowledge of security and AI frameworks (NIST CSF, NIST RMF, ISO 27000 series, ISO 42001, SOC 2, PCI DSS, CIS Controls).
  • Hands-on familiarity with modern risk and security tooling: third-party risk platforms, cyber risk quantification tools, vulnerability management, and endpoint/data-security telemetry.
  • Experience authoring and maintaining security policies and standards with a governance mindset linking policy to controls and risk reduction.
  • Ability to operate independently as a second line of defense and provide credible challenge to first-line teams.
  • Proficiency communicating complex technical and risk topics to technical and non-technical audiences and translating risk into business impact.
  • Strong planning, prioritization, and cross-functional execution skills.
  • Experience leading AI risk governance or ISO 42001 readiness/certification work.
  • Experience building metrics and dashboards (KPIs, KRIs) using BI/dashboarding tools such as Tableau.
  • Experience in regulated or high-trust environments (SOC 2, ISO 27000 series, HIPAA, GDPR).
  • Threat modeling, secure design reviews, or implementing security controls in AWS; securing web applications, Kubernetes, and containers.
  • Relevant certifications (CISSP, CISM, CRISC, ISO 27001 Lead Auditor/Lead Implementer, ISO 42001/AI governance certification, Open FAIR).

What the Team is Saying

Amit
Eva
Tai
Mads
Uche
Ben
Risa
Kit
Angela
Laksh
Laksh
Devin
Anthoney Kelley
Carmel
Carmel
Andrew Bialecki
Mohamed Ali

Klaviyo Compensation & Benefits Highlights

How does Klaviyo ensure its pay and bonus plans are competitive?

Klaviyo supports competitive pay through a total rewards approach that combines salary, equity, bonus opportunities, benefits, learning support and a performance culture tied to measurable impact. 

  • Competitive total rewards: Klaviyo’s benefits overview highlights competitive salaries, 401(k) match, employee referral bonuses, equity, an employee stock purchase plan, flexible paid time off, commuter/transit support, fitness reimbursements, mental and emotional wellbeing programming and learning support. External reviews reinforce the value of the package, with employees citing competitive pay, bonuses, RSUs, ESPP, health insurance, parental leave, unlimited PTO and learning stipends as meaningful parts of the employee experience.
  • Pay connected to impact and outcomes: Klaviyo’s handbook frames performance around ownership, clarity and measurable results. The value “Know the score” states that results matter more than effort alone, while “Drivers wanted” emphasizes proactive ownership and “Be meticulous in your craft” reinforces a high bar for work quality. That creates a compensation and recognition philosophy where strong outcomes, not just activity, are central to advancement and rewards.
  • Equity and long-term value: Equity is a visible part of Klaviyo’s rewards story. Klaviyo offers equity packages to all full-time employees, vesting over four years, and provides an employee stock purchase plan. That ownership opportunity sits within a growing business: in Q1 2026, Klaviyo reported $358 million in revenue, up 28% year over year, and raised full-year 2026 revenue guidance to $1.514 billion to $1.522 billion. Those business results give employees a clear connection between company performance, long-term growth and the value of ownership-based compensation.
  • Rewards supported by growth and development benefits: Klaviyo’s compensation package is paired with benefits that help employees grow their careers and build long-term value. K-Pro Learn, learning stipends, mentorship, Career Architecture and manager development programs support continued skill-building. A customer success manager noted that Klaviyo offers a learning stipend for job-related coaching or training, while employee survey insights show 78% of respondents feel they are gaining the skills and experience to grow their careers.
  • External signals:
    • Compensation Sentiment: External reviews frequently praise Klaviyo’s competitive salary, bonuses, equity, RSUs, ESPP, 401(k) match, learning stipend and generous benefits. (Glassdoor; Comparably)
    • Rewards Ratings: Comparably rates Klaviyo’s compensation an A and perks and benefits an A. (Comparably)
    • Employee Value Signals: Reviews highlight PTO, health insurance, parental leave, office amenities, learning support and work-life balance as part of the overall rewards package. (Glassdoor; Comparably)

Bottom line: Klaviyo keeps compensation competitive by combining salary, bonus opportunities, equity, ESPP, retirement support, benefits and learning resources with a culture that rewards ownership, measurable outcomes and long-term impact.

Klaviyo Insights

Am I A Good Fit?
beta
Get Personalized Job Insights.
Our AI-powered fit analysis compares your resume with a job listing so you know if your skills & experience align.

The Company
Boston, MA
2,400 Employees
Year Founded: 2012

What We Do

Klaviyo (NYSE: KVYO) is the B2C CRM. Powered by its built-in data platform and AI, Klaviyo combines marketing automation, analytics, and customer service into one unified solution, making it easy for businesses to know their customers and grow faster. Klaviyo (CLAY-vee-oh) helps over 183,000 brands like Mattel, Glossier, Daily Harvest, and Liquid Death deliver 1:1 experiences at scale, improve efficiency, and drive revenue.

Why Work With Us

We refer to our employees as ‘Klaviyos’, and we make up a diverse community united around shared values: We’re curious, collaborative, driven, innovative, fun, and fully ourselves at work. No matter which team you join, your work won’t just impact Klaviyo. It’ll help empower our customers and enable creators across the globe to own their destinies.

Gallery

Gallery
Gallery
Gallery
Gallery
Gallery
Gallery
Gallery
Gallery
Gallery
Gallery

Klaviyo Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

Typical time on-site: 3 days a week
Company Office Image
Boston, MA
Company Office Image
Denver, CO
Company Office Image
Dublin, IE
Company Office Image
London, GB
Company Office Image
San Francisco, CA
Company Office Image
Sydney, New South Wales
Learn more

Similar Jobs

Klaviyo Logo Klaviyo

Senior Recruiter

Consumer Web • eCommerce • Marketing Tech • Retail • Software • Analytics • Generative AI
Easy Apply
Hybrid
Boston, MA, USA
2400 Employees
102K-154K Annually

Klaviyo Logo Klaviyo

Sr. Manager of GTM Incentive Compensation

Consumer Web • eCommerce • Marketing Tech • Retail • Software • Analytics • Generative AI
Easy Apply
Hybrid
Boston, MA, USA
2400 Employees
156K-234K Annually

Klaviyo Logo Klaviyo

Account Manager

Consumer Web • eCommerce • Marketing Tech • Retail • Software • Analytics • Generative AI
Easy Apply
Hybrid
Boston, MA, USA
2400 Employees
88K-133K Annually

Klaviyo Logo Klaviyo

Product Manager

Consumer Web • eCommerce • Marketing Tech • Retail • Software • Analytics • Generative AI
Easy Apply
Hybrid
Boston, MA, USA
2400 Employees
104K-156K Annually

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account