Information Security & Risk Manager

Position Summary

The Information Security and Risk Manager will lead the company’s efforts to strengthen information security practices, manage organizational risk, and achieve and maintain SOC 2 compliance. This role is responsible for designing, implementing, and operating security and risk management programs tailored to a SaaS environment. The ideal candidate combines a hands-on understanding of cloud security and compliance frameworks with the ability to influence cross-functional teams and drive continuous improvement in a fast-growing technology company. 

Key Responsibilities

Security Program Development & SOC 2 Readiness 

  • Design and maintain the company’s information security program aligned with the SOC 2 Trust Services Criteria in scope (Security, Availability, Confidentiality, and Privacy).

  • Lead the SOC 2 audit readiness and ongoing compliance program, including documentation, evidence collection, and auditor coordination. 

  • Implement and manage security controls across infrastructure, applications, and business operations. 

  • Coordinate with Engineering, IT, and Operations to ensure security by design practices are embedded in product development and deployment. 


Cloud & Infrastructure Security 

  • Manage security posture on Hubio’s cloud environment (AWS), including access controls, encryption, logging, and monitoring. 

  • Conduct periodic vulnerability assessments and configuration reviews, and coordinate third-party penetration tests.

  • Collaborate with DevOps to strengthen CI/CD pipeline security and enforce secure coding practices. 


Risk Management 

  • Develop and maintain a risk management framework identifying, assessing, and mitigating security, operational, and third-party risks. 

  • Maintain a risk register, track mitigation progress, and report metrics to leadership. 

  • Lead vendor security due diligence, assessing third-party providers’ controls and compliance. 

  • Support business continuity and incident response planning and exercises. 


Compliance & Governance 

  • Maintain ongoing compliance with SOC 2, ISO 27001, and data protection regulations (e.g., GDPR, CCPA). 

  • Manage internal security reviews, audits, and evidence collection to support certification and attestation processes. 

  • Collaborate with the management team to align on data handling, retention, and protection policies.


Awareness, Training & Culture 

  • Lead company-wide security awareness and training programs to promote a culture of security-first thinking. 

  • Provide guidance and best practices to internal teams to ensure consistent control adherence. 

  • Communicate clearly with technical and non-technical stakeholders on risk posture and security initiatives. 

Qualifications

Education & Experience 

  • Bachelor’s degree in Information Security, Computer Science, or a related field. 

  • 5+ years of experience in information security or risk management, preferably within a SaaS or cloud-based organization.

  • Proven experience managing or supporting SOC 2, ISO 27001, or similar compliance frameworks. 

  • Familiarity with cloud security principles and tools (AWS IAM, CloudTrail, GuardDuty, Microsoft Defender for Cloud (formerly Azure Security Center), etc.).

Certifications (preferred) 

  • CISSP, CISM, CRISC, or ISO 27001 Lead Implementer. 

  • CSA CCSK or CCSP (Cloud Security certifications) are an asset. 

Skills 

  • Strong understanding of SaaS architectures, DevSecOps, and shared responsibility models in the cloud. 

  • Excellent grasp of risk assessment methodologies, internal controls, and audit processes. 

  • Strong communication and stakeholder management skills; able to influence without authority. 

  • Analytical mindset with a balance of technical depth and strategic oversight. 

Key Performance Indicators (KPIs) 

  • Successful achievement and renewal of SOC 2 Type II attestation.

  • Reduction in open security risks and vulnerabilities, measured against the risk register and remediation deadlines.

  • Timely completion of risk assessments and remediation plans. 

  • Increased employee engagement in security awareness training. 

  • Clean audit results with minimal remediation actions required.

Why Join Us?

  • Opportunity to own the GRC function end-to-end. 

  • Be part of a fast-growing Insurtech SaaS company making an impact in the insurance industry. 

  • Chance to collaborate with all parts of the organization. 

  • Work in a values-driven culture that emphasizes accountability, innovation, and client trust. 

  • Flexible hybrid work model with occasional travel to client sites.

Working Environment

  • Established company with a great start-up culture

  • Hybrid work model

  • Located in the heart of Downtown Toronto, 7-minute walk from Union Station

How to Apply: If you're ready to take on an exciting new challenge and help drive innovation in the insurance industry, we'd love to hear from you! Please submit your resume and cover letter to jobs@hubio.com with the subject line "Information Security and Risk Manager".  
