About Canoo

Canoo has developed breakthrough electric vehicles that are reinventing the automotive landscape with bold innovations in design, pioneering technologies, and a unique business model that defies traditional ownership to put customers first. Distinguished by its experienced team – totaling over 500 employees from leading technology and automotive companies – Canoo has designed a modular electric platform purpose-built to deliver maximum vehicle interior space and adaptable to support a wide range of vehicle applications for consumers and businesses. With offices around the country, the company is scaling quickly and seeking candidates who love to challenge themselves, are motivated by autonomy and purpose, and get things done.

Job Purpose

The Information Security Risk Management (ISRM) team is responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating, and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise. The ISRM position requires an experienced individual with sound knowledge of Cyber Security, Cyber Security frameworks, Privacy, Risk Assessments, and control design and assessment. The ISRM team will proactively work with business units and IT (Process Owners) to implement practices that meet defined policies and standards for information security.


  • Manage 2nd line of defense for Technology Risk Governance, policies and compliance
  • Assess the accuracy and adequacy of risks and controls
  • Develop and manage an integrated repository of authoritative risks and controls (across Canoo regulatory requirements and industry standards like NIST), and work across Canoo to assign Process and Control ownership, testing cadence, RCSA, and Enterprise Cyber Security Risk reporting (a/k/a Risk and Control Matrix - RCM)
  • Roll out and facilitate routine Cyber Security Risk Assessments per a schedule and cadence agreed to by Process Owners and Internal Audit
  • Roll out and operate Third Party Cyber Security Risk Management (TPCRM) program, in conjunction with Canoo Legal and Procurement stakeholders
  • Roll out and operate Privacy program, including CCPA and GDPR compliance
  • Roll out and operate Business Continuity Management (BCM) and Disaster Recovery (DR) program
  • Roll out and operate a Cyber Security Risk Registrar and Exception process, including tools and technologies. Engage with Process and Control owners to operationalize
  • Team with Canoo Internal Audit (3rd line of defense) to prioritize technology risks, align audit schedules and engage with External Auditor (4th line of defense)
  • Identify and ensure compliance with all laws and regulations relating to Cyber Security
  • Perform intakes on new programs, projects and changes, determine the information security impact and provide relevant security requirements
  • Create security awareness
  • Facilitate control walkthrough activities with internal/external auditors for IT SOX activities including but not limited to ITGC coordination, SOC1/2 report reviews, and key report testing
  • Participate in annual planning and maintenance of the IT risk control matrix
  • Collaborate with internal and external auditors to ensure IT SOX and compliance requirements are being met
  • Support and manage the detailed testing of controls to ensure risks are appropriately identified, audit procedures are applied and controls are operating to mitigate the identified risks
  • Build strong relationships with IT, other internal departments, internal and external auditors


    • Minimum of 8 years of relevant experience in ISRM and assessments/audits
    • Must have knowledge and experience with security standards and frameworks, including NIST and ISO 27001 and ISO 31000 Risk Management frameworks
    • Experience in Enterprise Risk Management and ISRM, including RCMs and control testing
    • Must have 1 – 2 of the following certifications: CRISC, CDPSE, CISA, CISM, and/or CISSP
    • Strong understanding of SOX IT requirements, COSO/COBIT framework, experience testing ITGCs and ITACs, Separation of Duties (SoD) rules reports, interfaces, and integrations
    • Ability to communicate technical concepts effectively across functions and all levels of management
    • Ability to function in a changing environment and obtain alignment when requirements are not clear
    • Excellent verbal and written communication skills
    • Confident in asking questions and raising concerns/issues to ensure risks are mitigated

    What's Cool About Working Here...

    • Work in a high-growth start-up company that will redefine urban mobility
    • Be part of an inspirational, energetic, collaborative, authentic, and diverse environment
    • Participate in excellent benefits and a flexible PTO policy
    • Participate in the Employee Equity Compensation Plan
    • Enjoy a casual workplace with an unbelievable feeling of energy

    Canoo is an equal opportunity-affirmative action employer and considers all qualified applicants for employment based on business needs, job requirements and individual qualifications without regard to race, color, religion, sex, age, disability, sexual orientation, gender identity or expression, marital status, past or present military service or any other status protected by the laws or regulations in the locations where we operate.

    Any unsolicited resumes or candidate profiles submitted in response to our job posting shall be considered the property of Canoo Inc. and its subsidiaries and are not subject to payment of referral or placement fees if any such candidate is later hired by Canoo unless you have a signed written agreement in place with us which covers the applicable job posting.