Cybersecurity Program Manager - Third Party Risk Management & Technology Risk Management

Region: United States of America

State: Remote

City: Remote

Business Unit: Store Support Centre (SSC)

Time Type: Full-time

Description & Requirements

Cybersecurity Program Manager - Third Party Risk Management & Technology Risk Management

Who we are

lululemon is a yoga-inspired technical apparel company up to big things. The practice and philosophy of yoga informs our overall purpose to elevate the world through the power of practice. We are proud to be a growing global company with locations all around the world, from Vancouver to Shanghai, and places in between. We owe our success to our innovative product, our emphasis on our stores, our commitment to our people, and the incredible connections we get to make in every community we are in.

About this team

The IT Security and Compliance team is made up of cybersecurity experts, problem solvers, insight and solution generators, and trusted compliance advisors to the business. We leverage our risk, information security and control expertise to support risk management, IT Security and Regulatory Compliance, and to drive continuous process improvements and cost savings. We also partner with various parts of the business (Brand, Product, IT, and Finance, to name a few) and engage in open dialogue to tap into the creativity of our people and action innovative solutions. This role requires the ability to work Pacific Standard Time hours.

A day in the life:

·       Support a culture of risk management, with risk and control visibility, measurable risk reduction, and effective reporting and governance of risk reduction activities.

·       Develop a Third Party Risk Management assessment lifecycle; establish new policy, and review / update existing risk management policy, standards and procedures.

·       Establish a Technology Risk Management methodology by adopting NIST RMF (SP800-37), CIS v8 Top 18, COBIT 2019, CSA CCM / CSA STAR registry or ISO 31000:2018 frameworks.

·       Optimize program capabilities in planning, organizing, and integrating cross-functional information technology projects that are significant in scope and impact to the IT Risk and Third Party Management team goals.

·       Measure, manage and mature the program: track progress, drive improvements, and develop and report KPIs, KRIs, process metrics and management dashboards.

·       Maintain the organization's effectiveness and efficiency by defining, delivering, and supporting strategic analysis and plans for implementing the IT Risk and Third Party program management process.

·       Participate in performing IT Risk Assessments of all new projects, technology implementations, and new and existing vendor onboarding assessments.

·       Determine information security risk profiles for various systems, assets, data, vendors etc., using knowledge of lululemon policy, frameworks, standards and relevant industry best practices.

·       Conduct risk assessments: characterize the system, identify threats / vulnerabilities and control deficiencies, determine likelihood, analyze impact, assign risk levels, recommend compensating controls and document results.

·       Collaborate in stakeholder management, risk articulation, communication, risk reviews, and driving risk acceptance and risk treatment activities.

·       Execute automation in applying GRC workflows, tracking the risk life-cycle, and engaging, monitoring, remediating and reporting risks.

·       Identify needs, and develop and implement technology-related continuous improvement initiatives for the department.


·       5+ years of Technology Risk Management and Third Party Risk Management experience, or a combination of IT-GRC and information security experience

·       Bachelor’s degree with proficiency in Management Information Systems, Technology Management or Cybersecurity

·       Expertise in technical program management, particularly in areas of security, and/or technology risk management

·       Demonstrated ability to analyze information and assimilate into consumable management reporting

·       Professional certification such as CISM, CRISC, CISSP or PMP is a plus

·       Knowledge/experience with data security and privacy frameworks and regulations (e.g. NIST CSF, ISO 27001, PCI DSS, GDPR).

·       Effective communication and relationship-building skills, a natural affinity for being curious and inquisitive, and an ability to work with ambiguity, analyze situations and problem solve.

Must haves:

·       Acknowledges the presence of choice in every moment and takes personal responsibility for their life.

·       Possesses an entrepreneurial spirit and continuously innovates to achieve great results.

·       Communicates with honesty and kindness, and creates the space for others to do the same.

·       Leads with courage, knowing the possibility of greatness is bigger than the fear of failure.

·       Fosters connection by putting people first and building trusting relationships.

·       Integrates fun and joy as a way of being and working, aka doesn’t take themselves too seriously.