Information Security Manager

About this Role: 

The Information Security Manager is a key individual contributor on Kibo's Information Security
team, owning day-to-day execution of our compliance and assurance programs — primarily PCI
DSS v4.0.1 and SOC 2, with growing scope across ISO 27001, GDPR / UK GDPR, and US state
privacy regimes (e.g., CCPA). This role reports directly to Kibo's Head of Engineering and partners
closely with Cloud Engineering, DevOps, IT, Legal, and Product.
Success requires strong information security and compliance fundamentals, working knowledge
of cloud environments (AWS and GCP), excellent vendor and stakeholder management, and the
ability to translate framework requirements into concrete, prioritised work for engineering
teams.

ABOUT KIBO 

KIBO is a composable digital commerce platform for B2C, D2C, and B2B organizations who want to simplify the complexity in their businesses and deliver modern customer experiences.  KIBO is the only modular, modern commerce platform that supports experiences spanning B2B and B2C Commerce, Order Management, and Subscriptions. Companies like Ace Hardware, Zwilling, Jelly Belly, Nivel, and Honey Birdette trust Kibo to bring simplicity and sophistication to commerce operations and deliver experiences that drive value.   

KIBO's cutting-edge solution is MACH Alliance Certified and has been recognized by Forrester, Gartner, IDC, Internet Retailer, and TrustRadius. KIBO has been named a leader in The Forrester Wave™: Order Management Systems, Q1 2025 and in the IDC MarketScape report “Worldwide Enterprise Headless Digital Commerce Applications 2024 Vendor Assessment”.

By joining KIBO, you will be part of a team of Kibonauts all over the world in a remote-friendly environment. Whether your job is to build, sell, or support KIBO’s commerce solutions, we tackle challenges together with the approach of trust, growth mindset, and customer obsession. If you’re seeking a unique challenge with amazing growth potential, then come work with us!

What You’ll Do:

Essential Responsibilities
Compliance program ownership
● Audit & assessment lead — Coordinate all information security assessments and audits,
including PCI DSS v4.0.1, SOC 2, ISO 27001, and any internal governance or controls
oversight.
● Auditor engagement — Manage external auditor and assessor relationships end-to-end:
requests, evidence packages, findings, status, remediation plans, and follow-up validation.
● PCI scope management — Maintain Cardholder Data Environment (CDE) and non-CDE
boundaries, network architecture diagrams, firewall / ACL rules, VPN access reviews, and
critical-asset inventories.
● Portfolio mandates — Track and report compliance posture against Kibo's
investor/portfolio-level security mandates, including private-equity portfolio hardening and
Mythos-era requirements.
External assessment and vendor management
● Pen-test / VAPT engagements — Manage relationships with external assessment firms (e.g.,
Accorian, TAC Security, Ampcus Cyber). Drive scope, timelines, fieldwork, retests, and
reporting.
● Security tooling evaluations — Lead evaluations and onboarding of MDR / XDR, CNAPP, EDR,
PAM, threat intelligence (e.g., CloudSEK, Cyble, SecurityScorecard), and
vulnerability-scanning solutions.
Risk, vulnerability, and exposure management
● Vulnerability remediation — Drive CVE and dependency remediation across a large software
estate (hundreds of repositories), partnering with Cloud Engineering on Dependabot rollout,
prioritization, and developer hygiene.
● Exposure triage — Triage external exposure findings, threat-intel hits, and third-party
security disclosure reports to documented closure.
● Incident response — Participate in IR preparation, detection, containment, eradication,
recovery, and post-incident review. Own the IR program's compliance artifacts.
Policy, training, and awareness
● Policy & standards — Maintain Information Security Policy and Standards documentation.
Manage waivers, exceptions, and review cycles.
● Awareness program — Own the security awareness and training program: content
development, scheduled annual training, reporting metrics, and audience-specific tracks
(engineering, customer support, leadership).
Client and partner support
● Customer assurance — Respond to client security questionnaires (SIG, CAIQ, custom), RFP
security sections, and contract security schedules.
● Legal & HR support — Support investigations, e-discovery, and court-ordered data
submission requests as needed.
Operational security
● Subject-matter guidance — Advise DevOps, Cloud Engineering, IT, Product, and business
teams on controls, risk, and process improvements.
● Day-to-day operations — Assist with operational security activities including data loss
prevention, vulnerability scanning, WAF tuning and alert review, and periodic access reviews.