Sr. Program Manager – Governance Risk & Compliance (GRC)


Primary duties and responsibilities will include:

• Navigate and evolve the Information Security Risk Management program by driving best-practice improvements to the identification, remediation, and risk reporting processes.
• Execute Sleep Number’s Third-Party Risk Management capability and recommend improvements.
  ◦ This includes executing assessments, reviewing attestations, identifying efficiency opportunities, partnering with the legal team on contract provisions relating to security, championing maturation initiatives, and improving end-user experience and reporting.
• As directed, manage Information Security Policy & Standards, which may include some security awareness activities to support the Policy and Standards and tracking feedback for future iterations.
• Assess security risks against industry standards and regulatory requirements while maintaining a clear understanding of the Sleep Number business. The ability to flex between inherent and residual risk is imperative, as is the ability to readily recognize different risk levels and focus time and effort on the most critical risks.
• Problem-solve and work through day-to-day blockers, knowing when to escalate versus self-solve, while building and maintaining productive business relationships.
• Work closely with Information Security Architecture, Security Engineering, Enterprise Architecture, Legal and relevant operational teams to gather data and insights leading to holistic security risk
• Communicate information security and compliance risks to leadership to ensure proper awareness and decision making.
• Maintain risk management initiatives and/or assessments in a GRC platform such as ServiceNow or others.
• Contribute security input to the development of metrics, reporting and insights.

Minimum Qualifications:

• 4-6 years of experience within large-scale information security risk management programs or information security audit.
• 4-6 years of Information Technology and/or Information Security experience.
• Demonstrated knowledge of a broad range of technical concepts: logical access control, agile development process/DevSecOps, secure coding principles, security architecture frameworks and methods, information security, cloud security, network security, and privacy.
• Strong organizational skills, with the ability to thrive in a sense-of-urgency environment, navigate ambiguity, leverage best practices, and approach any problem as a team player with a can-do attitude.
• Strong written and verbal communication skills and the ability to interface with all levels of business and executive leadership.
• In-depth knowledge of information security management system standards and frameworks (ISO 27001, NIST CSF), information technology regulatory and compliance requirements (e.g., PCI-DSS, GDPR, CCPA, HIPAA), and industry best practices.

Some intermittent travel may be required (5-10%).

Preferred Qualifications:

• Bachelor of Science and/or Master’s in CIS/MIS/CS/CE, Engineering/Technology or a related field, or equivalent experience/training.
• Strong understanding of information security industry standards and best practices (e.g., NIST, ISO 27001, HITRUST) and of various regulatory bodies and their security requirements (PCI-DSS, HIPAA, CCPA, SOX, GDPR), including a working knowledge of key privacy concerns.
• Strong oral and written communication skills, including a natural ability to tailor communication to various audiences. Ability to solve problems.
• Must be a creative problem solver, flexible, proactive, and able to work in a fast-paced, ever-changing environment.

Preferred Skills:

• Experience in Retail and/or eCommerce.
• PCI QSA or ISA certification a plus.
• Experience with HITRUST.
• Familiarity with cloud security controls in a cloud environment (e.g., AWS, Azure, Rackspace).
• Ability to advise legal teams on information security requirements within contracts.
• CISSP certification (confirmed experience exceeding the required years can substitute for this requirement).
• Non-CISSP-certified candidates would be expected to pursue CISSP certification as part of developmental expectations within 18 months of start date.

Working Conditions

• Intermittent weekend and evening work may be required for production or operational support, during implementations and to meet project deadlines.
• Ability to travel up to 10%.

Job ID R7087
Sophia, Customer Service Representative

“Sleep is integral to a happy healthy lifestyle and it has such a huge impact on everyday life. Sleep Number is a unique company to work for because you’re truly helping people.”
