Security Program Manager

Norm Ai · East Coast · Remote · Active · $140,000–$155,000 / year · Ashby

Job facts

Company: Norm Ai
Title: Security Program Manager
Normalized title: -
Department / team: Information Security / Information Security
Location: New York City, NY, United States
Work model: Remote / Remote
Employment type: Full Time
Salary: $140,000–$155,000 / year
Status: active
ATS provider: Ashby
Posted / first seen: / 2026-05-29
Changed / last seen: 2026-06-06 / 2026-06-06

Linked records

Company: Norm Ai
Source: 1a308c7d-2ca6-48b3-8eb9-3e6affc2d81a
ATS provider: Ashby

Description

About Norm Ai

Norm Ai, the agentic law company, has a client base with a combined $30 trillion in assets under management. Norm Ai pioneered Legal Engineering, the process that empowers lawyers to build and supervise domain-specific AI agents with Norm’s proprietary suite of no-code software tools. Norm Ai technology is deployed inside many of the largest and most consequential institutions in the world.

Norm Ai is also the technology behind Norm Law, LLP, a separate but affiliated AI-native law firm built for the era of agentic AI. Norm Law’s attorneys advise leading institutions across private funds, private equity, venture capital, real estate, registered funds, and financial regulation, using the same legal intelligence platform that powers Norm Ai’s products.

AI Fluency: Norm Ai expects all team members to be fluent in AI. Successful candidates actively use AI in their day-to-day work to support thinking, creation, and problem-solving. They use it to improve the quality and speed of their work and to continuously refine how work gets done end-to-end. Candidates should be prepared to demonstrate and discuss their AI usage throughout the interview process, including concrete examples of tools, workflows, and outcomes. We look for practical, hands-on experience, not theoretical familiarity.

This Role: The Security Program Manager at Norm Ai is a hybrid between a GRC Manager and a Program Manager within the Office of the Chief Security Officer. You will own the execution of Norm Ai's security compliance programs, serve as the CSO's operational right hand, and drive cross-functional security and compliance initiatives across Engineering, Legal, IT, and the affiliated Norm Law practice. Security is your primary function, but this role sits at the intersection of compliance execution, risk management, and day-to-day program operations. You are the person who brings structure to ambiguity and makes sure nothing falls through the cracks.

You Will:

- Own and mature the GRC program across SOC 2 Type II, ISO 27001, and other applicable frameworks, including control mapping, evidence collection, gap analysis, remediation tracking, and audit coordination.
- Serve as the primary liaison with external auditors and certification bodies; manage the full audit lifecycle from scoping and evidence gathering through report issuance.
- Build and maintain the enterprise risk register; conduct periodic risk assessments and track risk treatment plans to closure with clear stakeholder accountability.
- Lead the vendor security assessment program: evaluate third-party security posture, manage security questionnaires, and track remediation to completion.
- Maintain and update security policies, standards, and procedures; own the policy review lifecycle from drafting through approval.
- Manage priorities, track deliverables, and maintain operational cadence across the security organization including but not limited to staff meetings, quarterly planning, board reporting.
- Drive cross-functional security initiatives and ensure alignment between Security, Engineering, Product, Legal, IT, and Business teams.
- Manage security OKRs, KPIs, and metrics reporting; prepare dashboards and executive summaries for leadership and board audiences.
- Coordinate incident response program readiness: maintain runbooks, organize tabletop exercises, and drive post-incident reviews to ensure lessons learned are captured and tracked.
- Design, implement, and manage the security awareness and training program, including phishing simulations and effectiveness reporting.
- Participate in client due diligence reviews and manage the intake process for inbound security questionnaires.
- Support business continuity and disaster recovery planning in coordination with Engineering and IT.

Skills & Experience - Core:

- 5+ years of experience in security program management, GRC, or a related security operations role.
- Hands-on experience managing compliance programs across at least two major frameworks (e.g., SOC 2, ISO 27001, GDPR, HIPAA). You don't need to be a security controls expert, but you need to know how audits work and how to run one.
- Working knowledge of risk management frameworks such as NIST RMF, ISO 31000, or FAIR.
- Experience with GRC and compliance automation tooling; we use Vanta.
- Strong project management skills with the ability to manage multiple concurrent initiatives; experience with Linear, Jira, Notion, or equivalent tools.
- Comfortable using AI tools to accelerate security and compliance work.
- Experience coordinating external audits and working directly with auditors.
- Familiar enough with cloud environments (AWS) and developer tooling (GitHub) to have substantive conversations with engineering teams.
- Proven ability to drive cross-functional work without direct authority.
- Clear, concise communicator; experienced preparing executive-level updates and board materials.
- Background in a fast-paced startup, scale-up, or boutique consulting environment where you had to build programs with limited resources.

Skills & Experience - Pluses:

- Experience in a strategic operations role within a security or technology organization.
- Background in government, financial services, or other highly regulated industries.
- Relevant certifications: CISSP, CISM, CRISC, CISA, CGRC, or PMP.

What Success Looks Like

30 Days:

- Map the existing security program and compliance calendar; understand Norm Ai's current control environment, open audit gaps, and active risks.
- Get fully onboarded into Vanta, Linear, and Notion and establish working relationships with the CSO, Director of Compliance, Engineering leads, and Legal.
- Identify the most pressing open thread and start driving it.

60 Days:

- Own the GRC program calendar with a clear view of upcoming audit milestones, evidence collection owners, and remediation timelines.
- Establish a regular reporting cadence for the CSO, including OKR tracking and cross-functional status updates.
- Have moved at least one active compliance or risk initiative from intake to measurable progress.

Location / Office Requirement

This role is open to candidates based anywhere on the East Coast. Travel to the office is expected approximately once per quarter for remote employees. Candidates local to New York City and within commuting distance of our office will be expected to come in 3-4 days per week.

Compensation and Benefits

$140,000-$155,000 per year plus equity.

The range displayed in this job posting reflects the minimum and maximum target for new hire salary for this position. Within the range, individual pay is determined by various factors, including job-related skills (as uncovered during the interview process), experience, and relevant education or training. Please note that the compensation details listed here reflect the base salary only, and do not include equity or benefits.

We offer a competitive salary along with equity compensation. Our comprehensive benefits package includes a 401(k) plan with an employer match. Employees enjoy top-tier insurance coverage, encompassing health, dental, hospital, accident, and vision plans. For candidates needing to relocate to NYC, we provide relocation reimbursement. You'll thrive in our fast-paced learning environment where professional growth is constant.

To learn more about Norm Ai, visit our website.

Full job record

Job ID: 7b5ac27ddd79097a607a3ac353f3f0e7a351109b
Org ID: 69e9f373-d07c-4b30-87d8-bfe034fb8a52
Source ID: 1a308c7d-2ca6-48b3-8eb9-3e6affc2d81a
Board ID: 1a308c7d-2ca6-48b3-8eb9-3e6affc2d81a
Provider: ashby
Provider Job Key: 3fd0b773-58b9-48d9-9ab1-ba8078072c88
Title: Security Program Manager
Normalized Title:
Status: active
Active: yes
Location Text: East Coast
Department: Information Security
Team: Information Security
Employment Type: full_time
Workplace Type: remote
Remote Policy: remote
Country: United States
Region: NY
City: New York City
Salary Raw: Compensation and Benefits $140,000-$155,000 per year plus equity
Salary Min: 140,000
Salary Max: 155,000
Salary Currency: USD
Salary Period: year
Source URL: https://jobs.ashbyhq.com/norm-ai/3fd0b773-58b9-48d9-9ab1-ba8078072c88
Apply URL: https://jobs.ashbyhq.com/norm-ai/3fd0b773-58b9-48d9-9ab1-ba8078072c88/application
First Seen At: 2026-05-29 05:21:22Z
Last Seen At: 2026-06-06 19:30:31Z
Last Checked At: 2026-06-06 19:30:31Z
Last Changed At: 2026-06-06 08:47:34Z
Inactive At:
Source Posted At:
Source Updated At:
Raw Payload Uri: s3://job-postings-prod-raw-590183727216/raw/provider=ashby/board=norm-ai/date=2026-06-06/2026-06-06T19-30-30-949Z-c3d72fc4977c5db9306ee354a716813d3e0bfe32749304ab4b66e4f866d14e99.json
Event Fields
{
  "content_hash": "1fd500cb223587c7a0ac7447faa30ba75b05613ce07da3099667024a1e7912a2",
  "source_hash": "175bc09aaea66b1e01cc558fc949c9efb1bfce9df82963c989a01d012331b40b",
  "last_changed_at": "2026-06-06T08:47:34.521Z",
  "active_status": "active"
}
Parsed Structured
{
  "language": "en",
  "location": {
    "raw": "New York City",
    "city": "New York City",
    "region": "NY",
    "country": "United States",
    "is_remote": true,
    "confidence": 0.75
  },
  "salary_max": 155000,
  "salary_min": 140000,
  "inferred_at": "2026-06-06T19:30:31.615Z",
  "launch_scope": {
    "reason": "english_us_canada",
    "included": true,
    "language": "en",
    "location": {
      "raw": "New York City",
      "city": "New York City",
      "region": "NY",
      "country": "United States",
      "is_remote": true,
      "confidence": 0.75
    },
    "countries": [
      "United States"
    ]
  },
  "remote_policy": "remote",
  "salary_period": "year",
  "workplace_type": "remote",
  "salary_currency": "USD"
}
Extensions
{}
Native Structured
{
  "id": "3fd0b773-58b9-48d9-9ab1-ba8078072c88",
  "team": "Information Security ",
  "title": "Security Program Manager",
  "jobUrl": "https://jobs.ashbyhq.com/norm-ai/3fd0b773-58b9-48d9-9ab1-ba8078072c88",
  "address": null,
  "applyUrl": "https://jobs.ashbyhq.com/norm-ai/3fd0b773-58b9-48d9-9ab1-ba8078072c88/application",
  "isListed": true,
  "isRemote": true,
  "location": "East Coast ",
  "updatedAt": null,
  "apiVersion": "ashby-non-user-graphql-v1",
  "department": "Information Security ",
  "publishedAt": null,
  "workplaceType": "Remote",
  "employmentType": "FullTime",
  "secondaryLocations": [
    {
      "location": "New York City"
    }
  ]
}
Get this page with API

Rendered from the bluedoor Job Postings API. Reproduce it:

GET https://api.bluedoor.sh/job-postings/v1/jobs/7b5ac27ddd79097a607a3ac353f3f0e7a351109b?include=description
GET https://api.bluedoor.sh/job-postings/v1/orgs/69e9f373-d07c-4b30-87d8-bfe034fb8a52
GET https://api.bluedoor.sh/job-postings/v1/sources/1a308c7d-2ca6-48b3-8eb9-3e6affc2d81a
GET https://api.bluedoor.sh/job-postings/v1/jobs/7b5ac27ddd79097a607a3ac353f3f0e7a351109b/events