Information Security Manager

About this Role: 

The Information Security Manager is a key individual contributor on Kibo's Information Security

team, owning day-to-day execution of our compliance and assurance programs — primarily PCI

DSS v4.0.1 and SOC 2, with growing scope across ISO 27001, GDPR / UK GDPR, and US state

privacy regimes (e.g., CCPA). This role reports directly to Kibo's Head of Engineering and partners

closely with Cloud Engineering, DevOps, IT, Legal, and Product.

Success requires strong information security and compliance fundamentals, working knowledge

of cloud environments (AWS and GCP), excellent vendor and stakeholder management, and the

ability to translate framework requirements into concrete, prioritised work for engineering

teams.

ABOUT KIBO 

KIBO is a composable digital commerce platform for B2C, D2C, and B2B organizations who want to simplify the complexity in their businesses and deliver modern customer experiences.  KIBO is the only modular, modern commerce platform that supports experiences spanning B2B and B2C Commerce, Order Management, and Subscriptions. Companies like Ace Hardware, Zwilling, Jelly Belly, Nivel, and Honey Birdette trust Kibo to bring simplicity and sophistication to commerce operations and deliver experiences that drive value.   

KIBO's cutting-edge solution is MACH Alliance Certified and has been recognized by Forrester, Gartner, IDC, Internet Retailer, and TrustRadius. KIBO has been named a leader in The Forrester Wave™: Order Management Systems, Q1 2025 and in the IDC MarketScape report “Worldwide Enterprise Headless Digital Commerce Applications 2024 Vendor Assessment”.

By joining KIBO, you will be part of a team of Kibonauts all over the world in a remote-friendly environment. Whether your job is to build, sell, or support KIBO’s commerce solutions, we tackle challenges together with the approach of trust, growth mindset, and customer obsession. If you’re seeking a unique challenge with amazing growth potential, then come work with us!

What You’ll Do:

Essential Responsibilities

Compliance program ownership

● Audit & assessment lead — Coordinate all information security assessments and audits,

including PCI DSS v4.0.1, SOC 2, ISO 27001, and any internal governance or controls

oversight.

● Auditor engagement — Manage external auditor and assessor relationships end-to-end:

requests, evidence packages, findings, status, remediation plans, and follow-up validation.

● PCI scope management — Maintain Cardholder Data Environment (CDE) and non-CDE

boundaries, network architecture diagrams, firewall / ACL rules, VPN access reviews, and

critical-asset inventories.

● Portfolio mandates — Track and report compliance posture against Kibo's

investor/portfolio-level security mandates, including private-equity portfolio hardening and

Mythos-era requirements.

External assessment and vendor management

● Pen-test / VAPT engagements — Manage relationships with external assessment firms (e.g.,

Accorian, TAC Security, Ampcus Cyber). Drive scope, timelines, fieldwork, retests, and

reporting.

● Security tooling evaluations — Lead evaluations and onboarding of MDR / XDR, CNAPP, EDR,

PAM, threat intelligence (e.g., CloudSEK, Cyble, SecurityScorecard), and

vulnerability-scanning solutions.

Risk, vulnerability, and exposure management

● Vulnerability remediation — Drive CVE and dependency remediation across a large software

estate (hundreds of repositories), partnering with Cloud Engineering on Dependabot rollout,

prioritization, and developer hygiene.

● Exposure triage — Triage external exposure findings, threat-intel hits, and third-party

security disclosure reports to documented closure.

● Incident response — Participate in IR preparation, detection, containment, eradication,

recovery, and post-incident review. Own the IR program's compliance artifacts.

Policy, training, and awareness

● Policy & standards — Maintain Information Security Policy and Standards documentation.

Manage waivers, exceptions, and review cycles.

● Awareness program — Own the security awareness and training program: content

development, scheduled annual training, reporting metrics, and audience-specific tracks

(engineering, customer support, leadership).

Client and partner support

● Customer assurance — Respond to client security questionnaires (SIG, CAIQ, custom), RFP

security sections, and contract security schedules.

● Legal & HR support — Support investigations, e-discovery, and court-ordered data

submission requests as needed.

Operational security

● Subject-matter guidance — Advise DevOps, Cloud Engineering, IT, Product, and business

teams on controls, risk, and process improvements.

● Day-to-day operations — Assist with operational security activities including data loss

prevention, vulnerability scanning, WAF tuning and alert review, and periodic access reviews.