Overview
Medallia is the pioneer and market leader in Experience Management. Our award-winning SaaS platform, Medallia Experience Cloud, leads the market in the understanding and management of experience for candidates, customers, employees, patients, citizens and residents.
We are more than a software company. We want to be known as a company that does the right thing, no matter the challenge or controversy. We are committed to creating a culture that values every person and every experience. Individual life experiences shape the way we interact with the world, which is why we encourage people to bring their whole selves to work each day. The strength of our global workforce is the most significant contributor to our success.
We believe: Every Experience Matters. Talent is Everywhere. All Belong Here.
At Medallia, we hire the whole person.
Responsibilities
- Conduct comprehensive assessments to identify, evaluate, and prioritize risks associated with the organization’s operations, including those related to security, privacy, compliance with different frameworks and business continuity.
- Develop, track, implement, and maintain risk mitigation strategies, including security controls, incident response plans, and disaster recovery plans, to minimize potential risks and ensure the organization’s resilience.
- Evaluate and assess the security, privacy, and compliance practices of third-party vendors and partners, including conducting AI security reviews, to ensure alignment with the organization’s standards.
- Review and assess vendor contracts to ensure compliance with the organization’s security and compliance requirements, identifying potential risks and negotiating terms to mitigate them.
- Continuously monitor third-party vendors for any changes in their operations, security postures, or compliance statuses that could introduce new risks to the organization.
- Establish and maintain robust access control policies to ensure that employees have appropriate access levels based on their roles and responsibilities, enforcing least-privilege and need-to-know principles and preventing unauthorized access to sensitive information.
- Conduct regular reviews and audits of user access to systems and data to ensure compliance with established access policies, identifying and revoking unnecessary or outdated access.
- Define and manage roles within the organization, ensuring that access to sensitive information is granted based on role requirements and that only authorized personnel have access.
- Develop and deliver comprehensive training programs aimed at educating employees on compliance, security, and risk management practices, ensuring that all personnel are aware of their responsibilities and best practices.
- Design and execute awareness campaigns to keep security, compliance, and risk management top-of-mind for all employees, reinforcing the importance of adherence to policies and procedures.
- Support security audits and compliance governance activities across the company.
- Support maintenance of the controls matrix in alignment with multiple compliance frameworks including SOC 2, ISO 27001/27701/27017/27018, PCI, HITRUST and HIPAA.
Qualifications
Minimum Qualifications
- 3+ years of experience in risk management, security assessments, or a related role.
- Strong understanding of risk management frameworks, regulatory requirements, and industry best practices. Experience working with technology governance, internal controls, and compliance activities such as IT Audit, ISO 27001/17/18, SOC 2, PCI, HIPAA, FedRAMP, HITRUST and Data Privacy laws and regulations.
- Experience supporting, assessing, certifying, and driving execution of technology risk assessment methodologies, audits, or regulatory compliance initiatives.
- Proficient with audit testing best practices and relevant documentation standards.
- Experience with third-party risk management, including vendor assessments and contract reviews.
- Proficiency in developing and implementing access control policies and conducting periodic access reviews.
- Highly organized, with proven ability to oversee and manage multiple work streams across diverse stakeholder groups.
- Excellent written and oral communication skills with an ability to effectively communicate security topics to a variety of audiences.
Preferred Qualifications
- Strong leadership capabilities, collaborative attitude and motivation to work in a fast-paced environment.
- Ability to analyze, communicate, and articulate governance and compliance trends and program requirements.
- Big 4 or SaaS company experience and industry certifications such as CISA, CISSP, CISM, PMP or CRISC are a plus.
- Ability to work closely with people at all levels of the organization and facilitate the implementation of corrective action as needed.
- Demonstrated ability to articulate complex technical and security information into business terms and solutions.
Medallia also offers competitive health and wellness benefits, including but not limited to medical, dental, vision, 401(k), short-term and long-term disability, life and AD&D insurance, statutory leaves, paid parental leave, and paid holidays. Benefits and eligibility may vary by location and role.
At Medallia, we celebrate diversity and recognize the value it brings to our customers and employees. Medallia is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, national origin, genetic information, disability, veteran status, or any other applicable status protected by state or local law. Individuals with a disability who need an accommodation to apply should contact us at ApplicantAccessibility@medallia.com. For information regarding how Medallia collects and uses personal information, please review our Privacy Policies. Applications will be accepted for 30 days from the date this role was posted or until the role has been filled.