
Information Security Manager

CentralSquare Technologies

India (Remote), posted 1 month ago


Job Type

full time

Description

About this Role:

The Information Security Manager is a key individual contributor on Kibo's Information Security team, owning day-to-day execution of our compliance and assurance programs — primarily PCI DSS v4.0.1 and SOC 2, with growing scope across ISO 27001, GDPR / UK GDPR, and US state privacy regimes (e.g., CCPA). This role reports directly to Kibo's Head of Engineering and partners closely with Cloud Engineering, DevOps, IT, Legal, and Product.

Success requires strong information security and compliance fundamentals, working knowledge of cloud environments (AWS and GCP), excellent vendor and stakeholder management, and the ability to translate framework requirements into concrete, prioritised work for engineering teams.

ABOUT KIBO

KIBO is a composable digital commerce platform for B2C, D2C, and B2B organizations who want to simplify the complexity in their businesses and deliver modern customer experiences. KIBO is the only modular, modern commerce platform that supports experiences spanning B2B and B2C Commerce, Order Management, and Subscriptions. Companies like Ace Hardware, Zwilling, Jelly Belly, Nivel, and Honey Birdette trust Kibo to bring simplicity and sophistication to commerce operations and deliver experiences that drive value.

KIBO's cutting-edge solution is MACH Alliance Certified and has been recognized by Forrester, Gartner, IDC, Internet Retailer, and TrustRadius. KIBO has been named a leader in The Forrester Wave™: Order Management Systems, Q1 2025 and in the IDC MarketScape report “Worldwide Enterprise Headless Digital Commerce Applications 2024 Vendor Assessment”.

By joining KIBO, you will be part of a team of Kibonauts all over the world in a remote-friendly environment. Whether your job is to build, sell, or support KIBO’s commerce solutions, we tackle challenges together with the approach of trust, growth mindset, and customer obsession. If you’re seeking a unique challenge with amazing growth potential, then come work with us!

What You’ll Do:

Essential Responsibilities

Compliance program ownership

● Audit & assessment lead — Coordinate all information security assessments and audits, including PCI DSS v4.0.1, SOC 2, ISO 27001, and any internal governance or controls oversight.
● Auditor engagement — Manage external auditor and assessor relationships end-to-end: requests, evidence packages, findings, status, remediation plans, and follow-up validation.
● PCI scope management — Maintain Cardholder Data Environment (CDE) and non-CDE boundaries, network architecture diagrams, firewall / ACL rules, VPN access reviews, and critical-asset inventories.
● Portfolio mandates — Track and report compliance posture against Kibo's investor/portfolio-level security mandates, including private-equity portfolio hardening and Mythos-era requirements.

External assessment and vendor management

● Pen-test / VAPT engagements — Manage relationships with external assessment firms (e.g., Accorian, TAC Security, Ampcus Cyber). Drive scope, timelines, fieldwork, retests, and reporting.
● Security tooling evaluations — Lead evaluations and onboarding of MDR / XDR, CNAPP, EDR, PAM, threat intelligence (e.g., CloudSEK, Cyble, SecurityScorecard), and vulnerability-scanning solutions.

Risk, vulnerability, and exposure management

● Vulnerability remediation — Drive CVE and dependency remediation across a large software estate (hundreds of repositories), partnering with Cloud Engineering on Dependabot rollout, prioritization, and developer hygiene.
● Exposure triage — Triage external exposure findings, threat-intel hits, and third-party security disclosure reports to documented closure.
● Incident response — Participate in IR preparation, detection, containment, eradication, recovery, and post-incident review. Own the IR program's compliance artifacts.

Policy, training, and awareness

● Policy & standards — Maintain Information Security Policy and Standards documentation. Manage waivers, exceptions, and review cycles.
● Awareness program — Own the security awareness and training program: content development, scheduled annual training, reporting metrics, and audience-specific tracks (engineering, customer support, leadership).

Client and partner support

● Customer assurance — Respond to client security questionnaires (SIG, CAIQ, custom), RFP security sections, and contract security schedules.
● Legal & HR support — Support investigations, e-discovery, and court-ordered data submission requests as needed.

Operational security

● Subject-matter guidance — Advise DevOps, Cloud Engineering, IT, Product, and business teams on controls, risk, and process improvements.
● Day-to-day operations — Assist with operational security activities including data loss prevention, vulnerability scanning, WAF tuning and alert review, and periodic access reviews.


Required Qualifications:

● 3–6 years of progressive experience in information security, IT risk management, compliance, audit, or technology governance.
● Demonstrable, hands-on PCI DSS experience — ideally including v4.0 / v4.0.1 — for a multi-tenant SaaS or payment-processing environment.
● Experience with one or more additional compliance / regulatory regimes: SOC 2, ISO 27001, SOX 404, GDPR / UK GDPR, CCPA / US state privacy.
● Working knowledge of one or both major public cloud platforms (AWS and GCP), including networking fundamentals — VPCs, VPC flow logs, NAT gateways, security groups, IAM — and how those underpin a secure cloud architecture.
● Familiarity with the modern security tooling landscape: CNAPP, EDR, PAM, MDR, SIEM, WAF, vulnerability scanning, and secrets management — including a clear understanding of where CNAPP and EDR each fit in a production environment.
● Excellent written and verbal English communication, organizational, and documentation skills.
● Strong program management — able to drive multiple parallel workstreams (audit, remediation, vendor engagement, policy updates) to closure on deadline.
● Ability to maintain meaningful overlap with North American working hours; occasional later-evening (India time) meetings with US-based stakeholders.
● University degree, or equivalent industry experience.

Strongly Preferred

● Certifications — One or more of CISA, CISM, or CISSP. ISO 27001 Lead Auditor / Lead Implementer and/or PCI ISA are a strong plus.
● CVE triage — Hands-on experience triaging a freshly-published CVE with limited context: assessing impact, identifying vulnerable assets, and recommending mitigation or remediation.
● PE-portfolio context — Experience supporting a private-equity-backed portfolio company's security mandate (e.g., Vista Equity Partners, KKR, Thoma Bravo).
● Security posture platforms — Familiarity with SecurityScorecard, BitSight, or similar third-party security-rating services.
● Legal & e-discovery — Experience with court-ordered or law-enforcement data submission processes.



In the first 90 days, you will have absorbed Kibo's PCI scope, audit calendar, open assessment findings, in-flight vendor engagements, policy baseline, and the current state of the vulnerability backlog.

In the first 6 months, you will own and run at least one external assessment cycle end-to-end, close a substantial portion of the open vulnerability backlog in partnership with Cloud Engineering, and have a refreshed, board-ready view of Kibo's overall security posture.


Skills

GDPR, AWS, GCP, VPN, EDR, SOX, IAM, SIEM, program management, stakeholder management, risk management, vendor management, process improvement, order management, customer support, cloud architecture, incident response, threat intelligence