Sr. Program Manager, Information Security

Material Bank is the world’s largest material marketplace for the architecture and design industry. Operating in 37 countries, our platform has become the standard for design professionals around the globe. Every day, Material Bank connects thousands of designers with tens of thousands of materials from leading brands. Material Bank is the fastest and most powerful way for design professionals to search, sample, and specify materials.

Material Bank is seeking a Program Manager, Information Security to play a critical role in building and maturing the company’s enterprise information security and cybersecurity program. This role is responsible for establishing a scalable, repeatable, and auditable security operating model aligned to the NIST Cybersecurity Framework, supporting Material Bank’s cloud based platforms and systems including MB 3.0, MaterialBank.com, DesignShop.com, and fulfillment and logistics technologies. You will own security outcomes across the business, including risk management, audit readiness, data protection, and incident preparedness, with a clear focus on long term maturity over a three to five year horizon. 

This is a senior, high impact individual contributor role for someone with deep experience in security program management and a strong understanding of how modern technology platforms scale. You are accountable for progressing Material Bank toward a repeatable Tier 3 security posture across Identify, Protect, Detect, Respond, and Recover functions, directly remediating security control gaps where appropriate and clearly articulating accepted and deferred risk to executive leadership. You bring sound judgment, hands on execution, and the ability to translate complex security risk into clear business decisions, enabling growth while maintaining predictability, audit readiness, and trust. 

What You’ll Do:  

Security program leadership and governance 

• Lead and mature Material Bank’s enterprise information security program through a multi year roadmap aligned to business strategy, growth, and global expansion. 
• Establish and maintain security policies, standards, and operating procedures that scale across cloud platforms, applications, data, and emerging technologies, including AI. 
• Own the security risk management framework, including risk identification, scoring, acceptance, tracking, and executive reporting, supported by a maintained risk register and clear visibility into trends and remediation status. 
• Define and track security metrics and KPIs that demonstrate program effectiveness, predictability, and maturity. 

Audit, compliance, and assurance 

• Own audit, compliance, and assurance efforts, including SOC 2 Type I and progression to Type II, ensuring controls are implemented, evidence is maintained, and audits remain repeatable and low friction. 
• Lead customer security questionnaires and enterprise assurance requests in partnership with Legal, IT, and Engineering. 
• Support privacy and regulatory obligations, including GDPR, ROPA inventories, and regional data requirements. 

Cloud, application, and platform security 

• Define and enforce security requirements for AWS infrastructure using native cloud security services and guardrails. 
• Establish application security standards across internal and customer facing platforms, including secure SDLC practices, penetration testing, and remediation accountability. 
• Conduct security assessments for new systems, architectures, and major platform changes. 

Identity, access, and data protection 

• Own identity and access management strategy, including SSO, role based access, provisioning, and periodic access reviews. 
• Establish enterprise wide data classification and data handling standards. 
• Ensure access and data protection controls scale with growth and global expansion through partnership with IT, Engineering, and platform owners. 

Detection, response, and resilience 

• Own detection, incident response, and resilience strategy, including playbooks, third party incident response coordination, post incident analysis, security monitoring, alerting, and continuous improvement. 
• Support disaster recovery and business continuity planning from a security perspective, including tabletop exercises and recovery documentation. 

Security technology, automation, and remediation 

• Own the security technology stack, including endpoint protection, vulnerability management, monitoring, and security awareness tooling. 
• Evaluate, select, and manage security vendors for effectiveness and cost efficiency. 
• Directly implement and remediate security controls, configurations, and tooling gaps when risk, timing, or dependency constraints require hands on execution. 
• Leverage automation and AI assisted workflows to operate efficiently as a one person function. 
• Determine when remediation should be executed directly versus driven through Engineering, IT, or Infrastructure, and ensure closure in all cases. 

Third party and business risk 

• Perform vendor security reviews, ongoing third party risk monitoring, remediation tracking, and executive risk acceptance. 
• Support security due diligence for acquisitions, integrations, and major partnerships when applicable. 

What You’ll Bring:  

• 8+ years of experience in information security, security engineering, or security program leadership. 
• Direct ownership of SOC 2 or comparable assurance frameworks, including implementation, remediation, and sustained operation. 
• Strong working knowledge of AWS cloud security, identity and access management, application security, and incident response. 
• Demonstrated ability to operate independently with high accountability and limited resources. 
• Proven ability to define strategy while executing hands on remediation when needed. 
• Strong judgment in prioritizing risk and making pragmatic tradeoffs aligned to business needs. 
• Ability to communicate security risk clearly to both technical and non technical stakeholders. 
• Experience building security programs that scale globally without requiring a traditional security organization.