Security Risk and Compliance Specialist

Xero is a beautiful, easy-to-use platform that helps small businesses and their accounting and bookkeeping advisors grow and thrive.

At Xero, our purpose is to make life better for people in small business, their advisors, and communities around the world. This purpose sits at the centre of everything we do. We support our people to do the best work of their lives so that they can help small businesses succeed through better tools, information and connections. Because when they succeed they make a difference, and when millions of small businesses are making a difference, the world is a more beautiful place.

**About the role**

The Security Risk and Compliance Specialist will bring their experience to a team working with all parts of the business to improve Xero’s security risk and compliance posture, to reduce the risk of security incidents and improve the efficiency and effectiveness of Xero’s security controls.

**What you'll do**:
- Support contributors across Xero in conducting risk assessments to identify potential security threats and vulnerabilities, and evaluate security risks across all areas of Xero’s business, including product and technology, and third party software and services, to ensure these are well understood and managed within Xero’s risk tolerance.
- Ensure security compliance obligations with applicable laws, regulations and standards such as ISO 27001, SOC 2, PCI-DSS or other international or regional frameworks, are understood and met across Xero.
- Support product teams in performing threat modeling of new/updated product features.
- Perform risk assessments for Ecosystem partners and third party suppliers, ensuring that security risks are assessed and understood prior to, and during the engagement with the third party.
- Using the security risk management framework, ensure risks are documented, quantified, owned, communicated and escalated as appropriate across Xero.
- Provide input to responses to customer and supplier security assessments.
- Monitor and assess emerging security threats that could affect Xero, and propose strategies to mitigate them.
- Support process improvement and automation using technical skills and experience.
- Foster cross-disciplinary understanding of security risk and compliance and raise awareness of risk

**What success looks like**:
- Changes to Xero’s product and corporate infrastructure are in compliance with the IT Security Policy and standards and meet Xero’s compliance obligations.
- Risks are identified and managed according to Xero’s risk appetite, in a timely manner and in alignment with business objectives.
- Security assessments are completed and documented for all new third party software and technology services.
- Audits and other compliance assessment activities are completed successfully, and compliance is maintained with required standards.
- Management has timely and appropriate visibility of Xero’s security risk status.

**What you'll bring**:
- 3+ years in a role in an information security and risk management practice
- Experience with ISO27001:2022, SOC 2 Type 2 or PCI-DSS compliance frameworks
- Recognised as a high performer and leading contributor in your team.
- Experience working with AI and data to drive automation.

**Why Xero?**

Offering very generous paid leave to use however you’d like (plus statutory holidays), dedicated paid leave to care for your physical and mental wellbeing as well as an Employee Assistance Program to access mental health care for you and your family, health insurance, life insurance, and income protection, wellbeing and sports programmes, employee resource groups, 26 weeks of paid parental leave for primary caregivers, an Employee Share Plan, beautiful offices, flexible working, career development, and many other benefits that reflect our human value, you’ll do the best work of your life at Xero.