Director, Information Risk Management

8116 - Midtown Office, United States

CarMax


8116 - Midtown Office - 2220 W. Broad Street, Richmond, Virginia, 23220

CarMax, the way your career should be! 

Do you want to play a key role in enhancing the Cybersecurity program for a Fortune 200 company and national brand that has also been listed on the Fortune 100 Best Companies to Work For for the past 21 years in a row? Do you enjoy working in a collaborative environment where your experience and ideas can shape the direction and development of critical cybersecurity Information Risk Management (IRM) capabilities?

Do you want to work with a team of talented professionals who have highly advanced technical knowledge, and be the subject matter expert in information security risk management, Third-Party Security Risk Management (TPRM), and Business Continuity Management (BCM)?

Then your job search begins and ends here….

The Director, Information Risk Management is responsible for shaping and driving the strategic direction of the company’s IRM program. This role demands a sophisticated blend of strategic foresight, technical acumen, and exceptional relationship management skills. The Director will spearhead the development, implementation, and continuous enhancement of a comprehensive Information Risk Management framework, ensuring alignment with industry standards such as ISO/IEC 27001/27002 and NIST SP 800-30. This role is pivotal in cultivating strong partnerships with key stakeholders, including business leaders, regulatory authorities, third-party vendors, and internal teams, to foster a cohesive and forward-thinking risk management strategy. The Director will provide executive oversight of security policies, information risk assessments, security awareness training, and programs across business continuity risk and resiliency, third-party security due diligence, and cyber regulatory readiness. As the organization's subject matter expert on information risk, this role will serve as a strategic advisor, guiding the organization in navigating the complex landscape of information risk management and mitigating risk.


What you will do – Essential Responsibilities

  • Lead a team of Risk Professionals to drive engagement and accomplishment of program goals.
  • Define, design, and strategically lead the adoption and integration of a comprehensive information risk management strategy and framework, ensuring alignment with the company’s risk appetite, privacy operations, security controls design, and continuous improvement mechanisms, while fostering strong leadership and stakeholder relationships.
  • Develop and oversee security policies and procedures framework, understanding the company’s strategic objectives, culture and regulatory landscape to ensure the policy framework aligns with overall goals and regulatory compliance.
  • Define and direct a strategic approach to the Third-Party Security Risk Management program, ensuring external partnerships do not introduce undue risk to the organization. Oversee thorough third-party security risk assessments, classify vendors based on risk, and ensure that contracts with third parties include specific security requirements, regulatory obligations, and performance metrics tied to security standards and compliance.
  • Collaborate with stakeholders to ensure third-party practices align with security standards. Negotiate security provisions on behalf of the company.
  • Oversee and guide the design and delivery of the security awareness training and communications programs, ensuring the program aligns with the organization's overall objectives and integrates seamlessly into its culture. Design the program with a focus on changing behaviors and fostering a security-conscious culture. Develop engaging and informative training materials and classes that cater to diverse learning styles. Engage with stakeholders to ensure widespread adoption and understanding of the program.
  • Define, design, and direct the company’s business continuity risk and resiliency program, ensuring the organization's ability to operate during and recover from adverse events. Conduct business impact assessments to identify critical business functions, threats, and gaps. Develop business continuity and disaster recovery plans that address all aspects of the organization, including people, process, and technology. Champion risk mitigation strategies that align with the company's risk tolerance.
  • Define, design, and oversee the organization’s information risk management strategy and program. Identify and evaluate potential security, confidentiality, and integrity risks. Conduct risk assessments to recommend risk mitigation strategies and management plans. Disposition risks, assign clear accountability and ownership for all accepted risk, and partner with business leaders on remediation.
  • Lead and coordinate the technology regulatory obligations program to ensure that the organization’s IT systems, processes, and practices comply with applicable laws, regulations, and industry standards, both current and future. Understand all IT regulatory requirements that apply to the organization, including data protection laws, cybersecurity standards, and industry-specific regulations. Conduct regular risk assessments and gap analyses to evaluate the organization’s compliance position. Partner with business stakeholders on risk mitigation strategies. Manage and provide consistent company posture responses and evidence to regulators and examiners in support of IT audits. Ensure a unified approach to examinations through collaboration with internal stakeholders such as IT, Legal, Compliance, and Cybersecurity to gather information that demonstrates compliance with applicable laws and regulations.
  • Lead the Privacy technology operations program. Facilitate Data Subject Rights Management operations and exceptions for disclosure, correction, erasure, and data portability in accordance with legal requirements.
  • Engage in strategic board reporting, providing insights and updates on the organization's security posture and risk management efforts. Foster strong relationships with leadership to support informed decision-making.
  • Foster a culture of continuous improvement, regularly reviewing and enhancing security and risk management practices, with a focus on stakeholder feedback and collaboration to drive organizational risk mitigation and security.

Qualifications and Requirements

  • Bachelor’s degree in Technology, Computer Science, Business, or a related field.
  • Master’s degree or relevant professional certification (e.g., CRISC, CIA, CIPP, CISM, GIAC, CISA, CISSP) is preferred; CRISC and CISA are required.
  • A minimum of 10 years of leadership experience in information risk management and/or information security, with a focus on leadership and stakeholder management.
  • Proven expertise in information security, information risk management, and compliance frameworks (NIST, CIS, ISO/IEC 27001/27002, etc.).
  • Demonstrated executive leadership in privacy operations, security awareness training, business continuity, and third-party risk management, with a track record of successful stakeholder engagement and collaboration.
  • Strong understanding of cyber regulatory environments and experience in senior leadership reporting and communication, with the ability to build and maintain effective stakeholder relationships.
  • Extensive experience in information risk assessment, policy development, and incident response management, with a focus on strategic stakeholder communication and collaboration.
  • Excellent communication skills, with the ability to effectively lead teams, influence stakeholders, and drive organizational change through strong leadership and stakeholder relationships.
  • Exceptional analytical, problem-solving, and decision-making skills; high level of accuracy and attention to detail.
  • Strong leadership and organizational skills; ability to manage multiple projects and teams in a fast-paced environment.
  • Exceptional interpersonal and communication skills, both written and verbal, with the ability to explain complex compliance issues to stakeholders at all levels.
  • Demonstrated executive leadership - ability to gain consensus across teams without direct reporting responsibility.
  • Strong leadership skills, with the ability to manage and mentor a team of risk management professionals.
  • Dedication and commitment to top-quality service and to exceeding customer expectations.
  • Proven ability to influence without authority the information risk management direction of others.
  • Ability to build relationships that help overcome obstacles and time constraints to successfully deliver remediation to completion.

Work Environment

This role operates in a dynamic, fast-paced office setting, reporting directly to the VP, Chief Information Security Officer (CISO). The environment demands high levels of focus, collaboration, adaptability, and strategic stakeholder engagement to manage multiple, simultaneous demands and ensure the organization's security risk and compliance posture.

Work Location and Arrangement: This role will be based out of the Richmond, VA Technology Innovation Center and has a hybrid work arrangement.

Work Authorization:  Applicants must be currently authorized to work in the United States on a full-time basis. Sponsorship will not be considered for this specific role. 

About CarMax

CarMax disrupted the auto industry by delivering the honest, transparent and high-integrity experience customers want and deserve. This innovative thinking around the way cars are bought and sold has helped us become the nation’s largest retailer of used cars, with over 200 locations nationwide.

Our amazing team of more than 25,000 associates work together to deliver iconic customer experiences. Along the way, we help every associate grow their career and achieve their best, at work and in their community.  We are recognized for our commitment to training and diversity and are one of the FORTUNE 100 Best Companies to Work For®.

Our Commitment to Diversity and Inclusion:

CarMax is committed to bringing together people from different backgrounds and perspectives, providing employees with a safe, welcoming, and inclusive work environment.

CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, protected veteran status, disability status, or any other characteristic protected by law.

Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.
