Kalkomey Enterprises seeks a Senior Information Security Manager to own the company's security posture, partner with engineering teams, and drive security initiatives with speed and precision.
Job Description
About Kalkomey
Kalkomey Enterprises is the trusted guide to outdoor success. Every year, millions of people rely on our platform to gain the knowledge and confidence needed to safely explore the outdoors.
Since 1995, Kalkomey has partnered with government agencies across North America to deliver the education that powers responsible outdoor recreation. Our courses and technology platforms support certification programs used by wildlife, parks, and boating agencies while helping outdoor enthusiasts develop the skills needed to safely enjoy activities like hunting, fishing, boating, and snowmobiling.
Today, Kalkomey offers more than 360 online learning experiences supported by integrated web and mobile applications. Together, these solutions help make outdoor recreation more accessible, responsible, and safe for generations to come.
We believe education builds confidence, and confidence opens the door to the outdoors.
About This Opportunity
The Senior Information Security Manager is a hands-on, high-impact role reporting to the SVP of Technology. You will own Kalkomey’s security posture end-to-end, spanning application security, identity, compliance, incident response, and vendor risk.
This role is deeply embedded within engineering. You will partner directly with Product, Engineering, and Platform teams to build security into how software is developed and deployed, reviewing code, influencing architecture, and ensuring security is built into how we ship. When security is done well, it makes delivery faster and more predictable. When something needs to stop, you stop it and own the call.
This is a player-coach role with a strong IC focus. We are looking for someone with deep hands-on experience who is ready to step into broader ownership, not someone who has moved away from the work. You should be comfortable shipping code, working closely with engineers, and making pragmatic decisions that balance risk and velocity.
You will also play a key role in how we adopt and scale AI across the organization. This includes evaluating the security implications of AI-assisted development, establishing practical guardrails, and enabling teams to use AI tools effectively without introducing unnecessary risk.
This is a builder role in a maturing environment. You will shape how we approach security, design systems that scale through automation and self-service, and create clarity where processes are still evolving. If you are someone who enjoys operating close to the work while building for the future, this role will be a strong fit.
You must reside in one of these US states: AZ, CO, FL, GA, IL, IN, KY, MA, MD, MI, MN, NC, NV, OR, PA, RI, TX, VA, VT, WI, or one of these provinces in Canada: Ontario.
What You'll Do
Security Ownership and Accountability
- Serve as the single-threaded owner of Kalkomey’s security posture.
- Establish and enforce practical security standards that empower teams to move quickly and securely, with clear guidance on when risk-based tradeoffs require additional scrutiny.
- Escalate material risks clearly and early to executive leadership.
- Lead incident response with authority and composure.
- Own quarterly security reporting to the executive team and board.
- Work directly inside the engineering development process: attend engineering leadership meetings and architecture reviews, review PRs for security concerns, and block releases when warranted.
- Instill a defensive security mindset across the engineering team. That means walking engineers through real attack vectors in their own code, threat modeling with the team, and demonstrating how an attacker would get in. Coaching through showing, not through policy decks.
- Own static code analysis, dependency scanning (Dependabot), and security-focused CI/CD pipeline integration.
- Understand containerized and ephemeral deployment patterns. Calibrate security controls to the actual architecture, not theoretical enterprise frameworks.
- Partner closely with the Director of Platform Engineering. Cloud infrastructure architecture is his domain; security posture of that infrastructure is yours. This is a partnership, not a boundary.
- Own endpoint security tooling (EDR, device control, monitoring) and evaluate the current stack for friction-to-value ratio.
- Oversee MDM, device compliance, and identity access controls.
- Ensure timely vulnerability remediation and patch management.
- Own the security posture of onboarding/offboarding processes.
- Own SOC 2 program operations, ongoing audit readiness, and remediation tracking.
- Own the compliance tooling stack (Drata, Safebase) and maintain audit evidence.
- Lead third-party vendor security reviews and contract security assessments, including evaluating vendors for state contract compliance.
- Maintain a current risk register with prioritized mitigation plans.
- Coordinate annual penetration testing and remediation.
- Own state contract security requirements: SAM.gov registration, data residency, and agency-specific security asks.
- Produce quarterly board-ready security and compliance reporting.
- Own incident response plan and execution.
- Ensure monitoring coverage across endpoints, identity systems, and cloud infrastructure.
- Conduct post-incident reviews with corrective action plans.
- Validate readiness through tabletop exercises.
- Evaluate security implications of AI coding agents, LLM-powered workflows, and agentic tool use across the organization. Understand how context windows, tool access, and agent autonomy create new attack surfaces.
- Set and maintain AI/LLM usage policy and data boundaries. Define what goes into a prompt and what stays out. Make the policy short, clear, and enforceable.
- Use AI yourself. Apply disciplined agent workflows (research, plan, implement) to your own security and compliance work, including offensive security: reconnaissance, vulnerability scanning, pen test preparation. Model what good AI usage looks like in practice, not just in policy.
- Stay current on AI security risks: prompt injection, data exfiltration, context poisoning, supply chain risks from AI-generated code, and the evolving threat landscape around agentic systems.
- Own the Rippling IT relationship end-to-end. Maximize its capabilities for endpoint management, MDM, onboarding/offboarding, and device compliance so these functions run on automation, not headcount.
- Build AI-powered self-service tools (Slack chatbots, automated triage, knowledge bases) that resolve common IT requests without human intervention. Design the system so most issues never reach you. Handle tier 1/2/3 support when needed, but that should be the exception, not the operating model.
- Use AI agents to automate repetitive security and IT tasks: vendor assessment prep, compliance evidence collection, runbook generation, ticket triage. Build workflows, not queues. The goal is a function that scales through tooling and engineering discipline, not through adding people.
- Maintain concise documentation and runbooks. Documentation is a deliverable, not a side project.
- 5-8 years in information security, application security, or security engineering roles.
- Experience owning security operations in a SaaS or cloud-based product company, not just consulting or compliance.
- Hands-on experience with EDR, IAM, vulnerability management, incident response, and penetration testing coordination.
- Demonstrated experience working embedded with engineering teams: PR reviews, CI/CD security integration, shift-left practices.
- You have written production code. Not as a hobby. You have shipped software in a team environment and can read a codebase, trace a vulnerability through it, and explain the fix to the engineer who owns it.
- Familiarity with SOC 2, NIST, CIS, or ISO frameworks in a practitioner capacity, not just an auditor capacity. Current on the modern engineering security toolchain: dependency scanning, SAST/DAST, container security, secrets management. You should already know what Dependabot is and why it matters.
- Hands-on experience using AI coding agents and LLM-powered workflows in your own work. You do not need to be a prompt engineer, but you need to have shipped real work with these tools and formed your own opinions about context management, agent reliability, and security implications.
- A clear-eyed perspective on security in a product engineering environment: comfortable enforcing standards and equally comfortable recognizing when a control creates more friction than the risk it mitigates.
- Ability to partner effectively across teams without direct authority. Influence through technical credibility and clear communication.
- Strong written and verbal communication skills. Comfortable briefing an executive, coaching an engineer, and writing a vendor risk assessment with equal clarity.
- Experience with state or government contract compliance requirements: data residency, SAM.gov, agency security assessments.
- Experience managing or optimizing an MSP/Rippling IT relationship.
- Background in Ruby on Rails application security or familiarity with Rails-specific vulnerability patterns.
- Genuine interest in hunting, fishing, boating, or other outdoor sports and activities.
Security Ownership & Accountability: Owns the company’s security posture end-to-end. Establishes standards, manages risk, and ensures security outcomes align with business needs.
Engineering Partnership: Works directly with engineering teams to embed security into development workflows. Reviews code, influences architecture, and drives shift-left practices.
Execution & Delivery: Delivers security initiatives with speed and precision. Balances risk, velocity, and practicality to support continuous delivery.
Technical Judgment: Applies strong judgment to security decisions, balancing real-world risk with business impact. Avoids over-engineering while maintaining effective controls.
AI Fluency & Security Application: Leverages AI tools to improve workflows, automate tasks, and scale operations. Evaluates risks of AI usage and establishes practical, enforceable guidelines.
Operational Excellence & Automation: Builds scalable systems, automation, and self-service models that reduce manual work. Designs processes that scale without adding headcount.
Incident Response & Risk Management: Leads incident response with clarity and urgency. Identifies risks early and ensures effective mitigation strategies are in place.
Cross-Functional Collaboration: Partners across Product, Engineering, Platform, and leadership teams to drive alignment and execution. Influences without relying on authority.
Communication: Communicates risks, tradeoffs, and decisions clearly to both technical and non-technical audiences. Provides executive-level visibility when needed.
Ownership & Initiative: Takes full ownership of outcomes and proactively drives improvements. Operates independently while maintaining alignment with leadership.
What We Offer
In addition to a competitive salary and annual bonus, we offer these great benefits:
- We are a fully distributed company – unless specifically indicated in the job description, this is a work from home position
- Employer matched 401(k)
- Medical/Dental/Vision insurance with generous employer contributions (including HSA)
- Maternity and Paternity leave and benefits
- Three weeks of paid vacation, 12 paid holidays, a paid community service day, and a flexible work schedule
- Annual wellness allowance, as well as a paid mental health day once a year for when you need it
- Automatic WFH contribution to each paycheck
- Employee Assistance Program (EAP)