Asurion

Sr. Manager, Human Risk Management

Nashville, Tennessee, United States of America
Posted Yesterday
onsite

Job Description

Position Overview

Asurion is building a modern, AI-native Human Risk Management function—and this role leads it. Reporting to the Senior Director, Cyber Risk & Trust, the Senior Manager designs, builds, and operates an enterprise program that measurably reduces human-driven cyber risk. This leader will pivot the company from traditional awareness training to behavior and culture change, measured by risk reduction, faster reporting, and resilient habits at scale. The program integrates across HR, Legal & Privacy, Internal Communications, IT & Identity, Security Operations, and AI & Data Governance, and rolls into executive and board-level reporting as a cornerstone of the multi-year security maturity roadmap.

The ideal candidate is a builder with executive presence who uses telemetry, experimentation, and AI to drive targeted interventions across distinct workforce populations. Success is defined by reduced risky behaviors, improved reporting rates and time-to-report, and a positive, psychologically safe security culture.

Key Responsibilities

  • Define and own the enterprise Human Risk Management strategy, operating model, charter, and roadmap aligned to NIST CSF 2.0 (Govern and Protect) and Asurion’s security maturity program.
  • Establish governance for the human-risk domain; represent human risk in security leadership forums; deliver regular executive and board-level reporting focused on risk reduction.
  • Build, lead, and develop a small expert team; manage budget, vendors, and platforms; scale reach through a distributed Security Champions network.
  • Partner with HR, Legal & Privacy, Internal Communications, IT & Identity, Security Operations, and AI & Data Governance to embed human-risk practices into the flow of work.
  • Design and maintain per-person and per-team human risk scores by aggregating signals from phishing simulations and reports, DLP, CASB, EDR, identity, access sensitivity, and engagement data.
  • Use analytics and AI to identify high-risk cohorts, predict likely compromise, and drive targeted interventions; quantify ROI in risk-reduction terms.
  • Build privacy-by-design into all capabilities in partnership with Legal & Privacy—aggregated and role-based views by default, with clear policy and lawful basis for any individual-level monitoring.
  • Replace annual CBT with continuous, role- and risk-personalized learning pathways for varied populations (general workforce, developers/engineers, finance/AP, executives/EAs, privileged admins, HR/recruiting, contact-center/customer-facing teams).
  • Own an AI-threats education track covering GenAI phishing and BEC, deepfakes, voice cloning/vishing, synthetic identities, quishing, MFA fatigue, and shadow-AI data leakage; reinforce out-of-band verification habits.
  • Run a full-spectrum, ethically governed simulation function beyond email phishing, including spear-phishing, vishing, smishing, quishing, USB/physical-media, physical social engineering/tailgating, and help-desk callback drills.
  • Pilot controlled, consented deepfake voice/video drills for finance and executive populations; prioritize reporting rate and time-to-report over click rate; deliver immediate teachable moments with no shaming.
  • Implement in-the-moment behavioral guidance: inline email banners, DLP and browser nudges, identity-aware prompts, and one-click phishing reporting with AI auto-triage and closed-loop feedback.
  • Stand up an always-on “ask security anything” conversational assistant leveraging the company’s AI direction.
  • Brand and communicate the program with consistent campaigns; secure visible executive sponsorship; recognize positive behaviors; embed security into onboarding, role changes, and offboarding; enable manager visibility consistent with privacy principles.
  • Lead the human side of secure AI adoption with AI & Data Governance: acceptable-use policy, enablement of approved tools, shadow-AI reduction, AI-builder training, and alignment with partner/regulatory obligations.

Education and Experience

  • Bachelor’s degree or equivalent practical experience.
  • 8+ years in cybersecurity, information security, or closely related fields, including substantial experience in security awareness, human risk management, or security culture.
  • 3+ years leading programs and/or people, with demonstrated success building or significantly maturing a human-risk or awareness program at enterprise scale.
  • Hands-on familiarity with phishing-simulation and human-risk platforms, and how DLP, CASB, EDR, and identity signals inform a human-risk profile.
  • Working knowledge of NIST Cybersecurity Framework (CSF) 2.0 and mapping a human-risk program to it.
  • Strong command of modern and AI-enabled threats (GenAI phishing, deepfakes, voice cloning, shadow AI) and the defensive behaviors that counter them.
  • Experience building programs with privacy-by-design in global, regulated environments in partnership with Legal & Privacy.
  • Nice to have: global/multi-region experience (e.g., EU works councils), instructional design or behavioral science background, marketing/communications or change management expertise, Security Champions networks, AI/automation at scale, contact-center risk familiarity, and relevant certifications (e.g., SANS SSAP, CISSP, CISM).

Knowledge, Skills, and Abilities

  • Behavior-first, data-driven mindset; defines clear outcome metrics and proves risk reduction.
  • Strategic builder who can operate from zero-to-one and scale sustainably with AI and automation.
  • Exceptional communication, storytelling, and stakeholder influence; strong executive presence.
  • Ability to partner cross-functionally and drive change without direct authority.
  • Expertise in experimentation, A/B testing, telemetry, and dashboarding for leaders and managers.
  • Ethical judgment and privacy-by-design orientation that preserves employee trust.
  • Positive, psychologically safe leadership style that encourages reporting and learning.
  • Relentless focus on measurable outcomes and continuous improvement.

Travel Requirements

N/A

Physical Demands

  • Stationary Position: Frequently
  • Vision: 20/20 corrected vision
  • Hearing: Receive detailed information if spoken to
