Yum! Brands

Cyber Risk Program Manager

Reposted 12 Days Ago
In-Office or Remote
Hiring Remotely in United States
115K-154K Annually
Senior level
The Cyber Risk Program Manager leads cyber risk management initiatives, ensuring risks are identified and managed, while promoting risk governance across the organization.
The summary above was generated by AI

The Cyber Risk Program Manager leads the operationalization of Yum!’s enterprise cyber risk management initiatives, including the Crown Jewels Program — ensuring risks are identified, assessed, and managed in alignment with NIST CSF 2.0, CIS Controls, and FAIR principles. This role embeds risk governance practices across brands and markets, overseeing the cyber risk lifecycle, exception management, and continuous improvement of the risk operating model. The Program Manager acts as a coach and mentor to Cyber Risk team members and stakeholders, strengthening Yum!’s risk culture through leadership, data-driven insight, and effective cross-functional engagement.

Responsibilities

Cyber Risk Program Operationalization 
•    Lead the operationalization of Yum!’s enterprise cyber risk management framework across brands, enabling measurable, repeatable, and scalable processes. 
•    Maintain and continuously refine the enterprise risk register, ensuring risks are consistently assessed, updated, and tracked through mitigation or acceptance. 
•    Translate risk appetite and tolerance thresholds into actionable decision criteria and embed these into enterprise processes. 
•    Develop and report Key Risk Indicators (KRIs), leveraging automation and data analytics for timely insights. 
•    Partner with IT, Security Engineering, and ERM to ensure risk data quality and alignment with enterprise priorities. 


Governance, Risk, and Compliance (GRC) Operations 
•    Manage daily operations within the GRC platform, ensuring data integrity and accurate reporting. 
•    Oversee risk assessments, remediation tracking, and control validation across cybersecurity domains. 
•    Enhance automation and reporting pipelines in collaboration with BI and data teams, leveraging prompt engineering to improve risk insight generation and dashboarding. 


Control Framework and Exception Management 
•    Oversee the operationalization of Yum!’s control alignment model across CIS, PCI DSS, ISO 27001, and SOC 2 frameworks as applicable.  
•    Lead exception management, ensuring exceptions are risk-assessed, approved, tracked, and reviewed according to enterprise policy. 
•    Manage the lifecycle of risk issues — classification, remediation, and closure validation — ensuring proper documentation and leadership visibility. 

Stakeholder Engagement and Communication 
•    Serve as a key liaison between Cyber Risk, ERM, and Compliance teams to align methodologies and governance reporting. 
•    Communicate risk insights to senior leaders, translating technical data into business impact. 
•    Promote a risk-aware culture through targeted engagement, education, and communication initiatives. 

Leadership and Coaching 
•    Lead and coach a team of Cyber Risk Analysts, fostering professional development and technical growth. 
•    Provide leadership oversight on prioritization, performance management, and delivery alignment. 
•    Actively mentor team members and peer leaders on effective risk communication, analysis methods, and GRC tool utilization. 
•    Represent the Cyber Risk function on steering committees and cross-functional governance councils. 

 
Key Performance Indicators (KPIs) 
 

Functional Areas 
•    Technical Delivery: Effective use of automation and prompt-engineering-driven analytics for GRC insights. 
•    People Management: Demonstrated team skill growth and engagement improvement (measured via feedback and performance outcomes). 
•    Operational Efficiency: Improved exception turnaround time and policy compliance adherence. 
•    Product Impact: Clear linkage of cyber risk insights to business outcomes and investment decisions. 
 


Qualifications

Required Skills 
•    Expertise in cyber risk governance, risk assessment methodology, and risk analytics. 
•    Proficiency in GRC platforms (Auditboard, ServiceNow, or similar). 
•    Advanced prompt engineering skills for generative AI use cases in data analysis, reporting, and communication. 
•    Strong stakeholder engagement, coaching, and cross-functional collaboration skills. 
•    Analytical mindset with ability to operationalize frameworks into measurable outcomes. 
 
Qualifications 
•    Bachelor’s degree in Cybersecurity, Risk Management, or related discipline. 
•    8+ years of experience in cybersecurity risk or governance functions. 
•    Deep understanding of NIST CSF 2.0, CIS Controls, FAIR, and enterprise risk governance principles. 
•    Proven success in program operationalization (not just implementation) and leading cross-functional teams. 
•    Excellent written and verbal communication skills. 
•    Proficient in written and spoken English. 
Salary Range: $114,900 - $154,185 annually + bonus eligibility. This is the expected salary range for this position. Ultimately, in determining pay, we'll consider the successful candidate’s location, experience, and other job-related factors.

