Manager, Cybersecurity, Risk

Posted:
4/2/2026, 12:37:47 AM

Location(s):
Toronto, Ontario, Canada ⋅ Ontario, Canada

Experience Level(s):
Senior

Field(s):
IT & Security

Workplace Type:
Hybrid

At IMCO, our talent is among the best! IMCO offers a uniquely stimulating and rewarding environment where you can help build and drive organizational transformation, all while seeking to challenge yourself, learn, and grow your career.

Our culture is built on collaboration and passion, with a shared commitment to delivering lasting value to the clients we serve. Located in downtown Toronto, our vision is to be the partner of choice for Ontario’s public sector funds and to build a high-performing, value-driven asset management firm.

This job posting is for an existing vacancy. If you are ready to deliver best-in-class service and join a collaborative, motivated and fun team of professionals, IMCO offers the opportunity to do impactful work and broaden your expertise.

If you’re looking to use your expertise to drive strategic outcomes, we’d love to hear from you.

The Manager, Cyber Risk supports IMCO’s cyber risk program by coordinating risk assessments, managing third‑party security reviews, and helping ensure adherence to IMCO policies and standards. The role partners with IT & Data, Enterprise Risk Management (ERM), Legal/Compliance, and business teams to identify, assess, and track cyber risks, providing actionable insights and clear communication.

As a Member of Our Team, You Will be Responsible For:

Risk Assessments & Tracking

  • Execute and document cyber risk assessments for projects, applications, infrastructure and material changes (using defined methodologies).

  • Conduct cloud security risk assessments across SaaS, PaaS, and IaaS solutions, including shared responsibility considerations, data protection, identity, and resilience risks.

  • Assess cyber risks associated with emerging technologies (e.g., AI/GenAI, new data platforms, automation tools) and advise on appropriate controls and risk treatments.

  • Maintain entries in the cyber risk register; track remediation actions with accountable owners and follow up on due dates.

Third‑Party Security Reviews

  • Perform security due diligence for new vendors and periodic reviews for existing vendors/critical fourth parties.

  • Evaluate vendor and cloud provider control environments (e.g., SOC reports, ISO certifications, architecture summaries) and identify residual risk.

  • Record findings, recommend risk treatments, and escalate material issues in line with risk appetite and thresholds.

Policy & Standards Support

  • Support the currency of cybersecurity policies, standards, and guidelines through drafting updates and stakeholder review.

  • Coordinate and document exceptions/deviations and risk acceptance requests with clear expiry and compensating controls.

Control Testing & Assurance

  • Assist with control self‑assessments and collection of evidence for internal/external audits and attestations (e.g., SOC 2).

  • Support assurance activities related to cloud and third‑party controls, including tracking gaps and remediation actions to closure.

  • Track audit/assessment action items to closure and provide status updates to leaders.

Reporting & Communication

  • Prepare concise dashboards and reports (KRIs/KPIs, risk themes, third-party risk trends, remediation status) for management and governance forums.

  • Translate technical, cloud, vendor, and emerging risks into business‑friendly summaries with clear impact, likelihood, and recommended next steps.

Awareness & Engagement

  • Promote security awareness of top risk themes.

  • Support readiness activities (e.g., tabletop logistics and follow‑ups, risk workshops).

  • Respond to risk‑related inquiries from project teams and vendor managers with timely, practical guidance.

What do you need to succeed?

  • 5–6 years of experience in information security, IT risk, or related roles (financial services/investment management is an asset).

  • Working knowledge of cyber risk frameworks and controls (e.g., NIST CSF/800‑53, ISO 27001/27002/27004/27005) and third-party risk management practices.

  • Hands‑on experience conducting technology and cloud risk assessments, documenting issues, and tracking remediation to closure.

  • Familiarity with cloud service models (SaaS, PaaS, IaaS) and shared responsibility concepts.

  • Comfort interpreting audit/assessment requests and assembling clear, accurate evidence packages.

  • Strong analytical, organisational, and stakeholder communication skills; able to explain risk in plain language.

  • Undergraduate degree in a relevant field; security/risk certifications (e.g., CRISC, CISSP, CISM) are assets.

The base salary range for this position is CAD $105,000.00 - $138,000.00. The placement within the range is determined by the range of market pay for the specific position, as well as the candidate's knowledge, skillset and experience relative to the requirements of the position and to internal peers. In addition to base salary, this position is eligible to participate in IMCO's annual incentive plan. As a candidate, you are encouraged to ask compensation-related questions and have an open dialogue with your recruiter, who can provide you with the specific details for this position, as well as the total rewards offering at IMCO, including our comprehensive benefits package and defined benefit pension plan.

We thank all applicants for their interest. Only those selected for an interview will be contacted.

Our hybrid work model prioritizes an office-first approach, encouraging employees to make the most of our collaborative workspace at 16 York Street, Suite 2400, Toronto, ON M5J 0E6. This welcoming environment fosters teamwork, connection, and professional growth. While flexibility remains a key component of our model, we believe that regular in-office engagement enhances productivity and strengthens our culture. Our approach supports a fulfilling lifestyle that balances professional ambition with personal wellbeing.

IMCO is committed to providing accommodation for people with disabilities throughout the recruitment process. If you require support, please let us know and we will work with you to meet your needs. Artificial intelligence (AI) tools may be used to support parts of our recruitment process, such as screening and assessments. However, all hiring decisions are made by our recruitment team. Candidates being considered for this position will be required to undergo background screening.