FanDuel Group is a world-class team of brands and products all built with one goal in mind — to give fans new and innovative ways to interact with their favorite games, sports, teams, and leagues. That’s no easy task, which is why we’re so dedicated to building a winning team. And make no mistake, we are here to win, but we believe in winning right. That means we’ll never compromise when it comes to looking out for our teammates. From our many opportunities for professional development to our generous insurance and paid leave policies, we’re committed to making sure our employees get as much out of FanDuel as we ask them to give.

FanDuel Group is based in New York, with offices in Georgia, California, New Jersey, Florida, Oregon and Scotland. Our brands include:

  • FanDuel — A game-changing real-money fantasy sports app
  • FanDuel Sportsbook — America’s #1 sports betting app
  • TVG — The best-in-class horse racing TV/media network and betting platform
  • FanDuel Racing — A horse racing app built for the average sports fan
  • FanDuel Casino & Betfair Casino — Fan-favorite online casino apps
  • FOXBet — A world-class betting platform and affiliate of FanDuel Group
  • PokerStars — The premier online poker product and affiliate of FanDuel Group


Our roster has an opening with your name on it

We are looking for a Risk Assessment Manager in the Information Security Governance, Risk, and Compliance (GRC) team. Our GRC team has the unique opportunity and visibility to actively partner with departments across FanDuel Group taking a holistic view of the entire company and reducing risk. The GRC the Risk Assessment Manager will lead risk Assessments related to solutions using native cloud service provider.

Everyone on our team has a part to play

  • Lead Cybersecurity Department Risk Assessment (CSD-RA)  team by managing and performing Security Risk Assessments (SARs) for Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) cloud computing models to align against Information Security Policies for the security of confidentiality, availability, and integrity of information, business delivery and technology.
  • Manage SAR reports for continuous assessment to identify data at risk, provide remediation recommendations for applications to transition into production and follow approval process for business owners to obtain the Authority to Operate contingent on business risk.
  • Lead assessing innovative solutions using native Cloud Service Provider (CSP) components to transition legacy applications from closing data centers to the public Cloud.
  • Communicate and identify issues, which could potentially pose risk to the brand and provide recommendations for controls to mitigate those risks and increase the company's overall security posture.
  • Provide technical leadership for FanDuel divisions migrating to the public cloud to protect data in transit and at rest within and outside of the corporate boundaries (i.e., IaaS, PaaS, and SaaS).
  • Manage the delivery and plan effectively quality assurance, appraisal and approval of security deliverables to include revising and drafting test plans, security specification reviews and standards and technical documentation.
  • Manage Risk Assessments using FanDuel Group GRC platform, organizing and tracking all supporting evidence for closure, risk management and recommendations regarding cybersecurity controls throughout an asset's lifecycle and create standard process documentation to incorporate within the risk assessment.
  • Manage security posture during the early stages within Global Procurement and initiate/create a new documentation to combine within the procurement process for vendor management.
  • Lead the initiative to train all new hires on the SRA team and create a continuous yearly training process for member firms within the organization to understand the Risk Assessment process and act as a mentor/subject matter expert.
  • Bring your expertise in risk assessment to assess and report on our information systems ensuring processes and procedures are followed according to Information Security Policy requirements and best practices.
  • Work with the GRC team to create, enhance, support, and enforce company policy and practices for risk mitigation.
  • Identify and analyze the inherent risks in applications and supporting infrastructure and the controls that management has implemented to mitigate risks.
  • Lead, manage and execute complex IT assessment projects including internal audits, system implementations and specialized IT areas (cloud, devsecops, agile development).
  • Drive a culture of risk awareness, risk and control visibility with measurable risk reduction and effective reporting, and governance of risk reduction activities.
  • Perform onsite assessments and technical review of key vendors to ensure adherence to contractual obligations.
  • Document, assess, investigate and map known and unknown areas of risk, then present steps to lower or remove the risk, as appropriate.
  • Evaluate risks — known and unknown — within the company and its operations in accordance with known industry frameworks (i.e., ISO, SCF, NIST, GLI-33).
  • Manage and report on resolution of SAR findings, including provision of evidence for closure and create risk register. 


What we’re looking for in our next teammate

  • Experience running and managing risk assessments for a company with significant regulatory requirements, preferably Financial Services is required.
  • Risk Management experience, including developing and deploying remediation action plan is required.
  • Design and document IT compliance-specific process and procedure, as needed.
  • Strengthen relationships with cross functional teams to promote collaboration and cohesiveness.
  • Easily adapt to a rapidly evolving, faced paced, cyber security environment as it relates to changes in strategy or risk.
  • Demonstrate a strong understanding of the Information Security, IT environment and its impact on business risk. 
  • Strong understanding of technical terminology (e.g., platforms, architecture, ISO 27001, GLI-33 and SCF).
  • Public Cloud experience preferred.
  • Experience with using GRC platforms like ZenGRC considered a major plus.
  • Demonstrate ability to develop a strategy, and design and execute on the associated plan.
  • Strong verbal and written communication skills.
  • Strong organizational skills and attention to detail.
  • Professional presence and demeanor.
  • Demonstrated ability to work with all levels in an organization.
  • Minimum of 5 years of Risk Management, Information Security, IT Auditing or equivalent experience preferred

We treat our team right

Competitive compensation is just the beginning. As part of our team, you can expect:

  • An exciting and fun environment committed to driving real growth
  • Opportunities to build really cool products that fans love
  • Mentorship and professional development resources to help you refine your game
  • Flexible vacation allowance to let you refuel
  • Hall of Fame benefit programs and platforms

FanDuel Group is an equal opportunities employer. Diversity and inclusion in FanDuel means that we respect and value everyone as individuals. We don't tolerate bias, judgement or harassment.  Our focus is on developing employees so that they reach their full potential.

Apply for this Job

* Required


Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in FanDuel’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Form CC-305

OMB Control Number 1250-0005

Expires 05/31/2023

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

We are a federal contractor or subcontractor required by law to provide equal employment opportunity to qualified people with disabilities. We are also required to measure our progress toward having at least 7% of our workforce be individuals with disabilities. To do this, we must ask applicants and employees if they have a disability or have ever had a disability. Because a person may become disabled at any time, we ask all of our employees to update their information at least every five years.

Identifying yourself as an individual with a disability is voluntary, and we hope that you will choose to do so. Your answer will be maintained confidentially and not be seen by selecting officials or anyone else involved in making personnel decisions. Completing the form will not negatively impact you in any way, regardless of whether you have self-identified in the past. For more information about this form or the equal employment obligations of federal contractors under Section 503 of the Rehabilitation Act, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Autism
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, or HIV/AIDS
  • Blind or low vision
  • Cancer
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or hard of hearing
  • Depression or anxiety
  • Diabetes
  • Epilepsy
  • Gastrointestinal disorders, for example, Crohn's Disease, or irritable bowel syndrome
  • Intellectual disability
  • Missing limbs or partially missing limbs
  • Nervous system condition for example, migraine headaches, Parkinson’s disease, or Multiple sclerosis (MS)
  • Psychiatric condition, for example, bipolar disorder, schizophrenia, PTSD, or major depression

1Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.