Director, Enterprise Cybersecurity Risk

Job Description:

The Role

Do you want to join a team focused on developing Next-Gen capabilities in Technology Risk? The Enterprise Technology Risk & Analytics (ETRA) group is seeking a passionate, driven and experienced professional to lead the Enterprise Cybersecurity Risk team. This highly visible and exciting role will include partnering with the various enterprise cybersecurity (ECS) functions to execute second line of defense risk activities such as performing risk assessments, evaluating applicability to external audit, testing controls, and supporting the design and implementation of new controls to mitigate emerging risks. This role will require strong networking and relationship management skills to collaborate with the various ECS teams including Application & Infrastructure Security, Workforce & Identity Management, External & Vendor Defense, Threat Detection and Response, Data Protection & Analytics, Information Security Office, and Fraud Intelligence Unit.

• 8-10 years' experience in information technology risk, cyber security, controls or audit roles
• Experience in fraud risk frameworks a plus
• Prior experience in team management and leadership is preferred
• Bachelor's Degree in Computer Science, Technology, or a related field of study preferred
• Professional technology and associated risk certifications (CISSP, CISA, CRISC, CISM), Certified risk/fraud examiners (CRE, CFE), and/or Cloud Certification(s) (CCSP, CCSK, AWS) preferred
• Experience performing Technology risk assessments, Control assessments or IT Audits or implementing Cybersecurity controls for large scale financial service organizations (cloud, distributed, vendor solutions, mainframe, and network environments)
• Demonstrated technical abilities in multiple areas (e.g., technology infrastructure and application controls, cyber security, access management, network and cloud, resiliency, etc.)
• Working knowledge of Cloud security and controls and cloud technology environments (AWS/Azure, SaaS, PaaS)
• You have a strong knowledge of information technology processes and controls and a comprehensive understanding of risk, quality control and assurance functions.
• Your love of solving complex problems, and comfort with ambiguous situations, and your ability to help solution innovative ways to mitigate risk using your advanced analytical and critical thinking skills
• Your ability to build and maintain collaborative working relationships with Information Technology and Business personnel to design and assist in the execution of appropriate controls design and monitoring
• Your process orientation and understanding of operations and technology enabling you to provide support in the analysis, development and monitoring of controls
• Knowledge of Industry standards, frameworks and best practices, such as NIST SP 800-53, COBIT, AICPA Trust Principles, ISO27001, HITRUST is preferred
• Knowledge of Governance, Risk, and Compliance (GRC) tools, such as Archer or Open Pages is preferred
• Your excellent verbal and written communication skills enabling you to prepare and present recommendations to senior management

• Providing technical direction and professional guidance to technology risk associates that fosters individual growth and development as well as team and organizational deliverables
• Assessing the various information technology risks that the business faces in its operations and implement action plans, policy and procedural changes for risk avoidance and mitigation
• Evaluating control maturity by performing control design and operating effectiveness reviews and peer reviewing as needed
• Conducting in-depth information technology risk assessments including documenting controls, identifying potential gaps and/or inconsistencies and making sound recommendations for improvement and/or mitigation
• Assist with developing and monitoring controls related to cybersecurity and to meet applicable security, audit, and regulatory requirements
• Provide technical assistance on risk related systems issues, and serve as a liaison for technology risk management
• Determining appropriate KPIs/KRIs for IT risk monitoring
• Understanding and consulting on information security standards and industry best practices
• Manage IT Controls program activities; this includes managing the Controls Inventory in GRC/OpenPages and control documentation, and performing IT Controls Testing to meet internal assurance and external audit requirements.
• Liaison with Internal and External audit teams, tracking of internal and external audit findings, perform issues follow-up, consulting and action plans with owners and issue resolution.