Director, Information Security Risk & Control Lead

New York, United States of America

The Information Security Governance, Risk and Compliance (GRC) function is an integrated component of the Santander US Information Security Program.

As part of the Technology Information Security GRC Team this role will report to the Head of Information Security GRC. The Director, Information Security GRC, will play a key role in the GRC team driving strategic initiatives alongside maintaining operational excellence of existing processes.

Specifically this role be responsible for the following:

• Proactively identify, assess and manage Information security risks. Provide guidance/ advice of remediation activities and oversee implementation for timely remediation.
• Ensure timely registration of Information Security issues/findings in the Corporate Governance Risk and Compliance tool. Ensure that issues/findings are appropriately mapped to risks and controls.
• Execute and maintain quarterly Control Maturity Assessment and annual Cyber Risk Assessment reporting for the Information Security Committee.
• Maintain Control Maturity Score and Control Suite Effectiveness metric within expected annual objective by proactively tracking remediation, identification of control improvements and appropriate documentation/evidence.
• Collaborate with the testers in the semi-annual control testing by coordinating and facilitating the Information Security process and control assessment through evidence collection and appropriate documentation of existing processes.
• Provide Information Security Risk Management guidance and support to the Information Security leads and operational teams e.g.: Cyber Operations, Identity and Access Management, Security Architects, etc.
• Build partnership and collaboration with the different areas involved in risk management across the organization e.g.: Second Line of Defense Operational and Information Risk Management teams, Business Control Office, Business Information Security Office, etc.
• Build partnership and integrate into governance routines for Santander Global CISO initiatives within the Information Security Risk domain.
• Perform risk aggregation and risk analysis to identify top risks and areas of focus/improvement for prioritization.
• Manage key strategic initiatives relating to Third Party Risk Management In relation with Information Security requirements. This includes experience evaluating TPRM controls and processes at the vendor side as well as definition of the appropriate evidences of compliance and evaluation of SOC2 reports when needed.
• Experience working with Legal to evaluate and define contractual clauses. Maintain Data Security Exhibit clauses up to date and aligned with industry best practices and Santander standards.
• Manage and coach a team of 5 internal team members and ability to influence others to achieve risk management goals.

• Demonstrated experience working with key Information Security frameworks including NIST, FFIEC CAT, CIS Control library, etc.
• Pro-active approach to problem solving, with experience in identifying areas of improvement, determining, and implementing solution.
• Knowledge of technologies and technology-based solutions dealing with information security issues; ability to apply these in protecting information security across the organization.
• Knowledge of tools, techniques, approaches and processes of cybersecurity risk management; ability to ensure organizational network operation and minimize negative effect by cybersecurity risks.
• Understanding of the importance of inter-team collaboration in breaking down silos and achieving business results; ability to lead employees from various functions to communicate, coordinate work across divisions, and collaborate in solving problems as one team.
• Understanding of the importance of "big picture" thinking and planning and ability to apply organizational acumen to identify and maintain focus on key success factors for the organization.
• Demonstrated understanding of technological trends and developments in the areas of information security, risk management, web architectures, and cloud computing.
• Ability to maintain and implement best practices within Information Security
• Ability to drive execution of goals through effective planning, prioritization, resource management and follow through.
• Ability to manage multiple, ongoing initiatives