Job Specific Responsibilities
This position is responsible for directing and overseeing the information risk management strategy and processes for the largest consumer lender in the U.S. The candidate will implement and enforce policies, procedures, and programs to identify, assess, and reduce cyber risk to the enterprise across cyber security, information security, and cyber resiliency.
- Develop and implement enhanced cyber risk monitoring and reporting, including key risk indicators (KRIs) and risk dashboards. Update the Enterprise Risk Appetite to reflect the enhanced metrics.
- Work with Information Security and IT to develop and implement strategies to reduce cyber/info sec related operational risk (e.g., authentication standards and use of MFA, data encryption)
- Work with the CISO to ensure regular external threat assessments are performed, and develop an informal network of contacts for tracking threat-landscape risks and trends
- Ensure that review of cyber-related risks is incorporated into the development of the corporate online strategy and that an appropriate cyber/info sec control framework is established
- Ensure and coordinate regulatory compliance related to cyber risk management, including adherence to NYDFS requirements and the associated certification requirements
- Enhance and maintain enterprise level cyber and information security policies and standards including appropriate annual review processes and necessary governance framework
- Perform periodic risk assessments to identify gaps in Information Technology and Information Security controls and assist in the development of the firm’s risk mitigation strategies and programs
- In cooperation with the Legal and Compliance teams, ensure ongoing monitoring of the enterprise's information security and cyber-related operational risk as laws, regulations, and industry standards change
- In cooperation with the CISO, continue to enhance the Incident Response Plan and process, and support the programs necessary to remediate identified risks and vulnerabilities
- Monitor industry trends and emerging risks related to cyber risk and information security to ensure corporate awareness and recommend changes to policy, processes, and controls
- Participate in appropriate continuing education, seminars, and field-related professional organizations to remain current on developments in the information security profession
- Work with the appropriate Information Security, Office of General Counsel, Risk Management, and engagement leaders to determine scope of onsite visits, audits, and assessments as part of Enterprise Third Party Risk Management process
- Support the Company's cyber risk awareness program and training efforts to help ensure that stakeholders understand risk concepts and contribute to the risk management process, thereby promoting a risk-aware culture
- Support internal and external audits
The successful candidate will have extensive experience in Information Security and Cyber Risk from an Enterprise Risk Management perspective. The position requires the ability to build relationships and interface with multiple teams in order to perform risk assessments and to effectively identify and communicate the related risks within the environment, along with a track record of developing and implementing risk mitigation strategies.
- Bachelor's degree in Computer Science, Business Administration, or equivalent educational or professional experience and qualifications
- 3-5 years of experience in Risk Management related to Information Security and Cyber Risk Management, or as an auditor in these fields
- Experience with industry-standard frameworks such as ISO 27001 and SSAE 18 SOC 1 and SOC 2 reporting
- Strong project management and consultative skills with the ability to build collaborative relationships within all levels of an organization
- Understanding of risk management frameworks, as well as the risks and best practices related to the key areas of cyber and information security risk
- Strong written and oral communication skills, including the ability to create organized and articulate summaries of risk assessment findings and points of view that are easily understood by teammates and business partners
- Strong detail orientation with ability to research, compile, and report on data
- Industry certification (e.g., CISA, CISSP, CISM) is a plus