Description
Our Information Security professionals are passionate about information security and control solutions for computing environments. While managing a world-class team of technology experts, you'll partner with one or more disciplines, lines of business, regions or locations to respond to evolving business requirements and emerging threats. You'll also leverage your expert knowledge of today's ever-changing cybersecurity and risk landscape to influence IT operations across the firm. Responsibilities include offering guidance, best practices, and support across businesses, leading risk reviews and vulnerability assessments, identifying threats, communicating with senior leaders and other stakeholders, and managing budgets.
Success in the role requires being adept at developing relationships with senior business executives and a reputation for partnering across organizational lines to mitigate risks. The ability to collaborate with high-performing teams and diverse stakeholders to accomplish common goals, including experience working with geographically distributed and culturally diverse colleagues, is also critical. This position requires the ability to be flexible, meet tight deadlines, and operate under pressure.
Responsibilities
- Fostering an inclusive, collaborative workplace environment and building/maintaining productive working relationships with all team members and stakeholders
- Expert understanding of the firm-wide framework which governs management of the firm’s operational risk and control environment
- Functioning as a subject matter expert and advisor to all of global technology regarding requirements and approach to expression of the technology risk and control environment
- Working within the Cybersecurity Technology Controls Frameworks Team, in partnership with stakeholders from across Global Technology, managing the ongoing program to accurately represent and maintain the firm’s complex technology operations within the Corporate Operational Risk Environment (CORE) system. This includes:
  - Consulting with technology owners in Product, Engineering and Operations to appropriately model their processes, sub-processes, risks and controls for assessment.
  - Ensuring technology risk and controls reference data (e.g., risk scenarios, policies, standards, procedures, etc.) is available and aligned for use in the Corporate Operational Risk Environment system, such that assessments are consistent and can be justifiably informed by the performance data gathered from the technology estate (i.e., metrics and measures).
  - Consulting with business-aligned information risk managers to ensure technology assessments are aligned and inform business operational risk assessments in a meaningful, actionable manner.
  - Collaborating closely with Operational Risk Management and Business Controls Management to ensure that technology risk and control taxonomies are optimized, with supporting systems able to interoperate.
- As the system is used to manage and report the firm’s Operational Risk (including information, technology & cybersecurity risk), it is referenced by a majority of the independent assessments, audits and regulatory exams that the firm’s technology is continuously subject to. As a result, there are a significant number of partners from across Global Technology and beyond interested in the content of the Corporate Operational Risk Environment system. Effective communications, influencing and stakeholder management are key aspects of this role, including with senior and executive management.
- Facilitating firm-wide working groups comprised of representatives from each line of business and function to:
  - discuss and maintain awareness of changes to relevant requirements/expectations, related challenges, and dependencies
  - understand and articulate problem statements, performing root cause analysis as needed
  - propose and develop strategies/best practices for efficient achievement of target state
  - outline and monitor critical path to implementation, facilitating as needed
- Maintaining and enhancing guidance documents, execution templates, report designs, etc., providing guidance and direction as needed
- Generating reporting and performing data analysis related to line of business and corporate function implementation of requirements/expectations for firm-wide standards and frameworks
- Generating volume analyses, trending, and/or tracking, as needed, to justify proposed changes or monitor completion progress for agreed deliverables
- Collecting and aggregating feedback on opportunities to simplify and/or clarify requirements/expectations with relevant Standards, escalating to applicable document/framework owners
Requirements
- Formal training or certification on technology controls concepts and 5+ years applied experience
- Experience in the technology risk & controls and information risk management fields (e.g., identification of technology risks & effective mitigants, technology risk & controls assessments, associated governance & reporting, etc.)
- Knowledge of compliance, conduct, and operational risk management frameworks and processes
- Experience in using common technology controls industry best practice (e.g., from NIST, ISO, ISACA, etc.) frameworks
- Knowledge of technology-relevant financial services regulation (e.g., FFIEC handbooks, etc.)
- Inquisitive nature and comfort challenging current practices; proven track record of driving ideas forward and influencing
- Experience in identifying and using data from large data sets to support enterprise scale initiatives via analytics
- Strong leadership skills with exceptional communication and presence
- Advanced knowledge of multiple IT control and project management practices and experience working across large environments
- Ability to collaborate with high-performing teams and individuals throughout the firm to accomplish common goals
- Expertise in application and infrastructure high-availability and resiliency architectures with demonstrated experience in business
- Proficiency in information security domains, including policies and standards, risk and control assessments, access controls, regulatory compliance, technology resiliency, risk and control governance and metrics, incident management, secure systems development lifecycle, vulnerability management, and data protection