Senior Manager, Cyber Resilience Oversight

Your Opportunity

In Corporate Risk Management (CRM), our mission is to execute an independent and coordinated risk management program that supports delivery of predictable long-term financial and operational performance in order to produce successful client and shareholder outcomes. In CRM’s Technology Risk Management (TRM), we support CRM’s mission by managing information and technology risks to protect client assets, client information and firm assets. The Sr. Manager, Cyber Resilience Oversight role reports into the Director of Cyber Resilience Oversight. As a 2nd line of defense function, this position is responsible for collaborating with the broader TRM team as well as 1st line of defense partners to establish, maintain, report on, and continuously mature the Firm’s Cyber Resilience (CR), in support of the firm’s Operational Resilience framework.

What you are good at

• Contribute to the development of policies, standards, and methodologies for implementation of resilience program elements

• Provide an independent voice and effective challenge responsive to identified CR risk, and the risk treatment of findings
• Perform risk assessments to determine the appropriate level of cybersecurity enhancements and recovery considerations for Firm business processes
• Partner with 1st line of defense risk to oversee cybersecurity response and recovery playbooks with a focus on recovery steps
• Partner with Business Continuity team to oversee integration points between business continuity and cyber resilience programs
• Champion the inclusion of CR controls within the Firm’s Risk and Control Self-Assessment (RCSA) program by: ensuring technology owners are properly assessing cyber resilience risk in their environments, identifying breaks in the effectiveness of their CR controls, and mitigating discovered gaps
• Partner with other risk oversight functions, technology owners, and 1st line of defense risk managers to drive measurable and sustainable improvements within the control environment
• Create, maintain, and report on Issues/Findings, Action Plans, Risks, and Controls within the IBM OpenPages and/or Archer Governance, Risk, and Compliance (GRC) platform(s).
• Prepare regularly-scheduled and ad-hoc reports for management and risk committees regarding status of risk treatment activities
• Define management reporting requirements and metrics, including risk appetite metrics and key risk indicators
• Participate in strategic and tactical planning with 1st line of defense to mature the Firm’s CR posture

What you have

• 5+ years of experience in, and a solid understanding of, any of the following: Cyber Resilience, Cybersecurity, Risk Management, IT Risk/Control, and/or IT Audit domains,
• Experience with Internal Audits, SSAE16, SOX, and/or regulatory assessments
• Understanding of control frameworks, industry standards, and regulatory guidance, including: NIST CSF, NIST SP800-53, NIST SP800-160 v2, FFIEC, Center for Internet Security (CIS) Critical Security Controls, MITRE ATT&CK Framework, etc.
• Understanding of the ‘Three Lines of Defense’ governance model
• Extensive experience with driving change to risk programs and policies/procedures
• Ability to assess and effectively communicate the operational, technical, and financial impact of findings and control issues to executive and business leadership, using language that is relevant to and understandable by the business
• Broad, high-level understanding of the retail and institutional broker/dealer and banking industry, including technology, back-office operations, and servicing
• Ability to manage multiple efforts simultaneously across a large matrixed environment
• CISSP, CISM, CISA, CRISC, or equivalent certifications
• BS degree in related fields (Cybersecurity, Computer Science, etc.)