Under the leadership of the Chief Information Security Officer (CISO), the Security Risk Manager is tasked with protecting information assets in support of business objectives and in conformity with policies. The Manager will manage security and risk programs to identify, classify, remediate, monitor and mitigate security risks and vulnerabilities throughout the company. Primary responsibilities include management of security operations monitoring and risk assessment programs, development and review of assessment reports and statistics, and briefing of risk findings to company stakeholders.
- Develops, manages and improves information security risk-based programs to ensure the integrity, confidentiality and availability of information assets;
- Conducts security risk assessments of business processes, technology designs, security controls, technology architectures, product designs, network systems and application security;
- Defines and facilitates the information security risk assessment process and works effectively with the technology and risk groups in the implementation of security measures;
- Manages the development and implementation of the security policy, standards, guidelines and procedures for responsible security programs;
- Leads or manages security monitoring and resulting incident management;
- Evaluates new security technology and trends, evolving threats, risks and vulnerabilities and provides recommendations to strengthen internal and external information security environment;
- Coordinates the definition, production and continual improvement of security metrics across technology, security and business units;
- Partners with peers to analyze and collect risk data and metrics from existing vulnerability, vendor management, security operations, threat management, and application-related processes;
- Recommends security controls and/or corrective actions for mitigating technical and business risk;
- Participates in technology and security strategy planning processes to ensure identified risk mitigation is addressed in departmental planning;
- Creates a culture of cyber security both within the IT organization and by driving behavioral changes for the business;
- Oversees, develops and/or delivers initial and ongoing security training to promote activities that foster information security awareness within the organization and related entities;
- Works closely with the Legal Department to ensure alignment between security and privacy compliance programs; and
- Has responsibility for following regulatory requirements including those pertaining to the Bank Secrecy Act (BSA), Anti-Money Laundering (AML), Customer Identification Program (CIP), and OFAC to assist in the identification, detection and deterrence of money laundering or other unlawful activities;
- Has responsibility to follow and implement IT security best practices as outlined by the Federal Financial Institution Examination Council (FFIEC) through its IT Examination Handbook booklets specifically as it pertains to information security; and performs other duties as required.
- Must be an intelligent, articulate and persuasive leader who is able to communicate security-related concepts to a broad range of technical and non-technical staff;
- Comprehensive knowledge of IT security technologies, techniques and best practices that cover all levels of IT architecture, including those that affect business processes, data applications and network and systems infrastructure and their effects on a diverse computing environment;
- Thorough knowledge of relevant information security laws, guidance and policies applicable to the financial industry;
- Thorough knowledge of the various Bank industry and government standards in privacy and security;
- Knowledge of business continuity planning, auditing and risk management;
- Experience in general IT, TCP/IP networking, intrusion detection systems, firewalls, security monitoring, access controls, encryption techniques, security solution deployment strategies, and network/application vulnerability assessments;
- Excellent Project Management, written and oral communication skills; and
- Ability to work with a broad range of constituencies;
- Bachelor's degree in Computer Science, Information Systems or equivalent experience is required; and
- Industry security certifications preferred (CISSP, CISA/M, CEH, GSEC, SSCP, etc.).
- Minimum of 3-5+ years in an advanced information security, information technology or related role;
- Proven track record and experience in developing Information Security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment;
- Working knowledge and experience in the policy and regulatory environment of information security, specifically the financial industry and banking;
- Experience with advanced security monitoring solutions (SIEM, IDS, IPS, etc.), corporate security tools, and network and application security assessments;
- Must be an innovator, keeping up-to-date on security initiatives and standards;
- Must be a critical thinker, with strong problem-solving skills;
- Demonstrated organization, facilitation, written and oral communication, and presentation skills; and
- A high level of integrity and trust.
Physical Demands/Work Environment Requirements:
- Vision, hearing, speech, movements requiring the use of wrists, hands and/or fingers;
- Able to sit, stand, stoop and bend; and
- The ability to work the days and hours required to fulfill the essential functions of the position;
- Learning, thinking, concentration;
- The ability to interact with others and exercise self-control;
- The ability to work under stressful conditions, particularly in customer situations; and
- The ability to make decisions and exercise discretion, when necessary.