About The Position

Are you ready to make an impact at DTCC? Do you want to work on innovative projects, collaborate with a dynamic and supportive team, and receive investment in your professional development? At DTCC, we are at the forefront of innovation in the financial markets. We're committed to helping our employees grow and succeed. We believe that you have the skills and drive to make a real impact. We foster a thriving internal community and are committed to creating a workplace that looks like the world that we serve.

The Cyber Security Risk Office (CSRO) is responsible for setting strategic direction in the areas of cybersecurity. It maintains corporate security policies and control standards, acts as a second line of defense via a robust collection of risk and control assessments, reports to leadership and the Board on the status of the Cyber Security Programs, acts as an operational arm for monitoring threat intelligence, understanding when threats are being targeted against the firm, and responding to potential incidents, and serves as the main interface for Regulatory and Client reviews that focus on cybersecurity.

The Cyber Security Risk Governance role defines the enterprise cybersecurity risk framework, supports the establishment and maintenance of policies, control standards, and oversight mechanisms that set clear expectations for managing cyber risk. The individual will ensure that second-line governance and oversight practices are consistent, defensible, and aligned to regulatory, audit, and enterprise risk management standards.

Requirements

  • Minimum of 8 years of cybersecurity risk governance, control framework management or enterprise risk management in a highly regulated environment.
  • Bachelor's degree preferred or equivalent experience preferably with a technology-related major.

Nice To Haves

  • Certifications related to the candidate’s coverage responsibilities are beneficial, but not required, such as Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified Information Systems Security Professional (CISSP).
  • Demonstrated experience establishing enterprise risk governance methodologies.
  • Experience developing or mapping policies and standards to regulatory expectations, industry standards and enterprise frameworks.
  • Strong written and executive communication skills.
  • Experience supporting regulatory examinations and internal audit reviews.
  • Experience supporting the development, design and implementation of integrated GRC solutions.

Responsibilities

  • Manage and align the governance frameworks to enterprise and industry models (e.g., CRI, DTCC Corporate risk management policy) and define governance processes for risk oversight, aggregation and enterprise reporting.
  • Own the enterprise methodology for mapping policies to control standards, control standards to cyber risks, and cyber risks to KRIs, ensuring traceability into reporting and risk treatment.
  • Develop and maintain the Cyber Security Risk Appetite Statements and Risk Tolerance Statements, ensuring alignment with Board‑approved metrics, tolerance levels, and enterprise risk principles.
  • Support the development and maintenance of cybersecurity policies and control standards within the Cyber GRC solution, SmartSuite.
  • Establish and govern the cyber risk taxonomy, top risks, and enterprise risk family classification standards to promote consistency across enterprise reporting, including change management process for frameworks, taxonomy, and methodology updates.
  • Lead and facilitate the top cyber risk identification and prioritization by performing an annual top risk assessment and maturing the methodology and practices across the enterprise.
  • Manage and coordinate the credible challenge of top risks in support of cyber security risk strategy.
  • Support Cyber Risk Institute (CRI) maturity and controls assessments, including coordination with internal stakeholders and external assessors.
  • Define and standardize governance committee reporting templates, cadence, and expectations to ensure clarity and comparability of cyber risk reporting.
  • Define governance standards, content expectations, and requirements for cyber risk reporting to Board and executive forums (e.g., cyber risk posture, trends, and emerging themes).
  • Coordinate risk governance alignment across CSRO, GCRO, ORM, IT, and other stakeholders to ensure consistent interpretation and application of risk standards.
  • Support alignment to applicable regulatory cyber risk management expectations (e.g., NIST CSF, CRI Profile, or equivalent).
  • Partner across Cyber Security Risk Office and first-line leaders to ensure integrated governance, treatment, risk analytics and reporting lifecycle.
  • Drive traceability and auditability of outputs, ensuring documentation, evidence, and decision logic meet regulatory, internal audit, and external examination standards.

Benefits

  • Competitive compensation, including base pay and annual incentive
  • Comprehensive health and life insurance and well-being benefits, based on location
  • Pension / Retirement benefits
  • Paid Time Off and Personal/Family Care, and other leaves of absence when needed to support your physical, financial, and emotional well-being
  • DTCC offers a flexible/hybrid model of 3 days onsite and 2 days remote (onsite Tuesdays, Wednesdays and a third day unique to each team or employee)