Director, Cybersecurity, Resilience & Governance

About The Position

Requirements

• 5+ Years of experience managing a diverse team of SME’s in one or more of the following disciplines: Disaster Recovery, Business Continuity, Information Technology/Systems, Project Management, Information Risk Management, Information Security, ideally with some of that time spent in a large, complex organization.
• Strong understanding of application security (OWASP Top 10, API security, secure coding practices)
• Experience with modern authentication and identity systems (OAuth2, OIDC, SAML, service principals, workload identity)
• Knowledge of secrets management and secure credential handling (e.g., Key Vault, vault-based patterns, eliminating hardcoded secrets)
• Familiarity with cloud security architectures (Azure/AWS), including IAM, networking, and workload protection
• Some familiarity with BCM Planning tools and/or relational databases – e.g., Fusion Risk Management.
• Ability to interpret and assess security findings (e.g., Snyk, code scanning, penetration testing results) and guide remediation
• Broad understanding of application system technologies and Business Continuity/Disaster Recovery tools and techniques.
• Excellent communication skills (oral and written) including ability to develop and deliver effective user education sessions and a willingness to present to all organizational levels.
• Achievement oriented with proven project management skills and the ability to work independently and as part of a team, managing multiple priorities within tight deadlines while maintaining a professional and friendly attitude.
• Ability to work off-hours to help manage incidents or communicate with colleagues in different time zones, occasionally.
• Proven ability to build relationships, engage and influence others, and work with diverse internal and international user communities as well as vendors

Nice To Haves

• Financial Services industry experience
• Professional certification in BCM – ABCP, CBCP, MBCI or MBCP
• Professional certification for information security – CISSP, CISA, CISM, CRISC, GIAC
• Solid understanding of Generative AI foundations, principles and tools
• The ability to work both independently and as part of a team, managing multiple priorities, people and deadlines

Responsibilities

• Lead and improve application and operational security consulting services to IT, partners and clients
• Serve as a technical security advisor to BUSOs and business-aligned teams, elevating their ability to identify, assess, and remediate risk beyond checklist-based approaches
• Provide hands-on guidance on secure architecture design, including application, cloud, and infrastructure security patterns
• Act as an escalation point for complex security issues, including authentication, authorization, secrets management, and data protection
• Guide teams on modern identity and access patterns (OAuth2, OIDC, SAML, service-to-service authentication, workload identity, etc.)
• Provide technical oversight on cloud security (Azure/AWS) including IAM, network segmentation, and workload protection
• Translate security requirements into practical, implementable solutions aligned with business and engineering constraints
• Drive adoption of secure-by-design principles across new initiatives and onboarding efforts
• Mentor BUSOs to become more technically fluent, enabling them to act as effective security consultants to the business
• Oversee and technically validate application risk assessments, ensuring findings are grounded in real architecture, data flows, and threat models (not just control checklists)
• Maintain a high level of awareness on security issues and control objectives among all levels of business line staff
• Embrace and deploy innovative solutions to manage the information risk associated with new technology and new processes
• Identify and communicate known security control issues to business area teams and leadership, providing guidance (as necessary) and oversight to ensure timely remediation
• Provide support to other risk teams as necessary to address high priority risks
• Ensure adherence to global information security policies and standards; work with the business and technical teams to implement solutions that comply with security policies and processes
• Actively participate in your team’s plans to achieve their goals, this includes goals that originate from the security team and the business.
• Participate in frameworks used to measure and report on progress towards the achievement of goals
• Stay current on emerging technologies, key business drivers, evolving threats and opportunities from both the business and the security team
• Collaborate with other security and risk professionals within the US segment and across the company
• Participate in divisional and global security and risk projects and initiatives as requested.
• Ensure business requirements and needs are considered in initiatives, projects and services.
• Ability to challenge and refine risk decisions by evaluating actual exploitability, attack paths, and compensating controls
• Manage the BCM Program - Lead, shape and deliver a practical and effective Business Continuity/Disaster Recovery program that ensures our critical applications, systems, networks and information assets are working and available whenever our business clients need them.
• Provide program oversight to ensure our partners in the Business and in IT are following best practices and remain compliant with Global Standards.
• Work with IT, Project Management colleagues and vendors to ensure systems are built with DR requirements embedded and recovery documentation is in place.
• Work with business areas to ensure recovery strategies and workarounds are documented in case of business interruption.
• Work with vendors and internal partners to provide alternate work areas for critical business processes to continue with minimal interruption in case a primary work area becomes inaccessible.
• Work collaboratively on projects and exercises that benefit the larger BCM program and organization.
• Develop, schedule and conduct BC/DR exercises in accordance with divisional goals and Global standards.
• Provide oversight for exercises run by the BU or IT teams themselves.
• Leverage Manulife’s global scale and work with partners worldwide to constantly improve the exercise process and recoverability of processes and systems.
• Use communication skills to provide calm and professional crisis management during disasters or business interruptions.
• Work with incident management and other BC/DR professionals across the company in delivering and gathering timely information and providing guidance in response to disasters.
• Perform quality assurance checks of the work done by the BU’s and IT to ensure they are meeting or exceeding Global standards.
• Move key elements of our program to higher levels of maturity (as measured by Capability Maturity Model) through continuous improvement of processes
• Provide advice, assistance and support to BU’s, IT and other project teams in the delivery of their projects or changes to ensure BC and DR considerations are included as required by Standards.
• Work with other IRM teams to identify areas of program improvement and drive execution through special projects and general working sessions
• Embrace and deploy innovative solutions to manage the information risk associated with new technology and new processes.
• Standardize/streamline our processes and metrics
• Find, devise and deploy ways to standardize our processes not only within BCM but across IRM, ERM and ORM functions to show a holistic view of Information Risk
• Automate the production of metrics and continue to move them to quantitative measures
• Collaborate with multiple levels and facets of internal Agile business teams to review and triage Agile business outcome-based road maps to identify level of risk associated and resulting risk mitigation actions.
• Participate in Agile ceremonies (Delivery Increment planning sessions, sync meetings and other key ceremonies, demos, etc.) that Business teams hold to ensure full understanding of business drivers / outcomes / shifts in direction.
• Facilitate discussions amongst the CRG team members, sharing Business outcome roadmaps and triage script outcomes on a regular basis
• Act as a change agent and customer relationship manager to the IT community on behalf of CRG.
• Collaborate with the Second Line of Defense Risk teams for highest risk initiatives to ensure Line 1 information is readily available for management assurance review.
• Be part of an active team who remains current on emerging risks and technologies, key developments and strategies for the businesses you support.
• Stay informed on emerging technologies, key business drivers, evolving threats and opportunities from both the business and CRG

Benefits

• health, dental, mental health, vision, short- and long-term disability, life and AD&D insurance coverage, adoption/surrogacy and wellness benefits, and employee/family assistance plans.
• various retirement savings plans (including pension/401(k) savings plans and a global share ownership plan with employer matching contributions) and financial education and counseling resources.
• up to 11 paid holidays, 3 personal days, 150 hours of vacation, and 40 hours of sick time (or more where required by law) each year
• full range of statutory leaves of absence.