About The Position

At BNY, our culture allows us to run our company better and enables employees’ growth and success. As a leading global financial services company at the heart of the global financial system, we influence nearly 20% of the world’s investible assets. Every day, our teams harness cutting-edge AI and breakthrough technologies to collaborate with clients, driving transformative solutions that redefine industries and uplift communities worldwide. Recognized as a top destination for innovators, BNY is where bold ideas meet advanced technology and exceptional talent. Together, we power the future of finance – and this is what #LifeAtBNY is all about. Join us and be part of something extraordinary.

We’re seeking a future team member for the role of Director, Information Security Program Manager, to join our Information Security team. This role is in Washington, DC or Pittsburgh, PA.

In this role, you’ll make an impact in the following ways:

Role Overview

BNY is seeking a seasoned Director, Information Security Program Manager to lead the creation, authorization, and continuous governance of a FedRAMP-compliant Azure Government tenant underpinning government payment transaction services. You will own the end-to-end program, from system boundary definition, documentation, and ATO readiness through continuous monitoring, ensuring sustained compliance at FedRAMP High. The ideal candidate blends rigorous compliance leadership with strong cloud security and platform enablement skills and has demonstrated success in systems subject to federal compliance.

Requirements

  • 12+ years of program management in regulated cloud environments; 3+ years directly owning FedRAMP programs, artifacts, and Continuous Monitoring.
  • Hands-on oversight, authorship, maintenance and response experience with SSP, POA&M, SAP/SAR; proven track record achieving/maintaining ATO for cloud services.
  • Deep knowledge of NIST SP 800-53 control families, FedRAMP Moderate/High baselines, ConMon processes, and 3PAO engagements.
  • Strong familiarity with Azure Government or GCC High and core security capabilities: identity/access, logging/monitoring, encryption, policy enforcement, landing zone patterns.
  • Demonstrated success orchestrating cross-functional teams (security, cloud/platform, payments, operations, compliance, legal) to deliver complex regulatory programs.
  • Exceptional communication skills: executive reporting, control narratives, audit responses, and stakeholder management.
  • Bachelor’s degree in information security, Computer Science, Information Systems, or related field; equivalent experience considered.

Nice To Haves

  • Direct experience enabling government payment transactions on cloud platforms and aligning control implementations to transactional risk profiles.
  • Azure-focused security experience (Defender for Cloud, Sentinel, Azure Policy/Blueprints, Key Vault, Private Link, Purview).
  • Prior experience collaborating with federal agencies, sponsoring organizations, or authorizing officials for ATOs.
  • Experience with security compliance to IRS 1075 requirements.
  • Certifications: PMP, CISSP, CCSP, CISM, Azure Security Engineer Associate, or equivalent.

Responsibilities

  • Own the multi-year FedRAMP roadmap for an Azure Government tenant supporting government transactions; define milestones, risks, dependencies, and decision gates.
  • Establish governance forums and operating mechanisms across engineering, cloud platform, information security, risk/compliance, legal, payment operations, and 3PAOs.
  • Maintain program OKRs/KPIs: POA&M closure velocity, control coverage, vulnerability SLAs, ConMon completeness, audit readiness, and 
  • Drive disciplined change control, evidence management, and control attestation workflows aligned to FedRAMP requirements.
  • Manage external partners and 3PAO activities (readiness, assessments, remediation).
  • Lead authoring and maintenance of FedRAMP artifacts: SSP and associated FedRAMP appendices, POA&M, policies/standards/procedures, boundary diagrams, and data flows tailored to Azure Government/GCC High constructs.
  • Define and maintain the system boundary and data categorization supporting payment transactions; align to FedRAMP High baseline.
  • Coordinate control implementation across all FedRAMP control families.
  • Conduct gap analyses against NIST SP 800-53 controls; drive remediation plans and ensure traceability from control narratives to technical and process evidence.
  • Stand up and run Continuous Monitoring, in alignment with FedRAMP High guidelines, for the Azure Government tenant: scanning cadence, patch cycles, configuration baseline monitoring, control effectiveness checks, incident handling, and change compliance.
  • Own POA&M lifecycle: triage findings, prioritize by risk, execute corrective actions, validate closure, reporting outstanding actions, and update artifacts.
  • Maintain real-time dashboards and reporting for control posture, exceptions, residual risk, and operational health across payment services and shared services.
  • Ensure SSP and supporting documentation are promptly updated to reflect material changes to boundary, services, configurations, or controls.
  • Coordinate security incident response processes with SOC teams and act as interface with the client throughout the incident lifecycle including root cause analysis and closure.
  • Serve as the primary contact for internal/external audits, 3PAO assessments, and authorizing officials; coordinate evidence collection and subject matter responses.
  • Prepare teams for assessments; lead walkthroughs, demos, and artifact reviews; shepherd remediation and risk acceptance processes as appropriate.
  • Enable engineering, operations, and payment teams with training and lightweight process embeds to sustain day-to-day FedRAMP compliance.
  • Maintain a program risk register spanning control gaps, architectural changes, data flows, vendor dependencies, and operational risks in payment services.
  • Escalate issues with quantified impact; drive compensating controls or risk acceptance decisions in partnership with risk/compliance.

Benefits

  • BNY offers highly competitive compensation, benefits, and wellbeing programs rooted in a strong culture of excellence and our pay-for-performance philosophy. We provide access to flexible global resources and tools for your life’s journey. Focus on your health, foster your personal resilience, and reach your financial goals as a valued member of our team, along with generous paid leaves, including paid volunteer time, that can support you and your family through moments that matter.