Director, Information Security Risk Management Lead

About The Position

Requirements

• 10+ years of experience building, maintaining, and managing information security and data management risk governance, operations, and risk management functions.
• Broad-based technology experience at substantial scale and complexity in a global, highly regulated, high-volume transaction environment. Experience must include time operating within transaction services environments characterized by the need for continuous availability and the highest levels of security.
• Experienced developing and managing Enterprise and Operational Risk programs related to information security and data management, including implementing risk and control frameworks in accordance with best practices and Basel requirements.
• Experienced leading in a complex matrixed organization, ideally in a global firm with a dynamic and rapidly changing environment.
• Experienced leading within a highly regulated environment, with a preference for experience at the international and federal levels.
• Deep knowledge of information security and data management risk and control frameworks and a strong understanding of related policies, procedures, guidelines, and structure.
• Functional expertise, with operational knowledge of and exposure to various current and emerging information security and data management areas such as: v Cyber resilience
• Identity & privileged access management
• Secure coding practices
• Cloud security configuration and control frameworks
• Artificial Intelligence
• Third-party risk management
• Incident management
• Threat/vulnerability management
• Network security
• Data governance
• Data quality
• Data architecture/lineage
• B.S. in a technology discipline (Computer Science, Information Management, Computer Engineering, Cybersecurity or equivalent). M.S. desired.
• Working knowledge of information security and data management life cycles based on an established framework: CRI, NIST CSF, NIST SP 800-53, ORX, ISO 27001, SANS, CERT, ENISA, CSA, OACA, ISACA, DAMA-DMBOK.
• Proficiency in MS PowerPoint and Excel.
• Judgement and decision making
• Communication & Influence
• Teamwork & Professionalism
• Able to work independently, as required
• Takes personal responsibility and accountability for solving ORM related problems to meet organizational standards
• Identifies and appropriately manages/escalates potential risks
• Assist business partners with their identification of process / control related issues.
• Makes decisions that have moderate and at times high impact within a function, producing positive or negative effect for efficiencies, delays, and contribute to financial gain or expense
• Contributes significantly to achieving cross-functional, consensus driven decisions by engaging and influencing others
• Manages work guided by established policies; and regularly establishes new procedures and policies as required
• Drives innovative solutions that contribute to the success of the department and/or viability of the organization
• Delivers, directs, and facilitates communication amongst the function and to business functions
• Resolves conflicts, influences outcomes on matters of significance for the division
• Identifies opportunities to improve the effectiveness or efficiency of key processes within a function and/or across functions
• Builds strong relationships across the organization
• Drives teamwork and cooperation with others to arrive at consensus driven decisions
• Demonstrates the CLS values, superior professionalism and ethical conduct
• Adapts to unexpected changes in circumstances and re-prioritises the team's approach and activities
• Plans and prioritises, establishing a course of action leading to successful achievement of the team's objectives
• Designs and implements new working practices and structures which deliver improvements for the team

Nice To Haves

• Relevant certification is desirable, e.g., CISSP, CISM, CISA, CRISC.
• Experience in broader MS Office suite, including Project and Visio is a plus
• Experience with enterprise GRC tools, e.g. Archer is a plus

Responsibilities

• Assist the Head of Technology and Information Security Risk Management and Head of Enterprise Risk and Operational Risk Management in driving the culture of engagement, teamwork and accountability.
• Work with the Information Security and Data Management teams to challenge risk assessments, and lead in efforts to strengthen the control environment in line with the evolving threat landscape.
• Support the CRO and Head of Enterprise Risk and Operational Risk Management in furthering the use and efficacy of the ERM and ORM framework while enhancing its applicability to manage information security and data management risk.
• Lead horizontal reviews of top information security and data management risks, identifying gaps in control coverage and recommending control improvements to address identified gaps.
• Complete thematic reviews of operational risk events and associated proposed actions to propose control enhancements that reduce risk of recurrence.
• Collaborate with the Information Security and Data Management teams to review control capabilities against industry standards and lead efforts to strengthen the control environment in line with the evolving threat landscape.
• Review and challenge actions to address gaps, monitor progress of actions, and validate sufficiency of closure evidence.
• Prepare status reports as needed and present to Technology Leadership, Audit, and regulatory bodies as required.
• Provide review and credible challenge of the information security and data management risk profile and all associated framework components, e.g., risk and control self-assessments, control testing, event management, metrics and indicators, risk appetite, finding management, and reporting.
• Provide subject matter expertise to business units to drive, guide and influence risk ownership, clarity and assessment of risks & controls.
• Review and monitor the progress of actions and validate appropriateness of closure evidence.
• Thematic review of operational risk events and associated proposed actions to reduce risk of recurrence.
• Document credible challenge of information security and data management appetite to support the Enterprise Risk management (ERM) program.
• Regular review and challenge of key risk indicators including thresholds and applicability to risk appetite.
• Prepare monthly and quarterly ORM/ERM reports and present to Technology Leadership, Audit, and regulatory bodies as required.
• Provide challenge of risk management of material information security and data management projects that may impact the firm’s risk profile.
• Work with business partners to challenge the quality of the project inherent risk assessments and contribute to the independent risk review for projects.
• Review project benefits and closure artifacts in preparation for transition to BAU.
• Review and challenge large-scale information security and data management risk remediation efforts
• Review and challenge the sufficiency of planned actions to address identified problems, provide stated benefits, and meet regulatory expectations.
• Review and monitor the progress of actions and validate sufficiency of closure evidence.
• Prepare status reports as needed and present to Technology Leadership, Audit, and regulatory bodies as required.
• Actively present to various committees and forums to keep management educated on changes and challenges to CLS risk appetite.
• Be a respected point of contact to stakeholders across the business and technology functions in providing credible operational risk coverage for information security and data management risk.
• Maintain and oversee relevant policies, standards, and procedures related to CLS information security and data management processes.
• Provide guidance and support to junior members of the team.
• Lead projects in co-ordination with Operational Risk team to enhance the ORM framework and assist with implementation of best practices
• Interact with and / present to the Federal Reserve Bank of New York in regular continuous monitoring meetings
• Ability to influence and gain credibility with the business

Benefits

• 2 paid volunteer days so that you can actively support causes within your community that are important to you.
• Generous parental leave policies to ensure you can enjoy valuable time with your family.
• Parental transition coaching programmes and support services.
• Wellbeing and mental health support resources to ensure you are looking after yourself, and able to support others.
• Employee Networks (including our Women’s Forum, Black Employee Network and Pride Network) in support of our organisational commitment to embrace and always be learning more about inclusivity.
• Hybrid working to promote a healthy work/life balance, enabling employees to work collaboratively in the office when needed and work from home when they don’t.
• Active support of flexible working for all employees where possible.
• Monthly ‘Heads Down Days’ with no meetings across the whole company.
• Generous non-contributory pension provision for UK/Asia employees, and 401K match from CLS for US employees.
• Private medical insurance and dental coverage.
• Social events that give you opportunities to meet new people and broaden your network across the organisation.
• Annual flu vaccinations.
• Discounts and savings and cashback across a wide range of categories including health and retail for UK employees.
• Discounted Gym membership – Complete Body Gym Discount/Sweat equity program for US employees.
• All employees have access to Discover – our comprehensive learning platform with 1000+ courses from LinkedIn Learning.
• Access to frequent development sessions on a number of topics to help you be successful and develop your career at CLS.