We are seeking a highly skilled and experienced Head of IT Controls, Security and Technology Risk (LoD1) to lead a critical team within the Natixis CIB Americas (AMER) IT department. In this key role, you will oversee and be responsible for the IT Security, Controls, Change Management, Incident Management, Disaster Recovery Planning and Remediation functions, reporting directly to the AMER Chief Information Officer (CIO). You will lead three teams, comprising approximately seven direct reports, each focusing on specific areas of IT risk, controls and security (Access Management, Vulnerability and Patch Management, Cybersecurity, etc.).

As an executive in the First Line of Defense (LoD1), you will play a crucial role in ensuring that the AMER IT organization maintains a robust Technology Risk posture that aligns with company and regulatory standards. You will facilitate effective change management and remediation processes across various IT teams, driving operational excellence and compliance.

This position requires outstanding communication and interpersonal skills, as you will regularly engage with senior management, board members, and regulatory bodies. Your ability to clearly and persuasively convey complex information will be essential for ensuring alignment with organizational goals and adherence to industry regulations. Additionally, you will lead audits and examinations (both internal and external) related to your areas of responsibility, which include the Controls, Change Management, Incident Management, Disaster Recovery Planning, Security, and Remediation functions for AMER IT (LoD1).

Controls and Security Governance: Ensure adherence to policies, standards, and controls across the different IT taxonomies. Address exceptions and align security risks with the organization's risk management framework, in accordance with BPCE Group/Natixis CIB strategy, industry best practices (e.g., NIST, SOC2, ISO), and regulatory compliance requirements (e.g., NY DFS Part 500, FFIEC). Regularly assess the effectiveness of AMER IT's LoD1 controls to ensure they are well-designed and operational, thereby mitigating risks and maintaining compliance with regulations. Present findings to the board and regulatory bodies, serving as the primary point of contact for auditor inquiries.

Controls and Security Compliance and Remediation: Oversee the implementation of comprehensive remediation actions to effectively address identified security gaps.

Project Planning and Tracking: Collaborate with the AMER Regulatory Affairs department and Head Office partners (BPCE Group and Natixis) to plan and prioritize AMER IT Controls, Disaster Recovery Planning (DRP), and Security projects and initiatives. Track progress and report deliverables to senior management.

IT Change and Incident Management: Coordinate IT changes within AMER IT teams while overseeing the incident response process. Ensure timely identification, investigation, and remediation of security incidents. Work closely with the Second Line of Defense (Operational Risk, CISO-Technology Risk Management) for escalation, impact assessment, reporting, and follow-up on remediation actions.

Incident Response Leadership: Lead the IT incident response process, including investigation, containment, eradication, recovery, and post-incident analysis to minimize the impact of IT breaches.

IT Risk and Security Assurance and Reporting: Manage repositories of evidence and artifacts necessary for audits and regulatory compliance. Provide metrics and outcome-based performance indicators to assess risk management and remediation activities.

Team Leadership and Development: Lead, mentor, and develop a team of security professionals and IT engineers. Foster their understanding of security gaps, encourage the evaluation of treatment options, and support the implementation of remediation strategies across your reporting scope and within AMER IT.
Job Type
Full-time
Career Level
Executive
Industry
Credit Intermediation and Related Activities
Number of Employees
5,001-10,000 employees