Lead – Cyber Risk & Control Monitoring

Guardian Life Insurance | New York, NY
$118,980 - $195,465 | Hybrid

About The Position

Do you want to be part of a collaborative team? Are you a problem solver who enjoys diving into security risk, translating complex technical concepts for business partners, and driving meaningful risk reduction across the enterprise? As the Lead, Cybersecurity/IT Control Design and Monitoring, you will help oversee that appropriate controls are designed and monitored to ensure compliance with policies. You will partner across Cybersecurity, Technology, Risk Management, and Internal Audit to design controls, instrument and automate control monitoring, evaluate control performance through data-driven assurance, and drive timely remediation of control gaps. In partnership with 2nd line and control owners, this role helps to manage risk exposure and maintain alignment with policies and internal standards.

Requirements

  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Technology Risk Management, or a related field (or equivalent experience)
  • 5+ years of experience in cybersecurity, architecture, IT risk, technology audit,
  • Strong stakeholder management and communication skills; ability to translate technical control results into business risk
  • Experience defining control objectives to address risks, designing controls, identifying residual risks, designing assurance approaches (manual and automated), and identifying corrective actions that address root cause
  • Working knowledge of security, risk, regulatory, and control frameworks (e.g., NIST CSF/800-53, MAR, COBIT, SOC 2, NYDFS 500, etc.) and experience mapping controls across frameworks
  • Experience producing management-ready artifacts and facilitating governance forums
  • Experience working with and assessing cloud and SaaS environments (AWS, Azure, GCP) including shared responsibility models and cloud security controls
  • Understanding of AI/ML security and governance considerations (e.g., data protection, model risk, third-party AI, secure use/monitoring) is a plus
  • Ability to work with control telemetry and reporting and perform data analysis to identify trends, outliers, and control breakdowns
  • Must be legally authorized to work in the United States, without the need for employer sponsorship.

Nice To Haves

  • Relevant certifications preferred (e.g., CISSP, CISM, CRISC, CISA, Security+, CCSP)

Responsibilities

  • Engage in new projects (Tech Governance process) to ensure the appropriate controls are designed and implemented to meet policies, including as appropriate those related to Key Financial Systems (KFS)
  • Partner with internal audit Model Audit Rule team and risk team to ensure design is appropriate
  • Perform initial validation of designed controls to ensure they are designed and operating effectively prior to go-live
  • Help lead the design, execution, and continuous improvement of the first line information security continuous control monitoring program
  • In partnership with 2nd line, maintain a prioritized control inventory and define control objectives, owners, evidence sources, testing frequency, and monitoring methods
  • Identify coverage gaps, control weaknesses, and emerging risks through ongoing monitoring, drive changes to the 1st line monitoring program based on findings, and escalate to risk for issue management, remediation oversight, and risk trending
  • Oversee control testing and monitoring cycles (manual and automated), including data quality checks, sampling standards, and alignment to internal frameworks
  • Partner with control owners to instrument monitoring, improve known issues and risks, reduce manual evidence collection, and improve control reliability through automation
  • Promote a culture of accountability, transparency, and continuous improvement through coaching, documentation standards, and consistent follow-through
  • Coordinate with 2nd line liaison to ensure timely, accurate, quality and consistent responses to audit/regulatory requests and findings across D&T.
  • Determine if any findings are pervasive across other applications, platforms etc. and identify opportunities for further investigation
  • Support audit and regulatory assessments by ensuring 1st line evidence, documentation, and control artifacts are current and readily available
  • Assist D&T control owners in designing remediation plans that address root-cause correction, appropriate compensating controls, and achieve measurable risk reduction
  • Validate effectiveness of remediation actions identified through the 1st line monitoring program, confirm resolution and adequacy to prevent recurrence

Benefits

  • Skill-building
  • Leadership development
  • Philanthropic opportunities
  • Supportive, flexible, and inclusive benefits and resources