Manager, Information Security Assurance Services

Thrivent
Minneapolis, WI
Remote

About The Position

The Manager, Information Security Assurance Services is responsible for leading the design, build, and continuous maturation of the Information Security Assurance program. This role requires a proven track record of establishing and scaling information security assurance capabilities, including control frameworks, regulatory compliance and audit readiness, information security awareness, policy governance, third-party risk management, and the Payment Card Industry Data Security Standard (PCI DSS). This leader will oversee a team accountable for executing and evolving assurance processes, with a clear mandate to drive automation and standardization and to gain operational efficiency across all Assurance Services products and services. The role partners closely with business, technology, and regulatory stakeholders to ensure controls are effectively implemented, measured, and aligned to organizational risk tolerance and regulatory requirements. The ideal candidate brings demonstrated experience building GRC programs from the ground up and advancing them to a mature, technology-enabled function, leveraging automation, integrated tooling, and data-driven insights to reduce manual effort, improve control effectiveness, and enhance transparency. This role will be responsible for executing the strategic direction, establishing scalable processes, and ensuring the team delivers consistent, high-quality outcomes that strengthen the organization's overall security posture and resilience.

Requirements

  • Minimum 10 years of progressive experience across GRC, information security, technology risk, internal/external audit, controls, cybersecurity assurance, or closely related disciplines.
  • Minimum 5 years of direct people leadership experience, including coaching, performance management, workforce planning, and talent development.
  • Demonstrated experience operating within or directly supporting PCI DSS environments, including scope definition, control design, testing, remediation, evidence management, and QSA/ISA interaction.
  • Strong working knowledge of governance and control frameworks including NYDFS Part 500, NIST Cybersecurity Framework, CIS Controls, and PCI DSS, with the ability to design and defend control rationale to auditors and regulators.
  • Demonstrated experience designing, testing, and remediating IT general controls (ITGCs) and application-level controls.
  • Proven ability to communicate complex risk and control topics clearly to executive audiences, audit committees, regulators, and cross-functional stakeholders.
  • Ability to operate independently under limited direction, prioritize competing demands, and consistently deliver results in ambiguous, fast-moving environments.
  • Bachelor's degree in Information Security, Computer Science, Information Systems, related discipline, or equivalent professional experience.

Nice To Haves

  • Experience implementing or operating ServiceNow Integrated Risk Management (IRM) or comparable GRC platforms (e.g., Archer, AuditBoard, OneTrust, MetricStream).
  • Experience operating within a Product Operating Model, including roadmap planning, backlog grooming, sprint-based delivery, feature commitment management, and metrics-driven execution.
  • Experience in financial services, banking, or other highly regulated industries, including direct interaction with regulators such as state banking authorities, the OCC, FDIC, or NYDFS.
  • Industry certifications such as CISSP, CISA, CISM, CRISC, CGEIT, or CIA.
  • Demonstrated success improving control automation, continuous control monitoring, assurance testing efficiency, audit-readiness practices, and evidence-as-code approaches.

Responsibilities

  • Lead and continuously mature governance, controls design and testing, audit and regulatory response, security awareness, policy governance, third-party/vendor risk management (TPRM), and the PCI DSS program, with full accountability for adherence to established controls, policies, and regulatory requirements.
  • Serve as the team's go-to expert across information security assurance disciplines. Step in as an active contributor on control narratives, audit walkthroughs, regulator engagements, and remediation plans when program needs demand it.
  • Build, maintain, and continuously improve the control framework, ensuring alignment with NYDFS Part 500, NIST Cybersecurity Framework, CIS Controls, HIPAA, FDIC, PCI DSS v4.x, and other applicable standards. Maintain control libraries, control-to-framework mappings, and a defensible evidence model.
  • Direct the end-to-end response to internal audits, external audits, regulatory examinations, and PCI engagements. Personally review high-risk responses, evidence packages, and management responses prior to submission.
  • Provide senior oversight and governance of the PCI DSS v4.x program, including scope validation, strategy, control implementation, ISA coordination, AOC/ROC readiness, and compensating controls, and establish a clear multi-year roadmap to support enterprise goals.
  • Mature the TPRM program including inherent risk tiering, due diligence depth-of-review, contractual security requirements, ongoing monitoring, fourth-party visibility, and concentration risk reporting.
  • Own the enterprise information security policy governance (policies, standards, procedures, guidelines), including a defined lifecycle, exception management, ownership accountability, and executive committee approval cadence.
  • Direct the strategy, content, and measurement of the enterprise information security awareness program, including annual training, role-based training, phishing simulations, and Cybersecurity Awareness Month (CSAM) campaigns and activities.
  • Translate strategic priorities, regulatory expectations, and informal executive conversations into structured roadmaps, OKRs, deliverables, sprint commitments, and team execution plans. Partner with business, technology, regulatory stakeholders, and third parties to communicate complex issues, drive alignment on contentious topics, and advocate for business-aligned outcomes.
  • Manage, coach, and develop a multi-disciplinary team of assurance professionals. Set clear expectations, establish accountability, conduct performance management, and build a high-performing and high-trust team.
  • Drive process maturity, automation of evidence collection and control testing, improved reporting routines, reduced manual effort, and effective use and management of GRC/IRM platforms (e.g., ServiceNow IRM) to scale the program and sustain operations.
  • Define and operationalize KPIs/KRIs across each assurance domain. Deliver board-ready and executive-ready dashboards and narrative reporting that articulate program health and remediation trajectory.
  • Make and own operational and strategic decisions with significant impact to program effectiveness, and guide senior leaders through informed recommendations, best practices, and trade-off discussions.

Benefits

  • various bonuses (including, for example, annual or long-term incentives)
  • medical, dental, and vision insurance
  • health savings account
  • flexible spending account
  • 401k
  • pension
  • life and accidental death and dismemberment insurance
  • disability insurance
  • supplemental protection insurance
  • 20 days of Paid Time Off each year
  • Sick and Safe Time
  • 10 paid company holidays
  • Volunteer Time Off
  • paid parental leave
  • EAP
  • well-being benefits
© 2026 Teal Labs, Inc