Sr. Manager Information Security Governance

CIBC•Chicago, IL

2d•$160,000 - $190,000•Hybrid

About The Position

We’re building a relationship-oriented bank for the modern world. We need talented, passionate professionals who are dedicated to doing what’s right for our clients. At CIBC, we embrace your strengths and your ambitions, so you are empowered at work. Our team members have what they need to make a meaningful impact and are truly valued for who they are and what they contribute. Protect the bank’s regulatory standing by ensuring compliance and exam readiness, managing regulatory risk. This is a high visibility/high impact role. There are 3 primary components of the role: regulatory support, internal audit support, regulatory program compliance. The Sr Manager, Information Security Regulatory & Exam is responsible for regulatory exam support, quarterly regulatory briefings and adhoc regulator asks. You will also support Internal Audit activities. You will also be responsible for overall regulatory compliance, including regulatory compliance program ownership (e.g. NY-DFS, GLBA, FFIEC), performing/overseeing assessments, monitoring regulatory changes and recommending action. Provide regulatory reporting requirements and ensure timely, accurate and message appropriate reporting. Support may also include other teams under the Chief Security Office. Support may include and is not limited to Fraud, Operational Resilience, Third Party Governance & Physical Security. This is a hands on role with prep, coordination, direct activity ownership and oversight.

Requirements

10 years in Information Security, IT Risk Management, regulatory compliance or audit functions, within a US or Canadian bank (preferably at least 5 years in a leadership role)
Deep knowledge of key information security domains including network security, IAM, data protection, vulnerability management, application security, etc.
Awareness of emerging technologies and risks
Proven track record of managing banking regulatory examinations (e.g. FRB) and state specific oversight (e.g. NYDFS)
Demonstrated experience with FFIEC IT/Cyber Exam Handbook and GLBA Safeguards rule compliance.
Strong understanding of control frameworks (e.g. NIST CSF)
Ability to identify regulatory themes, assess control effectiveness and spot emerging gaps
Hands on experience preparing and delivering materials for regulatory agencies and internal/external auditors.
Skilled in exam logistics
Ability to determine and draft formal regulatory responses to information security issues which are clear, defensible and aligned with the overall risk posture
Experienced influencing and presenting to sr. leadership, boards and regulators
Exceptional written and verbal communication skills, with the ability to translate technical requirements into clear actionable language for regulators and executives.
Strong interpersonal skills to influence without direct authority
Experience with GRC platforms (e.g. MetricStream,OneTrust, Archer)
Certified professional with current Industry recognized certifications such as CISSP, CISM, CISA
Analytical Thinking
Group Problem Solving
Information Security
Network Operations
Security Operations
Security Risk Assessment
Technical Knowledge

Nice To Haves

You see the big picture and operate strategically
You act like an owner. You are action oriented, thriving when you're empowered to take initiative, go above and beyond, and deliver results.
You have a passion for excellence, holding yourself and others accountable.
You know that details matter. You notice and question things that others don’t.
Your critical thinking skills help to inform your decision-making.
You are a strong communicator, verbally and in writing, with the ability to flex to needs of executives and team members within and outside of US Information Security.
You’re goal-oriented. You’re motivated by accomplishing individual and team based goals and consistently delivering your best to make a difference.
You are a curious learner, staying current on industry trends.
You challenge the status quo and have a passion for continuous improvement.

Responsibilities

End to end exam management
Ensure regulatory exam readiness
Review and suggest approach (responses, evidence) to regulatory exam letters
Coordinate response and evidence collection (which may include direct response/fulfillment), evaluating and questioning, aligning on strategic messaging, presenting to sr. leadership to align on audit ready responses
Actively engage in regulatory remediation activities, which may include analysis of regulatory feedback, suggesting recommended action, coordinating and evaluating responses, performing remediation actions, preparing regulatory update decks, creating speaking notes, ensuring messaging alignment with internal stakeholders and addressing any post meeting follow ups.
Prepare oversight briefing materials, which includes recommendations on approach/key themes, with speaking notes
Coordinate follow up activities
Ensure internal teams are prepared for Internal Audit activities
Manage and socialize Internal Audit calendar
Coordinate audits, including fulfillment and evaluation of responses and evidence provided
Escalate potential issues before formal identification
Ensure timely review and response to audit reports
Oversee creation of new audit related deficiencies
Serve as point for monthly continuous monitoring
Ensure NY DFS program annual activities are completed, including the NY Branch assessment, surveys, with risks identified and actioned
Ensure FFIEC/GLBA program activities are completed, including the annual assessment with risks identified and actioned
Complete annual Regulatory Control Management activities
Complete annual Regulatory Control Requirement Assessment
Ensure overall CSO organization regulatory reporting dashboard is delivered
Monitor relevant laws, regulations and standards to ensure organization’s security practices align with regulatory requirements.
Create and distribute monthly regulatory development update reporting.
Assist with creation of materials for Annual Cyber Security Board Review and Quarterly Board Risk Committee Meetings
Creation of materials for various reporting committees and forums, including weekly status
Creation of materials for various reporting committees and forums, including weekly reports, business unit reviews and horizontal reviews
Oversee or complete specific enterprise, US region or department initiatives
Build strong relationships with internal and external partners, seen by them as a trusted partner
Complete ad hoc and urgent requests from internal and external partners, and recommend new controls to reduce risks
Work closely with US TI&I Risk & Controls Team, Regulatory Affairs, Operational Risk Management (ORM) and Internal Audit as required.
Foster collaborative relationships with a wide range of stakeholders to identify opportunities to enhance Information Security processes and controls, understand pain-points and priorities, influence direction, solve problems, and ensure successful adoption and operation of policies and standards.
Will be required to foster relationships with middle to senior management, and senior executives across a range of functions including Risk Management and Technology.
Share governance best practices, based on regulatory and audit observations and feedback identified
Provides ongoing advice and direction on a variety of complex conceptual or interpretative issues
Perform regulatory controls as assigned control performer
Implement continuous improvement areas
Create and maintain procedural documentation