SMBC is seeking a 1st Line of Defense GRC Specialist at the Associate level who has a strong passion for Information Security risk management and is interested in building a career at a fast-growing reputable bank.
As an Associate within GRC, you will play a vital role in protecting SMBC s information assets by conducting comprehensive risk assessments, collaborating with stakeholders, and driving process improvements. Reporting to the Head of Security Risk Assessments, you will help shape the bank s security risk management practices and ensure compliance with internal and external standards.
Core Responsibilities
Perform information security risk assessments for new and existing SaaS and cloud-based solutions, client initiatives, and regulatory-driven requests.
Review and assess thirdparty security postures by analyzing SOC 1 and SOC 2 reports, ISO 27001 certifications, penetration test summaries, SIG responses, and security questionnaires.
Evaluate SaaS architectures, data flows, and hosting models, with particular attention to data protection, encryption, identity and access management, logging, and monitoring.
Identify control gaps, assess both inherent and residual risk, and partner with stakeholders to define practical mitigation strategies or compensating controls.
Translate technical and operational risks into clear, businessfocused language that resonates with both technical and nontechnical audiences.
Collaborate regularly with IT, business, risk, and compliance teams to support timely, wellinformed decision making.
Support remediation efforts by tracking open issues, validating responses, and documenting outcomes through established governance processes.
Stay current with information security policies, standards, and procedures, and help stakeholders understand how changes may impact risk assessments.
Contribute to the ongoing improvement of risk assessment processes, templates, and tooling.
Required Experience and Skills
2 3 years of experience in banking, financial services, or another highly regulated environment.
Hands-on familiarity with cloud service providers such as AWS, Azure, or Google Cloud Platform, and an understanding of how SaaS applications are built on cloud infrastructure.
A solid foundation in information security principles, risk assessment concepts, and control-based evaluations.
Working knowledge of common security and regulatory frameworks, including NIST, NYDFS Cybersecurity Regulation, GLBA, ISO 27001, NIST CSF, and data privacy regulations such as CCPA/CPRA.
Basic understanding of enterprise systems, operating systems, databases, identity and access concepts.
Strong written and verbal communication skills, with the ability to explain security risk clearly and concisely.
Comfortable working independently while also collaborating effectively across technical and business teams.
Well-organized, detail-oriented, and able to manage multiple assessments and competing priorities.
A strong sense of ownership and follow-through.
Ability to track and maintain risk assessment data and metrics using tools such as Microsoft Excel, Jira, or similar platforms.
Preferred / Nice to Have
Experience supporting thirdparty or vendor risk management programs.
Exposure to GRC platforms or security risk assessment tools.
Experience reviewing and interpreting SOC reports.
Current or in progress security certifications (e.g., CompTIA Security+, CompTIA Cloud+, AWS, Azure, Google Cloud Platform, CCSP, CRISC).
Never miss an opportunity! Create an alert based on the job you applied for.
