Cyber Security Risk Governance Associate Director

Hybrid in Coppell, TX, US • Posted 4 hours ago • Updated 4 hours ago
Full Time
On-site

Job Details

Skills

  • Professional Development
  • Innovation
  • Life Insurance
  • Leadership
  • ARM
  • Threat Analysis
  • FOCUS
  • Auditing
  • Change Management
  • Taxonomy
  • Risk Assessment
  • Cadence
  • Clarity
  • Object-relational Mapping
  • Analytics
  • Documentation
  • Cyber Security
  • CISA
  • ISACA
  • Information Systems
  • CISSP
  • Mapping
  • Communication
  • Internal Auditing
  • SAP GRC
  • SAP BASIS
  • Banking
  • Reporting
  • Finance
  • Amazon S3
  • Securities
  • LinkedIn
  • YouTube
  • Facebook
  • Collaboration
  • Teamwork
  • Financial Services
  • DTCC
  • Security Clearance
  • Risk Management
  • Management
  • Spectrum

Summary

Are you ready to make an impact at DTCC?

Do you want to work on innovative projects, collaborate with a dynamic and supportive team, and receive investment in your professional development? At DTCC, we are at the forefront of innovation in the financial markets. We're committed to helping our employees grow and succeed. We believe that you have the skills and drive to make a real impact. We foster a thriving internal community and are committed to creating a workplace that looks like the world that we serve.

Pay and Benefits:
  • Competitive compensation, including base pay and annual incentive
  • Comprehensive health and life insurance and well-being benefits, based on location
  • Pension / Retirement benefits
  • Paid Time Off and Personal/Family Care, and other leaves of absence when needed to support your physical, financial, and emotional well-being.
  • DTCC offers a flexible/hybrid model of 3 days onsite and 2 days remote (onsite Tuesdays, Wednesdays and a third day unique to each team or employee).

The Impact you will have in this role:

The Cyber Security Risk Office (CSRO) is responsible for setting strategic direction in the areas of cybersecurity. It maintains corporate security policies and control standards; acts as a second line of defense via a robust collection of risk and control assessments; reports to leadership and the Board on the status of the Cyber Security Programs; acts as an operational arm for monitoring threat intelligence, understanding when threats are being targeted against the firm, and responding to potential incidents; and serves as the main interface for Regulatory and Client reviews that focus on cybersecurity. The Cyber Security Risk Governance role defines the enterprise cybersecurity risk framework and supports the establishment and maintenance of policies, control standards, and oversight mechanisms that establish clear expectations for managing cyber risk. The individual will ensure second-line governance and oversight practices are consistent, defensible, and aligned to regulatory, audit, and enterprise risk management standards.

Your Primary Responsibilities:
  • Manage and align the governance frameworks to enterprise and industry models (e.g., CRI, DTCC Corporate risk management policy) and define governance processes for risk oversight, aggregation and enterprise reporting.
  • Own the enterprise methodology for mapping policies to control standards to cyber risks to KRIs, ensuring traceability into reporting and risk treatment.
  • Develop and maintain the Cyber Security Risk Appetite Statements and Risk Tolerance Statements, ensuring alignment with Board-approved metrics, tolerance levels, and enterprise risk principles.
  • Support the development and maintenance of cybersecurity policies and control standards within the Cyber GRC solution, SmartSuite.
  • Establish and govern the cyber risk taxonomy, top risks, and enterprise risk family classification standards to promote consistency across enterprise reporting, including change management process for frameworks, taxonomy, and methodology updates.
  • Lead and facilitate the top cyber risk identification and prioritization by performing an annual top risk assessment and maturing the methodology and practices across the enterprise.
  • Manage and coordinate the credible challenge of top risks in support of cyber security risk strategy.
  • Support Cyber Risk Institute (CRI) maturity and controls assessments, including coordination with internal stakeholders and external assessors.
  • Define and standardize governance committee reporting templates, cadence, and expectations to ensure clarity and comparability of cyber risk reporting.
  • Define governance standards, content expectations, and requirements for cyber risk reporting to Board and executive forums (e.g., cyber risk posture, trends, and emerging themes).
  • Coordinate risk governance alignment across CSRO, GCRO, ORM, IT, and other stakeholders to ensure consistent interpretation and application of risk standards.
  • Support alignment to applicable regulatory cyber risk management expectations (e.g., NIST CSF, CRI Profile, or equivalent).
  • Partner across Cyber Security Risk Office and first-line leaders to ensure integrated governance, treatment, risk analytics and reporting lifecycle.
  • Drive traceability and auditability of outputs, ensuring documentation, evidence, and decision logic meet regulatory, internal audit, and external examination standards.

**NOTE: The Primary Responsibilities of this role are not limited to the details above.**

Qualifications:
  • Minimum of 8 years of cybersecurity risk governance, control framework management or enterprise risk management in a highly regulated environment.
  • Bachelor's degree (preferably with a technology-related major) or equivalent experience preferred. Certifications related to the candidate's coverage responsibilities are beneficial, but not required, such as Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified Information Systems Security Professional (CISSP).

Talents Needed for Success:
  • Demonstrated experience establishing enterprise risk governance methodologies.
  • Experience developing or mapping policies and standards to regulatory expectations, industry standards and enterprise frameworks.
  • Strong written and executive communication skills.
  • Experience supporting regulatory examinations and internal audit reviews.
  • Support the development, design and implementation of integrated GRC solutions.

The salary range is indicative for roles at the same level within DTCC across all US locations. Actual salary is determined based on the role, location, individual experience, skills, and other considerations. We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, sex, gender, gender expression, sexual orientation, age, marital status, veteran status, or disability status. We will ensure that individuals with disabilities are provided reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. Please contact us to request accommodation.

About Us

With over 50 years of experience, DTCC is the premier post-trade market infrastructure for the global financial services industry. From 20 locations around the world, DTCC, through its subsidiaries, automates, centralizes, and standardizes the processing of financial transactions, mitigating risk, increasing transparency, enhancing performance and driving efficiency for thousands of broker/dealers, custodian banks and asset managers. Industry owned and governed, the firm innovates purposefully, simplifying the complexities of clearing, settlement, asset servicing, transaction processing, trade reporting and data services across asset classes, bringing enhanced resilience and soundness to existing financial markets while advancing the digital asset ecosystem. In 2024, DTCC's subsidiaries processed securities transactions valued at U.S. $3.7 quadrillion and its depository subsidiary provided custody and asset servicing for securities issues from over 150 countries and territories valued at U.S. $99 trillion. DTCC's Global Trade Repository service, through locally registered, licensed, or approved trade repositories, processes more than 25 billion messages annually. To learn more, please visit us at or connect with us on LinkedIn, X, YouTube, Facebook and Instagram.

DTCC proudly supports Flexible Work Arrangements favoring openness and gives people freedom to do their jobs well, by encouraging diverse opinions and emphasizing teamwork. When you join our team, you'll have an opportunity to make meaningful contributions at a company that is recognized as a thought leader in both the financial services and technology industries. A DTCC career is more than a good way to earn a living. It's the chance to make a difference at a company that's truly one of a kind.

About the Team

Our Risk Management teams work to protect the safety and soundness of our systems and are responsible for identifying, managing, measuring and mitigating a spectrum of key risk types including credit, market, liquidity, systemic, operational and technology in all existing and new products, activities, processes and systems.
  • Dice Id: 90853261
  • Position Id: 212905_Coppell