Sacramento, CA
The Judge Group has partnered with one of the largest and most reputable Financial Services companies in CA and is currently seeking a Director of Information Security Risk Management. This is a permanent, direct hire role that includes great pay and full benefits. This is a hybrid remote position and candidate must live in Sacramento Area.
*** For immediate consideration, qualified candidates can send resumes directly to firstname.lastname@example.org ***
The Director, Information Security Risk Management is responsible for implementing and monitoring the Company's information security program, ensuring processes are effective in managing security risks in a manner that is consistent with strategic goals, organizational objectives, and risk appetite. This includes establishing and maintaining risk management programs to ensure that all company and member information assets and associated technology, applications, systems, infrastructure, and processes are protected in the digital ecosystem in which we operate. This role requires a strong, dynamic leader with sound knowledge of business management and deep knowledge of risk management, cybersecurity technologies, and security best practices. This role is responsible for maintaining the confidentiality, integrity, and availability of all Company data as well as ensuring compliance with all information security laws, regulations, policies and best practices. The Director, Information Security Risk Management will collaborate with various stakeholders and cross-functional teams to evaluate, recommend, and drive improvements to enterprise security practices and processes across the Company.
WHAT YOU WILL DO:
- Lead the second line information security function by providing leadership, innovation, governance, reporting and effective challenge necessary to identify, measure, mitigate, monitor and report on the Company's information security risk program in accordance with the established risk management framework.
- Continuously improve the Company's ability to identify, assess, prioritize and mitigate information security risks throughout the organization and create recommendations on how to integrate security controls as part of daily operations.
- Oversee risk identification activities and processes that continuously identify threats and vulnerabilities, including cybersecurity threats, to determine the Company's information security risk profile, including cybersecurity risk.
- Establish and maintain appropriate policies, standards and procedures to support the information security program.
- Monitor information security issues related to Company systems and workflows to ensure internal security controls are appropriately designed and operating as intended, ensuring risk mitigation activities support the information security program.
- Develop risk management tools, practices, and policies to analyze and report information security risks, and to manage risks according to an enterprise risk management framework.
- Design, implement and execute second line information security risk assessment processes. Perform independent review and challenge of the first line security assessments and remediation plans.
- Develop and maintain an information security risk management program, including a strategic roadmap for maturing the program that is aligned with the business to mitigate or lessen the impact of current and future security risks for the Company. Understand the dynamic threat landscape and strategically adjust and align the roadmap on an ongoing basis to ensure it addresses the changing security risk environment.
- Promote a culture of security by providing and maintaining effective information security and awareness training and ongoing security-related communications to all levels of the organization.
- Monitor and assess current technologies, systems, processes and procedures, current and proposed laws, regulations, and industry standards related to information security to ensure the Credit Union remains compliant.
- Work with outside consultants, as appropriate, for independent audits and assessments.
- Tactfully yet assertively challenge assumptions and perspectives on information security risk throughout the organization. Recommend improvements to policies, procedures, and practices to reduce costs, improve internal controls and/or drive efficiencies.
- Engage with senior leadership and provide detailed insights into areas of information security risk for the organization.
- Provide key inputs to risk oversight committees, including creating and updating risk management reports and presentations on the evaluation of information security program effectiveness, level and direction of risks, key and emerging risks, and status of previously identified risk and control issues.
- Develop standardized metrics and reporting to enable continuous monitoring against program goals. Identify and implement improvements which support the overall maturity and growth of the program. Prepare and deliver executive-level presentations.
- Coordinate and collaborate with line of business and support functions (e.g., Legal, Compliance, Fraud, Privacy, Physical Security, and Vendor Management, among others) to integrate the information security program across all areas of the credit union.
- Participate in and report on security incidents and events managed by the first line in accordance with the Incident Response policy to protect the credit union's information assets, including intellectual property, regulated data, and reputation.
- Foster a positive and engaging work environment where team members can grow in relevant knowledge and experience.
- Recruit and develop talent; manage an organization that keeps resources productively engaged in moving the business forward.
- Maintain current knowledge of security domain industry trends, best practices and techniques that can be practically applied at the Company. Partner with external agencies and peer companies to coordinate information exchange and leverage best practices for information security.
- Perform other duties as required to support the enterprise risk management program and the business, such as developing ad-hoc analysis, performing deep dive investigations, or driving specific risk initiatives.
- Maintain a thorough understanding of state and federal laws and regulations related to credit union compliance, including bank secrecy and anti-money laundering laws appropriate to the position.
WHAT YOU MUST HAVE:
- Bachelor's degree, preferably in Management Information Systems, Information Security, or an Information Technology/Computer Science field, or equivalent job experience.
- 10+ years of relevant experience in information security and risk management in a financial institution.
- 5+ years' direct supervisory experience. Experience developing and managing an information security risk management strategy and program is required.
- Knowledge of risk management governance models, methods, practices, and processes inclusive of risk identification, analysis, mitigation/control, communication, monitoring, reporting and escalation.
- Demonstrated knowledge of information security standards, rules and regulations related to information security and data confidentiality, and server, application, database, network security principles for risk identification and analysis.
- Experience in security policy development, security education, network testing, application vulnerability assessments, risk analysis, and compliance testing required.
- In-depth knowledge of information security technology. Proficient in network security design and architecture, capacity planning, end-point protection, patch-management, vulnerability management, penetration testing, intrusion detection, risk management, mobile device management, identity and access management, and data loss prevention. Experience in managing information security risks in a cloud-based environment.
- Strong knowledge of concepts and best practices including, but not limited to, security frameworks and guidelines established by the Federal Financial Institutions Examination Council (FFIEC), the National Institute of Standards and Technology (NIST), the International Information System Security Certification Consortium ((ISC)²), the International Organization for Standardization (ISO), and the Control Objectives for Information and Related Technologies (COBIT) established by the Information Systems Audit and Control Association (ISACA).
- Strong leadership skills and ability to organize and motivate others.
- Demonstrated experience with regulatory agencies, requirements, and/or regulatory compliance, including familiarity with GLBA and CCPA requirements.
- Ability to interface and build good working relationships with regulators/examiners.
- Strong network of contacts within the information security/information risk management community and the ability to represent the Credit Union.
- In-depth understanding of financial services and high degree of business acumen.
- Strong analytical, problem-solving and workflow analysis skills, including demonstrated ability to quickly synthesize information from various sources, identify key points and issues, and develop strategies for solutions.
- Ability to apply judgment around risk management and control frameworks and industry best practices and make sound risk/reward decisions using a balance of data, logic and intuition to inform critical business strategies and processes.
- Proven strong interpersonal and customer service skills; ability to negotiate, influence, and build collaborative, cross-organization relationships, even in difficult situations or where there are varying levels of experience with information security risks.
- Excellent communication (verbal, written and presentation) skills, including ability to convey complex situations and relationships concisely to management and executive level audiences, and/or non-technical stakeholders.
- Strong organizational skills, with a high degree of initiative and ability to self-start and self-prioritize assignments and make timely and effective decisions.
- Strong process facilitation, process management and improvement skills; ability to independently and effectively handle multiple priorities and deliver a quality result within tight deadlines.
- Information Security Certification preferred:
  - Certified Information Systems Security Professional (CISSP)
  - Certified Information Security Manager (CISM)
This job and many more are available through The Judge Group. Find us on the web at www.judge.com