Job Description

The Information Security Manager (ISM) Governance, Risk & Controls Analyst will focus on recently acquired technology to identify applicable control requirements to protect and enable the business, assess control compliance and risk exposure, and manage risk exposure through prioritized risk treatment and remediation programs.

The candidate will also be expected to influence effective risk & control management practices, provide governance and support to technology businesses through risk consultancy, identification of control weaknesses and recommendations for improvement opportunities, as well as providing training and reporting of risk issues.

This includes:

* Understand the firms Cybersecurity and Technology Controls (CTC) control framework, as well as the framework and evaluation results of legacy policies, standards and controls.
* Interpret corporate policies and regulatory requirements, inform technology teams on their applicable control requirements and advise on target state solutions to meet those control requirements
* Analyze existing control evaluation results and execution of control evaluations to determine weaknesses in control design and/or effectiveness.
* Consider impacting risk factors including compensating controls, impact and likelihood to determine severity of identified weaknesses.
* Work with other ISMs, Heads of Technology (HoTs), Chief Technology Officers (CTOs) and their management teams to efficiently identify remediation actions, where necessary.
* Influence and Drive control and supporting CTC product adoption within the organization for risk identification, treatment and control assessments and assurance.
* Socialize change, model pro formas, and cascade communications within the organization
* Liaise and oversee the delivery of services performed by CTC product teams
* Design controls in partnership with the technology teams, including how to continuously measure its operating effectiveness, providing control implementation support and control validation
* Develop and maintain strong business and technology relationships, becoming a trusted partner to these groups
* Identify requirements needed for uplift, and identify critical challenges to achieving end-state operating model
* Interface with Business Control Managers teams to ensure technology risk impacting the business is effectively tracked and communicated

Required Qualifications

This role requires a wide variety of strengths and capabilities, including:

* 7+ years of experience in risk, controls and/or audit role with solid understanding of technology.
* Highly motivated team player with excellent analytical, written and verbal communication skills.
* Ability to quickly analyze and understand technology policies, standards and procedures and identify areas of overlap and discrepancies across various control frameworks
* Ability to apply various control frameworks (PCI, COBIT, ITIL, ISO, SOC, etc.) in practice.
* Strong communication skills with ability to translate technical and non-technical jargon to commonly understood terminology.
* Professional presence with ability to articulate technical risks in terms of business impact.
* Ability to collaborate with high-performing teams and individuals throughout the firm to accomplish common goals.
* Proven comfort working across large complex environments in virtual settings with ability to quickly acclimate.
* Ability to understand CTC vision and strategy and translate into clear actionable goals, establish priorities and achieve measurable results.
* Proficiency in information security domains, including policies and standards, risk and control assessments, access controls, regulatory compliance, technology resiliency, risk and control governance and metrics, incident management, secure systems development lifecycle, vulnerability management and data protection
* Strong influencing skills, comfortable executing against recommendations and plans by overcoming barriers and resistance