VP, IT Risk Management & Compliance
About the Opportunity
The VP Security Risk Management is responsible for establishing and maintaining Epsilon’s overall IT security risk management program, which is designed to ensure that the company’s IT systems and information assets are adequately protected. The individual in this position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets Epsilon’s regulatory and other compliance requirements. The VP works proactively with the various clients, business units and other internal departments and organizations to implement practices that meet Epsilon’s defined policies and standards for information risk management.
The VP Security Risk Management is the “process owner” for all of Epsilon’s IT-related security risk assessment and identification activities, for the company’s IT systems and information assets and for its IT-dependent strategic business objectives. A crucial element of the risk VP’s role is working with senior executives, line-of-business leadership and other key decision makers to determine acceptable levels of residual risk for the company as a whole and for various internal departments and organizations.
The ideal candidate for this position is a proven thought leader, problem solver and integrator of people and processes, as well as an effective internal consultant. The person must also possess solid domain competencies in a number of IT-risk-related disciplines, including security, business continuity management, privacy and compliance.
While some companies’ IT risk management activities focus largely on technical solutions, effective risk management requires a more comprehensive and performance-based approach that aligns levels of protection with business needs. For this reason, the VP, IT Risk Management must be much more than simply a technology and controls expert; the VP must also possess significant management and communications skills and extensive business knowledge. Candidates must have previously implemented a security risk management program that clearly demonstrates the organization’s ability to track, prioritize, remediate, and report on risks (whether generated from internal/external audits, technical issues, etc.) to the organization.
Duties & Responsibilities
- Manage all the security risk-related activities of Epsilon’s IT organization, including budgeting, planning, testing, reporting, and recommending appropriate remediation measures.
- Manage oversight and monitoring of risk mitigation and coordination of internal and external audits, customer-related audits, third-party audits, and Compliance/Infosec controls, to ensure that other departments are taking effective remediation steps
- Benchmark the risk management practices of other companies — particularly those in related industries or with similar business models — maintain an up-to-date understanding of industry best practices, and monitor the legal and regulatory environment for developments that could require changes to Epsilon’s established IT policies and practices
- Create, disseminate, and (as required) update documentation of Epsilon’s matrix of identified IT risks and controls
- Work directly with the business units and other internal departments and organizations to facilitate IT risk analysis and risk management processes, identify acceptable levels of residual risk, and establish roles and responsibilities related to information classification and protection
- Coordinate information security and risk management projects with personnel from the IT organization, lines of business, and other internal departments and organizations
- Review risk assessments, analyze the effectiveness of Epsilon’s IT control activities and report on them — with actionable recommendations — to the CISO, the CIO, and applicable Lines of Business executive leadership
- Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken
- Provide monthly/quarterly/annual risk management metrics for individual Lines of Business, IT, and the overall company
- Reports directly to Epsilon’s Chief Information Security Officer (CISO) on IT-related risk management activities
- Tracks and reports risk management trends, opportunities, and remediation quarterly
- Works closely with the CIO and the security, compliance, business continuity management and privacy organizations to develop and implement effective IT risk management practices
- Makes recommendations for the CISO, appropriate risk governance committees, line-of-business leadership and the board of directors concerning IT-risk-related controls
- Acts as risk management liaison with all levels of the IT organization and with the lines of business and other internal departments and organizations
- Supervises direct reports, as well as the IT-risk-management-related activities of indirect reports and others
- In-depth knowledge of a broad range of standards and frameworks — for example, International Standards Organization (ISO) 27001, IT Infrastructure Library and ISO 20000, Capability Maturity Model Integration and Six Sigma
- Certified Information Security Auditor, Certified Information Security Manager, Certified Information Systems Security Professional, or equivalent certification is beneficial
- 7-10 years of experience in large, complex IT risk management or a related discipline
- Proven track record for documenting, tracking, reporting, and closing identified risks within the environment
- Knowledge of common risk management methodologies — for example, Control Objectives for Information and Related Technology and Committee of Sponsoring Organizations Enterprise Risk Management
Conditions of Employment
All job offers are contingent upon successful completion of certain background checks which unless prohibited by applicable law may include criminal history checks, employment verification, education verification, drug screens, credit checks, DMV checks (for driving positions only) and fingerprinting.
Great People Deserve Great Benefits
We know that we have some of the brightest and most talented associates in the world, and we believe in rewarding them accordingly. If you work here, expect competitive pay, comprehensive health coverage, and endless opportunities to advance your career. From tuition reimbursement to scholarship programs to employee stock purchase plans and 401(k)s, we offer associates a variety of benefits that work as hard for them as they work for us.
Epsilon is a global leader in creating connections between people and brands. An all-encompassing global marketing company, we harness the power of rich data, groundbreaking technologies, engaging creative and transformative ideas to get the results our clients require. Recognized by Ad Age as the #1 Largest World CRM/Direct Marketing Network, #1 Largest U.S. Agency from All Disciplines and #1 Largest U.S. Mobile Marketing Agency, Epsilon employs over 7,000 associates in 70 offices worldwide. Epsilon is an Alliance Data company. For more information, visit http://www.epsilon.com/, follow us on Twitter @EpsilonMktg or call 1.800.309.0505.
Alliance Data provides equal employment opportunities without regard to race, color, religion, gender, age, national origin, disability, sexual orientation, gender identity, veteran status or any other characteristic protected by law.
Alliance Data participates in E-Verify
For San Francisco Bay Area:
Alliance Data will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of San Francisco Police Code Sections 4901 – 4919, commonly referred to as the San Francisco Fair Chance Ordinance.