Manager I, Technical Risk (Information Security Program Risk Assessment Manager)

Overview

Responsible for overseeing and managing the Information Security Program Risk Assessment. The Information Security Program Risk Assessment encompasses analyzing the environment for potential threats and vulnerabilities that, if not mitigated, may pose a risk to the confidentiality of NFCU member data. The incumbent will be responsible for assisting in the development of the assessment strategy, the management, and overall execution of this second-line of defense risk management and governance activity. This role will collaborate with NFCU business unit Sr. leaders across the enterprise to identify, mitigate and manage information security risks. The incumbent will be expected to leverage their extensive industry and real-world experience to manage information security governance and risk management activities, developing pragmatic solutions to address gaps in line with established risk appetites. Ensure information security governance and risk management activities align with strategic business initiatives, achieve business and quality objectives, mitigate risk and enhance operating procedures. Develop dashboards, metrics and reporting data to provide consultative guidance during monthly and quarterly governance committees. Promote operational efficiency and service excellence through appropriate risk controls, process improvements and training while reducing and mitigating financial losses.

Responsibilities

• Leading a team of Information Security Risk Analysts through the planning and execution of the Information Security Program Risk Assessment
• Managing the development and leading comprehensive Information Security Program Maturity Assessment and Risk Assessment initiatives in line with the enterprise goals and regulatory expectations
• Responsible for ensuring the effective identification, mitigation and management of information security risks arising from business activities. In addition, provide guidance and advice to senior management on the status of their control environment related to standards compliance, risk identification and control issues. Identify critical areas to monitor and escalate issues and findings to appropriate stakeholders and governance committees
• Leverage effective oral and written communication skills to ensure the effective articulation and implications of risks and issues related to data management and protection to sponsors and risk owners and, if necessary, oversee security exceptions or issue management
• Ensure the team translates control deficiencies into action plans and provide recommendations to enhance governance practices in alignment with risk and compliance frameworks
• Participate in Security-related special projects, councils, working groups, etc. as a Risk SME
• Other duties as assigned

• Bachelor's degree in Information Technology, Computer Science, Cybersecurity, or related field required
• 10+ years hands on experience leading and performing information security program risk assessments, program level maturity assessments and cyber security technical assessments
• 10+ year's experience in Cyber Security Governance, IT Governance, and Compliance leadership roles
• 10+ years of demonstrated leadership and team management experience of teams of risk professionals
• Extensive hands on experience applying risk management frameworks in financial services organizations (e.g., NIST Cybersecurity Framework / 800.53)
• Extensive hands-on experience presenting, creating materials for, and participating in Information Security / IT financial institution regulatory examinations (NCUA, or Federal Reserve, or OCC)
• Extensive hands-on experience applying FFIEC IT Handbook guidance, focused on the Information Security and IT Management booklet
• Broad knowledge of information security technologies (e.g., firewalls, intrusion detection systems, encryption, identity and access management)
• Excellent problem-solving, analytical, and decision-making skills
• Excellent communication skills with the ability to present complex technical information to non-technical stakeholders
• Broad knowledge of Risk management
• Broad knowledge of Cybersecurity risk
• Ability to guide, influence and persuade others, primarily internally

• Graduate education in Business, Cyber/Information Security Risk, Information Systems, Computer Science, Engineering, Quantitative discipline, or related field desired
• Professional Certifications include, but not limited to CISA, CISSP, CISM, CRISC, etc.