
Information Security Risk Manager


Description

The Information Security Risk Manager (ISRM) position requires a seasoned risk professional with strong knowledge of risk management, control testing and assurance, cybersecurity, and information technology best practices. This role involves managing, guiding, and training a team to oversee IT and information security risk and controls assurance efforts. The ISRM is responsible for assisting in the design, implementation, monitoring, testing, reporting, and governance of the second line information security risk management framework and for managing a team to ensure information assets and associated technology, applications, systems, infrastructure, and processes are protected. Strong leadership skills, a deep understanding of information security risks, and the ability to effectively communicate and implement risk management strategies are required.

To be effective, an individual must be able to perform each job duty successfully.

  • Assist the VP Information Security Officer (VP ISO) in monitoring and continuous improvement of a risk-based comprehensive enterprise security program across all IT and cyber-security risk domains including cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, cyber incident management, and resilience.
  • Direct team members in the design and performance of quarterly IT risk assessments and testing of controls across all IT and cyber-security risk domains to ensure that appropriate controls are in place, are effective, and any findings are reported.
  • Train 2nd line Information Security Risk team members in testing strategies and documentation of IT and information security controls assessments.
  • Direct team in monthly reporting of reportable incidents, risk assessments, metrics / KRIs, and control validation results.
  • Manage team in quality assurance (QA) reviews and intake of IT and information security:
    • Issues for the Issues Management program
    • Exceptions for the Exceptions Management program
  • Review and provide guidance on 1st line IT and information security metrics/KRIs, policies, procedures, standards, and controls.
  • Lead team in managing and coordinating 3rd party assessments, including regular penetration testing and social engineering testing.
  • Assist in build-out of Archer GRC information security solutions to improve efficiency and effectiveness of governance, risk, and control activities. Ensure control procedures are accurately documented, maintained, and mapped to control standards (e.g., NIST SP800-171, NIST CSF, etc.).
  • Review and provide guidance on 1st line IT Security handling and reporting of security incidents. Coordinate reporting to NCUA and other entities as required for reportable incidents.
  • Guide 2nd line Information Security Risk team in assisting MACU business units to prepare for regulatory exams (e.g., NCUA, CFPB, etc.) and improve the organization's risk posture.
  • Develop relationships and partner with business stakeholders across the company, including IT, IT Security, Digital Solutions, Risk, and Compliance, to influence decision makers and raise awareness of risk management concerns.
  • Provide training in risk identification and risk mitigation strategies in the information security and technology domains.
  • Balance the protection of information assets and IT risks with the needs of the business and organizational priorities.
  • Use AI and develop AI prompts to automate and improve manual tasks.
  • Perform other duties as assigned.

KNOWLEDGE, SKILLS, and ABILITIES

The requirements listed are representative of the knowledge, skills, and/or abilities required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential job functions.

Experience

  • 6+ years of relevant experience in information security and risk management
  • 3+ years of designing test of controls (test of design and test of effectiveness), training teams on documenting testing, QA reviewing (attention to detail and accuracy), summarizing results, and presenting to executives – IT audit experience is a plus
  • 2+ years in a direct leadership capacity overseeing IT security, IT audit, or IT risk (or similar role)
  • Working knowledge of cloud security, platforms, and services, including understanding of current security offerings from leading cloud service providers (e.g., AWS/Azure), and their applicability to securing a SaaS enterprise security environment
  • Experience in the evaluation and assessment of industry standard enterprise-wide information security technologies and concepts, including but not limited to: Application Security, Cloud Security (Azure, AWS, etc.), Data Loss Prevention, Security Event Management, GRC Tools, Threat and Vulnerability Management and Identity and Access Management.
  • Clear understanding of relevant information security governance, technical and security standards and regulations
  • Familiarity with industry and regulatory security standards including FFIEC, NIST CSF / 800-53 / 800-171, SOC 2, ISO 27001 and ISO 27018 as well as current data privacy regulations, including GDPR and regional standards.
  • Knowledge of networking and network security.
  • Understanding of Secure SDLC and DevSecOps or security automation

Education

Bachelor’s degree in Information Security, Computer Science, Information Management, Business or related field OR 2 additional years combined experience in information technology, risk or information security setting. Education must be from an accredited institution and will be verified.

Licenses, Certifications, Registrations

At least one of the following certifications:

  • CISSP
  • CISM
  • CISA or equivalent preferred

Managerial Responsibility

Has leadership/managerial responsibilities that are direct or through work leaders or assistants, typically with a subordinate group of 3 to 10 employees. Estimates personnel needs and assigns work to meet these needs. Supervises, coordinates and reviews the work of assigned staff. Recommends candidates for employment, conducts performance evaluations and salary reviews for assigned staff, and applies company policy.

Computer/Office Equipment Skills

  • Advanced skills with Microsoft Office Suite including Outlook, Word, PowerPoint, and Excel, including use of advanced formulas, graphs, charts

Language Skills

  • Demonstrated ability to clearly communicate verbally and in writing. Excellent report writing and QA / detail review skills for an executive audience.
  • Demonstrated ability to read and follow instructions.

Other Skills and Abilities

  • Demonstrated excellent customer service skills.
  • Proactively solves problems, actively improves processes, and creates efficiencies.
  • Professional, exercises personal discretion and independent judgement.
  • Adaptive to change, responds positively to altered circumstances or conditions.
  • Excellent interpersonal skills, including the ability to lead and collaborate with multiple teams.
  • Possess a desire and willingness to learn and continually update knowledge of financial concepts, strategies, systems etc.
  • Excellent at team building and motivating people. Skilled at accomplishing goals through others. Proficient at being a teacher, mentor and coach.
  • Strong collaborative problem-solving skills that demonstrate the ability to gather and analyze information and to identify and resolve issues or improve processes in a timely manner.

PHYSICAL ABILITIES / WORKING CONDITIONS

Physical Demands

Ability to sit, talk and hear consistently

Ability to stand, walk, and use hands to handle or reach occasionally

Vision Requirements

Close vision (clear vision at 20 inches or less)

Distance vision (clear vision at 20 feet or more)

Weight Lifted or Force Exerted

Ability to lift up to 25 pounds occasionally; may need to lift up to 40 pounds.

Environmental

There are no unusual environmental factors (typical office environment).

Noise Environment

Moderate noise (business office with computers and printers, light traffic)

This job is not eligible to be performed in Colorado or Connecticut, either remotely or in person.
