Information Security Risk Director, Risk, Dallas, Texas
Summary of Responsibilities:
- The Vice President of Information Risk is responsible for leading and managing the Information Risk Management Program. Reporting to the SVP of Operational Risk, the incumbent shall employ sufficient measures to comprehensively identify, assess, mitigate, manage, monitor and report information security risk and protect the information assets of the institution. The VP shall work with business functions, corporate areas and clients and partners to implement and maintain practices in line with SC defined policies and standards for information risk and security, reflective of corporate, regulatory and industry best practices.
- Develop and maintain the SC Information Risk Management Policy
- Oversee the creation, management, and development of information security standards, procedures, and guidelines in line with the Information Risk Management Policy
- Establish and maintain procedures to ensure information is protected in compliance with information risk management standards and applicable laws
- Oversee the execution of information risk assessments
- Provide input into the corporate information and technology risk strategy and tactical execution thereof
- Collaborate with stakeholders (e.g., IT, Legal, Audit, HR, and Risk Management) to help develop a consistent process for identifying, developing, and implementing controls to address information security risks
- Escalate policy exceptions and risk tolerance breaches in a timely manner
- Manage the implementation of an Information Risk Management Program and related risk analytical activities for SC that is consistent with applicable regulatory requirements
- Execute information risk assessments and implement risk assessment framework for 1st line of defense
- Continue to build capabilities (technical and soft skills) in IRM to support the Operational Risk Management Framework
- Direct the development and execution of 2nd line of defense project plans for SC.
- Report and monitor conformance and delivery against program objectives, making adjustments and recommendations, where justified
- Oversee the development of key risk indicators, key performance indicators and risk tolerances
- Monitor risk acceptances, risk tolerance breaches and significant control gaps. Escalate pertinent findings in a timely manner.
- When appropriate, develop programs to meet regulatory standards and monitor and report conformance and delivery against project plans, making adjustments and recommendations, where justified
- Facilitate the completion of effective regulatory examinations and audit reviews of information risks, when required
- Communicate updates and ensure leadership and management behaviors support the many change initiatives
- Collaborate with peers and support direct reports in exercising opportunities to credibly challenge risk assessments and mitigation plans
- Build and maintain high-performance teams within the risk organization with the capabilities for risk identification, assessment, measurement, mitigation, aggregation and reporting
- Perform other duties and special projects as assigned
- May assist in other related departments as required by business needs.
- BS or BA degree in computer science or related field
- Minimum five (5) years' management experience, preferably in a senior leadership role.
- Specific experience in assessing and measuring information risk and developing contingency plans for IT breaches
- Minimum ten (10) years of experience in information risk management or a related field for large, complex global financial organizations, including experience dealing with U.S. regulatory agencies.
- Demonstrated expertise in operational practices related to information risk and proficiency with US regulatory requirements for these programs
- Extensive experience with regulatory bodies, particularly the Federal Reserve Board and Federal Reserve Banks, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau
- Proficient with regulatory standards, requirements, and best practices pertaining to information risk
- Demonstrated capabilities in implementing enterprise information security programs and familiarity with Federal Financial Institutions Examination Council standards for such programs
- Broad understanding and knowledge of industry best practices and regulatory expectations for operational risk management
- Excellent oral and written communication skills to influence peers and Business Units and interact effectively with senior management and regulators
- Proficient at managing disparate stakeholders with differing interests, including strong negotiation skills; ability to influence beyond immediate teams in order to fully implement the information risk management program
- Must be able to multi-task, prioritize activities, manage conflicts, delegate and meet deadlines while working in a fast-paced environment
- Demonstrated skill at building, leading and managing high-performance teams
- Sound understanding of the automated tools and methodologies used to develop and implement programs and to measure and quantify information risk
- Demonstrated executive presence and judgment to effectively interact with regulatory bodies
- Capability to sponsor, direct and deliver improvements and corrective action programs.
Preferences:
- Master’s degree in computer science or a related field preferred
- Certifications in one or more information security/control disciplines strongly preferred, including: CISSP, CISM, CISA
- Extended working hours may be required by management and business needs.
- Travel to multiple facilities may be required.
Employer's Rights: This job description does not list all the duties of the job. You may be asked by your supervisors or managers to perform other duties. You will be evaluated in part based upon your performance of the tasks listed in this job description. The employer has the right to revise this job description at any time. This job description is not a contract for employment, and either you or the employer may terminate employment at any time, for any reason.