Director Cyber Risk Assurance Posted Sep 16
Request Technology - Craig Johnson , San Francisco, CA
 
Prestigious Enterprise Company is currently seeking a Director of Cyber Risk Assurance. Candidate will be responsible for leading the assurance of information security, appropriate use, and technology continuity risk management completeness and effectiveness.

RESPONSIBILITIES:

Define, design, build, staff, and deliver to customers and stakeholders the services needed to obtain and maintain confidence that the company's and business partners' cyber risk management capabilities are appropriate, effective, and adhere to business needs, regulations and customer contracts. Support internal and external audits of IT; test the effectiveness of threat management, technology continuity, and facility continuity capabilities through risk event simulations; support the company's sales processes; and evaluate the cyber risk management capabilities and risk appetite of potential partners.

Build and lead a team of senior cyber risk assurance experts to develop and maintain an innovative principles-based risk control framework/requirement catalog for the organization (framework must be built from scratch, not a modification of NIST CF, HITRUST CSF, ISO 270XX, or similar), harmonize and map requirements from current and future laws, regulations, customer contracts, and business mandates, and plan, scope and conduct formal control monitoring and validation engagements with varying levels of assurance.

Build and lead a team of senior cyber risk assurance experts to develop and maintain an innovative cyber risk control framework for the organization's business partners (framework must be built from scratch, not a modification of BITS SIG, NIST CF, HITRUST CSF, ISO 270XX, or similar), harmonize and map requirements from current and future laws, regulations, customer contracts, and business mandates, evaluate cyber risk management capabilities of potential business partners, develop and negotiate appropriate business agreement language, and plan, scope and conduct formal monitoring and validation of business partner cyber risk management capabilities with varying levels of assurance.

Build and lead a team of experienced assurance process automation solution designers and developers to envision, design, build, and implement solutions to automate internally focused and third party assurance engagements by leveraging leading continuous control monitoring and risk quantification/reporting technologies.

Build and lead a team of industry-recognized ethical hackers to envision, plan and execute live simulations of attacks by sophisticated threat actors in order to test and measure the effectiveness of security risk controls and threat management capabilities.

Collaborate closely with the leader of the Cyber Risk Solutions organization to form and lead a team of senior technology DR/continuity experts to plan and execute live simulations of technology continuity risk events in order to test and measure the company's ability to restore appropriate functionality of technology solutions in accordance with business requirements.

Collaborate closely with the leader of the Cyber Risk Solutions organization to form and lead a team of physical facility continuity experts to plan and execute live simulations of facility continuity risk events in order to test and measure the company's ability to restore business processes to the appropriate level of functionality in accordance with business requirements.

Build and lead a team of security marketing specialists and assurance analysts to create and maintain a standard audit response database; coordinate internal and external (regulators, customers, etc.) audits of the IT organization; respond to auditor requests for information and control testing; develop management responses to audit findings; track and report audit finding resolution; create and maintain a standard RFP response database; respond to RFPs from current and prospective customers; coordinate the availability of cyber risk management SMEs to participate in customer visits; and address ad-hoc inquiries from customers on cyber risk management topics.

Build and lead a team of senior security assurance experts to participate in merger and acquisition due diligence projects and formally compare the risk appetite and cyber risk management capabilities of potential merger targets to those of the company.

Establish and sustain strong working relationships with the organization's customers and stakeholders.

Partnering closely with the HR team, hire, mentor, coach, train and manage the performance of the organization's leaders and individual contributors.

Develop and continuously evolve the organization's processes/methodologies, structure, culture, skills/experience, process support tools, knowledge resources, and other components.

Design and execute all of the organization's repeatable activities as mature (equivalent to CMMI maturity Level 3) processes.

Establish and maintain strong working relationships with industry peers and other external stakeholders including federal/local law enforcement agencies, industry organizations/consortia.

Communicate the status and accomplishments of the organization's operational activities and projects to the company's executive leaders, peers in the IT organization, customers and stakeholders.

Partnering closely with the procurement and legal teams, identify, select and actively manage the organization's suppliers, service providers and business partners.

Partnering closely with the Compliance and Audit teams, ensure adherence to all applicable legal, regulatory and contractual requirements in all activities of the organization.

Manage the organization's operating and project budgets and ensure executive leadership's support for appropriate funding levels.

Instill and promote a strong results-oriented culture centered on business value creation, collaboration, commitment, merit-based recognition, personal development and external benchmarking.

Promote the company's image as a leader in setting strategy and developing services and capabilities as compared to competitors and peers in other industries.

Share leading practices and lessons learned in managing customer engagements, delivering services, and operating solutions with industry peers, other industries, professional consortia, and relevant government organizations.

QUALIFICATIONS

Extensive senior leadership experience in information security or another cross-functional IT discipline (e.g. IT architecture) in very large enterprise organizations.

Exceptional written, visual and verbal communication skills and experience communicating effectively with executive business leaders and external customers.

Proven track record of identifying, hiring and retaining the top talent in cyber security, survivable system engineering, and IT risk management resource markets.

Industry-recognized experience in designing and building from scratch innovative risk control frameworks that overcome the limitations of prevailing checklist-based approaches to risk control evaluation and monitoring.

Exceptional sales and marketing skills applied in pre-sales and post-sales interactions with Fortune 100-scale organizations.

Experience in staffing, mentoring, coaching, and managing leadership teams consisting of multiple directors and senior managers.

Minimum 3 years of experience in working at a Big Four or equivalent advisory organization in support of multinational enterprises across several industries.

Demonstrated track record of successfully developing and maturing cyber risk organizations with the emphasis on delivering results.

Deep understanding of and prior hands-on experience in all major information security, appropriate use, and survivable system engineering functions and activities including policy setting, vulnerability/risk research, security/availability architecture, system security/survivability engineering, incident response, cyber risk operations, cyber risk audit/compliance.

Track record of successfully executing profound organizational changes while maintaining support, buy-in and commitment from all stakeholders.

Complete architecture-level understanding of all major information security and appropriate use enforcement technology solutions including advanced malware detection/prevention, mobile device virtualization/MDM, cloud security management, structured and unstructured database encryption, mobile application and remote API security, fine-grained application authorization and access control, security event visualization, big data user and entity behavior analytics, active adversary deception, and others.

Deep understanding of all applicable regulatory standards and requirements, including HIPAA, NAIC ORSA, FISMA, NAIC MAR, and others, and experience in interpreting the requirements in the context of different industries.

Demonstrated ability to influence business leadership and cross-functional teams.

Proven track record of managing all aspects (scope, budget, schedule, quality) of cross-functional large-scale IT/business projects in Fortune 100-scale global environments.

Externally recognized information security and IT risk management industry thought leadership and innovation accomplishments.

Strong skills and experience in designing and documenting complex processes, and identifying and eliminating deficiencies in existing process designs.

Understanding of contemporary security vulnerabilities, exploitation techniques and attack vectors.

Demonstrated ability to establish and maintain strong working relationships with external customers, suppliers, business partners, and industry peers.

CISM or CISSP is strongly preferred.

Employment Type: Permanent
Work Hours: Full Time
Other Pay Info: Open + Bonus

TO APPLY
Click here to apply - Please mention that you saw the job on About Leaders