VP - Cyber Security
New York, NY
The purpose of this position is to manage, support and coordinate all Information Security (IS) activities, programs and initiatives for the Bank.
The Information Security Officer (ISO) manages a major functional area of the Bank's Information Security Policy, Governance, Risk and Compliance. Among other responsibilities, the ISO oversees key functions including:
• Policies, Standards, Guidelines and Procedures
• Risk Assessments
• Third Party Risk Management
• Framework management and maintenance
• Incident Response planning and management
• Reporting material for the Office of the CISO Group
• Control monitoring and surveillance
• Regulatory Affairs / Audit Management
• Training and Awareness
• Develop and manage the IS Policies, Standards, Guidelines and Procedures in alignment with the standard framework and Headquarters requirements.
• Lead the development and implementation of effective and reasonable policies and practices to secure sensitive data and ensure security and compliance with contracts, regulatory requirements, and industry standards.
• Develop and manage the IS risk management strategy, framework, guidelines and approach for IDBNY's systems and infrastructure landscape.
• Integrate IS risk reporting and aggregate reporting into an Enterprise risk framework. Provide briefings to the CISO and report critical issues that may affect business or enterprise IS objectives.
• Develop strategies and action plans to drive control maturity improvement in areas where controls do not adequately mitigate risks.
• Partner with cyber architecture and engineering teams to develop risk mitigation strategies, solutions, and recommendations to reduce component, system, or enterprise security risk.
• Manage the third party IS risk assessment process to ensure risk transparency and business acceptance, contractual obligations and due diligence assessments, and enable risk-based decision making to support the Bank's Third Party Risk Program.
• Develop, assess, support and sustain IS frameworks such as ISO 27001, NIST 800-53, NIST Cybersecurity Framework, FFIEC CAT, NYDFS 500, etc.
• Manage the IS framework using a GRC platform such as ServiceNow or another equivalent platform.
• Manage the Bank's Incident Response Plan and serve as the plan's point of contact (POC).
• Work with other Bank departments to ensure their respective playbooks are properly developed and aligned with the Bank's Incident Response Plan.
• Act as the Bank's IS Incident Response Handler, responsible for responding to security incidents, threats and vulnerabilities through analysis of event logs, computer artifacts, and other data sources to contain and resolve incidents or events, provide recommendations for remediation and determine the root cause.
• Plan and conduct Incident Response Plan tabletop exercises on a periodic basis, with subsequent remediation planning, tracking and a completion roadmap in place.
• Develop, update and provide an effective reporting framework for the CISO on a frequent basis. The reporting may be used for the Board of Directors, Senior Management and/or other key stakeholders.
• Develop, document, and assess measures, metrics, and internal controls related to IS/Cyber security assessments and acceptance.
• Support the CISO in establishing annual and long-term goals, defining risk and governance strategies, metrics, and reporting mechanisms.
• As part of the second line of defense, evaluate, validate and perform tests of controls, with subsequent remediation planning and tracking in place.
• Perform and support day-to-day IS security monitoring using SIEM, DLP, endpoint solutions, IDS/IPS, malware detection, etc.
• In conjunction with Legal, identify information security management laws and regulations and implement actions to ensure compliance.
• Recommend strategies to ensure a common approach towards regulatory authorities and achieve internal efficiency.
• Ensure a comprehensive understanding of existing requirements and ongoing monitoring of new regulatory requirements.
• Identify global IS/Cyber security regulatory, legislative, and industry-specific compliance requirements and their applicability to each line of business.
• Coordinate and track all information technology and security related audits, including scope of audits, business units involved, timelines, and outcomes. Liaise with Internal Audit, maintaining excellent relationships and providing transparency.
• Provide guidance, evaluation and advocacy on audit responses.
• Develop and maintain a strategy for managing IS related audits from planning to remediation and sustainability thereafter. This may include, but is not limited to, internal/external audits, penetration tests, third party assessments, regulatory examinations, compliance checks for Sarbanes-Oxley (SOX) / Gramm-Leach-Bliley Act (GLBA) / NYDFS 500, and other applicable industry standards.
• Develop, update and ensure completion of IS training and awareness initiatives throughout the Bank on a periodic basis. In addition, ensure the respective reporting and tracking metrics are in place.
• Evaluate and recommend security products, services, and/or procedures to enhance productivity and effectiveness.
• Manage specified IS related projects from inception to completion.
• Bachelor's degree in Computer Science or a related discipline, or equivalent work experience
• Minimum 8 years in Information Technology, with 3 years of relevant Information and Cybersecurity experience
• One of the following information security certifications preferred: CISSP, CISM, CISA or equivalent (Note: if not certified, willing to obtain the CISO-approved IS/Cyber certification(s) in the first year of employment)
• Strong knowledge of Information Security concepts including, but not limited to, Audit Reviews, Risk Assessment, Awareness & Training, Identity & Access Management, Data Protection, Secure SDLC, Incident Management, Vulnerability Assessment, Third Party IS Assessment, Secure Configurations, Patch Management, etc.
• Thorough understanding of fundamental security and network concepts (operating systems, intrusion detection, TCP/IP, ports, etc.)
• Strong knowledge of Information Security related frameworks and US regulations such as ISO 27001, NIST 800-53, NIST Cybersecurity Framework, COBIT, FFIEC CAT, GLBA, SOX, NYDFS 500, etc.
• At least 1-2 years implementing/using a GRC platform such as ServiceNow or another equivalent platform
• Hands-on troubleshooting, analysis, and technical expertise to resolve incidents and service requests; previous experience troubleshooting day-to-day operational processes such as security monitoring, data correlation, security operations, etc.
• Competence in using both internal and external ticketing systems for ITIL-based incident, problem and change management
• Employ influencing skills to obtain buy-in and participation from various groups and stakeholders without direct control
• Build and maintain collaborative relationships with partners, clients and peers
• Ability to communicate effectively at different levels of the organization, and with various technical and business audiences
• Excellent problem-solving abilities and analytical skills; ability to see the big picture with high attention to critical details
• Results-oriented, able to achieve desired outcomes independently and at appropriate priority levels
• Highly motivated, energetic, detail-oriented, with the ability to multitask effectively
• Ability to complete projects and perform daily tasks with minimal supervision
• Excellent oral, written, and presentation skills
• Ability to set and meet deadlines
• Strong interpersonal skills