Our client is hiring a Director, Cybersecurity and Risk Management. This role resides in the Technology department of a dynamic alternative investment management firm. The Director, Cybersecurity and Risk Management will be responsible for the firm's cybersecurity program as well as the technology risk and IT controls functions. The ideal candidate has significant experience across security disciplines, both technical and non-technical, and has a deep understanding and appreciation for how to thrive in a highly regulated public company. This role reports to the Chief Technology Officer.
This is a leadership role. This person will manage a nimble team of cybersecurity engineers and analysts as well as a team of governance, risk and controls specialists. We are looking for a leader who wants to operate as a player/coach. When needed, this person is expected to be hands-on in investigations and, where necessary, in remediating issues and participating in, often leading, the design and implementation of new security solutions.
Our client has adopted a cloud-first strategy. Over 90% of our infrastructure resides in Azure and AWS. We are progressive in our embrace of new technology and are looking for team members who enjoy being on the cutting edge. The firm's investment in our NIST-based security program is fierce. Our administrative controls are comprehensive, which is a requirement for a highly regulated firm such as ours. Our technical security controls are numerous and include what you would expect (firewalls, intrusion prevention, SIEM, vulnerability management, etc.). While the cybersecurity program is mature, we are looking for an innovator: someone interested in challenging what we do and why we do it, a leader who wants to take us forward.
This role and this team will focus on security and governance of our people, our systems and data, and our facilities. You will be responsible for the development, execution, and governance of security programs around disaster recovery, business continuity, configuration management, security policies and standards, technical security, and the assessment of the firm's critical vendors. We are looking for someone with a passion for service resiliency and governance through the application of progressive technology, and with a deep appreciation for the foundation of a good security program: our people and processes.
Specific responsibilities include:
Ownership of the firm's information security policies, procedures, standards, and guidelines.
Accountable for the ongoing development, application, and maintenance of a cyber risk framework, qualitative and quantitative-based models, and risk quantification tools & techniques.
Leading the firm's vendor risk program.
Oversight and accountability for the firm's disaster recovery and business continuity program, including driving our annual disaster recovery and business continuity simulations.
Oversight of third-party risk assessments and scheduled and ad-hoc internal risk assessments.
Shared accountability for the technology change management program.
Driver of the firm's incident response program.
Accountable for the cybersecurity risk posture of the enterprise with a focus on privacy, policy management, third-party vendor risk management, and data protection and governance.
EDUCATION, SKILLS AND EXPERIENCE REQUIREMENTS
The ideal experience and critical competencies for the role include the following:
Bachelor's degree or equivalent relevant experience.
6 years' experience in areas of IT and security governance, risk management, and/or compliance; a minimum of 2 years of security leadership experience.
Experience with audit programs, including SOC1, SOC2 and SOX.
Experience owning a disaster recovery and business continuity program.
Experience writing security policies and procedures, system requirements, and other technical documents.
Ability to apply network security architecture concepts including topology, protocols, components, and principles governing both on-premises and public cloud infrastructures.
Familiarity with the zero-trust security model.
Experience owning vendor risk management programs and processes.
Knowledge of and experience with various IT governance and control frameworks and standards such as NIST CSF and CIS Controls, and security regulations/directives including GDPR, CSA, CCPA, etc.
Ability to influence without authority, and to work with and through others to achieve desired results, demonstrating strong leadership skills.
Ability to work independently and multi-functionally to drive organizational change required to efficiently meet strategic and tactical goals.
Demonstrates analytical skills to gain insights, technical proficiency to deliver right-fit solutions, and stellar communications skills to present findings, discovery, and recommendations in a logical and easily understandable manner.
Demonstrated team player, self-starter, and independent thinker.
Ability to articulate thoughts in a clear and concise manner to both business users and IT staff through written correspondence, presentations and/or meetings.
Related certifications such as CISM, CISSP, CRISC, CGEIT are a plus.
Global experience is a plus.