Risk Management - Director - Information Security and Third-Party Risk Mgmt

Golden 1 Talent Acquisition Team
Sacramento, CA Full Time
POSTED ON 12/14/2024
AVAILABLE BEFORE 2/12/2025
TITLE: DIRECTOR - INFORMATION SECURITY AND THIRD-PARTY RISK MGMT
STATUS: EXEMPT
REPORTS TO: VP - ENTERPRISE RISK OFFICER
DEPARTMENT: RISK MANAGEMENT
JOB CODE: 11641
PAY RANGE: $170,300.00 - $190,000.00 ANNUALLY

GENERAL DESCRIPTION:

The Director, Information Security and Third-Party Risk Management is responsible for implementing and monitoring Golden 1's information security and third-party risk management programs, ensuring processes are effective in managing risks in a manner that is consistent with strategic goals, organizational objectives, and risk appetite. This includes establishing and maintaining risk management programs to ensure that all company and member information assets and associated technology, applications, systems, infrastructure, and processes are protected in the digital ecosystem in which we operate.

This role requires a strong, dynamic leader with sound knowledge of business management and deep knowledge of risk management, cybersecurity technologies, and security best practices. This role is responsible for maintaining the confidentiality, integrity, and availability of all Credit Union data, as well as ensuring compliance with all information security laws, regulations, policies, and best practices. This role is also responsible for maintaining a third-party risk management program, including communication of policies, standards, procedures, and reporting to ensure quality, compliance, and security in the Credit Union's third-party relationships.

The Director, Information Security and Third-Party Risk Management will collaborate with various stakeholders and cross-functional teams to evaluate, recommend, and drive improvements to enterprise security and third-party risk management practices and processes across the Credit Union.

TASKS, DUTIES, FUNCTIONS:

Lead the second-line information security and third-party risk management functions by providing the leadership, innovation, governance, reporting, and effective challenge necessary to identify, measure, mitigate, monitor, and report on Golden 1's information security and third-party risk programs in accordance with the established risk management framework.

Continuously improve the Credit Union's ability to identify, assess, prioritize, and mitigate information security and third-party risks throughout the organization, and create recommendations on how to integrate controls into daily operations.

Oversee risk identification activities and processes that continuously identify threats and vulnerabilities, including cybersecurity threats, to determine the Credit Union's information security and third-party risk profiles, including cybersecurity risk.

Establish and maintain appropriate policies, standards, and procedures to support the information security and third-party risk management programs.

Monitor information security and third-party issues related to Credit Union systems and workflows to ensure internal controls are appropriately designed and operating as intended, and that risk mitigation activities support the information security and third-party risk management programs.

Develop risk management tools, practices, and policies to analyze and report information security and third-party risks, and to manage risks according to an enterprise risk management framework.

Design, implement, and execute second-line information security and third-party risk assessment processes. Perform independent review and challenge of first-line assessments and remediation plans.

Develop and maintain the information security and third-party risk management programs, including a strategic roadmap for maturing the programs that is aligned with the business to mitigate or lessen the impact of current and future security and third-party risks for Golden 1. Understand the dynamic threat landscape and strategically adjust and align the roadmap on an ongoing basis to ensure it addresses the changing risk environment.

Promote a culture of security by providing and maintaining effective information security awareness training and ongoing security-related communications to all levels of the organization.

Monitor and assess current technologies, systems, processes, and procedures, as well as current and proposed laws, regulations, and industry standards related to information security and third-party risk management, to ensure the Credit Union remains compliant.

Work with outside consultants, as appropriate, for independent audits and assessments.

Tactfully yet assertively challenge assumptions and perspectives on information security and third-party risk throughout the organization. Recommend improvements to policies, procedures, and practices to reduce costs, improve internal controls, and/or drive efficiencies.

Engage with senior leadership and provide detailed insights into areas of information security and third-party risk for the organization.

Provide key inputs to risk oversight committees, including creating and updating risk management reports and presentations on the evaluation of the information security and third-party risk management programs' effectiveness, the level and direction of risks, key and emerging risks, and the status of previously identified risk and control issues.

Develop standardized metrics and reporting to enable continuous monitoring against program goals. Identify and implement improvements that support the overall maturity and growth of the information security and third-party risk management programs.

Prepare and deliver executive-level presentations.

Coordinate and collaborate with lines of business and support functions (e.g., Information Technology, Legal, Compliance, Fraud, Privacy, Physical Security, Finance, and the Enterprise Project Management Office, among others) to integrate the information security and third-party risk management programs across all areas of the Credit Union.

Participate in and report on security and third-party incidents and events managed by the first line, in accordance with the Incident Response policy, to protect the Credit Union's information assets, including intellectual property, regulated data, and reputation.

Foster a positive and engaging work environment where team members can grow in relevant knowledge and experience.

Recruit and develop talent; manage an organization that keeps resources productively engaged in moving the business forward.

Maintain current knowledge of information security and third-party risk management industry trends, best practices, and techniques that can be practically applied at Golden 1. Partner with external agencies and peer companies to coordinate information exchange and leverage best practices.

Perform other duties as required to support the enterprise risk management program and the business, such as developing ad-hoc analysis, performing deep-dive investigations, or driving specific risk initiatives.

Develop and maintain an understanding of the pertinent regulatory requirements and risks inherent to job responsibilities; establish and maintain control activities that mitigate those risks consistent with the Credit Union's risk appetite; and ensure operational integrity and compliance with applicable regulations.

PHYSICAL SKILLS, ABILITIES, AND EXERTION UTILIZED IN THE PERFORMANCE OF THESE TASKS:

1. Effective oral and written communication skills required to interact with Credit Union staff, management, and all member channels.
2. Must possess sufficient manual dexterity to skillfully operate an on-line computer terminal and other standard office equipment, such as financial calculators, personal computer, facsimile machine, and telephone.

ORGANIZATIONAL CONTACTS & RELATIONSHIPS:

1. INTERNAL: All levels of staff and management.
2. EXTERNAL: Volunteers, external auditors, regulators/examiners, professional and community organizations, and others, as needed.

QUALIFICATIONS:

1. EDUCATION: Bachelor's degree, preferably in Management Information Systems, Information Security, Information Technology/Computer Science, or a related field, or equivalent job experience, preferred.

2. EXPERIENCE: At least 10 years of relevant experience in information security and risk management in a financial institution, with a minimum of 5 years of direct supervisory experience. Experience developing and managing an information security risk management strategy and program is required. Relevant third-party risk management experience is also required.

3. KNOWLEDGE/SKILLS:

• Knowledge of risk management governance models, methods, practices, and processes, inclusive of risk identification, analysis, mitigation/control, communication, monitoring, reporting, and escalation.
• Demonstrated knowledge of information security standards, rules, and regulations related to information security and data confidentiality, and of server, application, database, and network security principles for risk identification and analysis.
• Experience in security policy development, security education, network testing, application vulnerability assessments, risk analysis, and compliance testing required.
• In-depth knowledge of information security technology. Proficient in network security design and architecture, capacity planning, endpoint protection, patch management, vulnerability management, penetration testing, intrusion detection, risk management, mobile device management, identity and access management, and data loss prevention. Experience in managing information security risks in a cloud-based environment.
• Strong knowledge of concepts and best practices including, but not limited to, security frameworks and guidelines established by the Federal Financial Institutions Examination Council (FFIEC), the National Institute of Standards and Technology (NIST), the International Information System Security Certification Consortium ((ISC)²), the International Organization for Standardization (ISO), and the Control Objectives for Information and Related Technologies (COBIT) framework established by ISACA (the Information Systems Audit and Control Association).
• Demonstrated knowledge of third-party risk management standards, rules, and regulations, with experience in the development, management, and/or oversight of third-party lifecycle elements, such as program governance, risk assessment processes, performance monitoring, and contracting.
• Experience reviewing third-party agreement terms and conditions.
• Strong leadership skills and ability to organize and motivate others.
• Demonstrated experience with regulatory agencies, requirements, and/or regulatory compliance, including familiarity with GLBA and CCPA requirements. Ability to interface and build good working relationships with regulators/examiners.
• Strong network of contacts within the information security and/or third-party risk management community, and the ability to represent the Credit Union.
• In-depth understanding of financial services and a high degree of business acumen.
• Strong analytical, problem-solving, and workflow analysis skills, including a demonstrated ability to quickly synthesize information from various sources, identify key points and issues, and strategize solutions.
• Ability to apply judgment around risk management and control frameworks and industry best practices, and to make sound risk/reward decisions using a balance of data, logic, and intuition to inform critical business strategies and processes.
• Proven strong interpersonal and customer service skills; ability to negotiate, influence, and build collaborative, cross-organization relationships, even in difficult situations or where stakeholders have varying levels of experience with information security and third-party risks.
• Excellent communication (verbal, written, and presentation) skills, including the ability to convey complex situations and relationships concisely to management and executive-level audiences and/or non-technical stakeholders.
• Strong organizational skills, with a high degree of initiative and the ability to self-start, self-prioritize assignments, and make timely and effective decisions.
• Strong process facilitation, process management, and improvement skills; ability to independently and effectively handle multiple priorities and deliver a quality result within tight deadlines.
• Highly proficient in Microsoft Office Suite (Word, Excel, Visio, Outlook, PowerPoint).
• Solid work ethic and able to work effectively both independently and in a team.

PHYSICAL REQUIREMENTS:

1. Prolonged sitting throughout the workday with occasional mobility required.
2. Corrected vision within the normal range.
3. Hearing within normal range. A device to enhance hearing will be provided if needed.
4. Ability to lift 15 lbs. as may be required.
5. Occasional movements throughout the department daily to interact with staff, accomplish tasks, etc.
6. Unusually long or inconsistent hours may be required to accomplish tasks.
7. Travel may be needed to accomplish tasks. Overnight travel is sometimes necessary. Occasional weekend and evening schedules required.

LICENSES/CERTIFICATIONS:

Information Security Certification preferred: 1) CISSP (Certified Information Systems Security Professional), 2) CISM (Certified Information Security Manager), and/or 3) CISA (Certified Information Systems Auditor). Relevant third-party risk management certifications or credentials beneficial.

Salary : $170,300 - $190,000
