To maintain and implement Navy Federal’s enterprise Information Security Governance Metrics & Analytics Program to assure management and the board of directors are fully informed of information security related risks. Build strong relationships across information security governance, information security operations, and information technology control and monitoring solutions owners with sufficient awareness for each function that enables evaluating the quality and accuracy of risk-related metrics and narratives. Partner with solutions owners to identify reportable metrics to inform management information security risk awareness and decisions.
Navy Federal’s Information Security Governance team has undertaken an effort to define OKRs (Objectives and Key Results), in addition to identifying KRIs and KPIs for the CISO to track performance across security functions. Data sources and owners, including current gaps in data availability have been identified. The Manager, Information Security Governance Metrics & Analytics will facilitate efforts to • Manage the consolidation of data for Information Security OKRs across information security governance and operations teams, including identifying data sources defining processes to populate OKRs, analyzing trends and producing quarterly OKR progress reports • Manage the collection, processing and analysis of data to produce and continuously update the CISO level dashboard, including populating new sections of the dashboard as new data becomes available (from programs delivering) • Analyze data and identify trends and insights. Communicate these in addition to Information Security Governance progress against quarterly and annual OKR targets, and Navy Federal risk posture to Information Security Governance leadership and an executive audience through reports and presentations • Partner with Information Security Governance, IT and relevant BU SMEs to help teams define team-level OKRs, KPIs and KRIs, identify data sources, create repeatable data collection processes and ensure consistent data quality and build dashboards and reports across functions such as IRM (Incident and Response Management) vulnerability management, endpoint protection, phishing, etc. • Analyze data to discern lessons learned and action items in order to improve security performance and risk posture; partner with the appropriate teams to help them understand the how the data can drive improvements • Manage process or team that builds a data-repository of metrics information extracted from sources across Information Security Governance and IT, including executing data normalization steps • Drive the metrics program to higher levels of maturity with a focus on automation of data collection and dashboard creation • Maintain a catalog of security data, reports and dashboards that can be tailored for audience (Board, Business Executives, CISO, technical, operational) and frequency in order to support scheduled and ad-hoc requests • Identify and determine acceptable risk tolerance levels to establish information classification standards • Perform supervisory/managerial responsibilities • Perform other duties as assigned
Qualifications and Education Requirements:
• Bachelor's degree in Information Systems, Computer Science, Engineering, or related field, or the equivalent combination of education, training and experience • Expert level PowerPoint and Excel skills • Some SQL server experience, the ability to own and maintain SQL databases, connectors, feeds and API’s from systems that provide metrics data • Strong experience with data visualization concepts and tools • Experience with the tableau visualization tool is preferable • Ability to analyze data using Excel including use of complex Excel macros / scripts for reporting and data mining purposes from sources such as SQL databases, SharePoint and other enterprise data repositories is essential; some development experience with data extraction is preferable • Experience with Splunk, Archer and ServiceNow is preferable • Ability to work individually, and as part of a team • Significant, proven experience defining key measurements that will drive visibility, accountability, quality and overall IT/Security effectiveness • Strong written and oral communication skills • Strong presentation skills; ability to adjust message and filter details based on audience (e.g. technical, business, management) • Working knowledge of NCUA and FFIEC regulations, GLBA, PCI and other information security requirements and frameworks • Working knowledge of at least one industry-leading risk management framework (e.g. OCTAVE, COBIT etc.) • Experience in risk mitigation, strategic planning, and management of personnel • Experience with information security concepts, principles, technologies, and methods, and translating best practices in information security to operations in a risk management framework • Advanced knowledge of information technology systems, processes, and application development • Advanced organizational, planning and time management skills • Advanced research, analytical, and problem solving skills • Advanced skill developing and implementing programs in a leadership role • Advanced skill building effective relationships with all levels of staff, management, stakeholders, and vendors, through rapport, trust, diplomacy and tact • Significant experience working with internal audit and external examiners • Significant experience collaborating across organizational boundaries and building partnerships across functions • Effective skill to influence, negotiate and persuade to reach agreeable exchange and positive outcomes • Advanced skill exercising initiative and using good judgment to make sound decisions • Advanced verbal, written, interpersonal, and presentation skills to communicate clearly and concisely technical and non-technical information to all levels of management
Desired Qualifications and Education Requirements:
• Master’s degree in Information Systems, Computer Science, Engineering, or related field • Professional certification in the information security sector (CRISC, CISM, CISSP, CISA)