Within Information Security Second Line of Defense, the Security Risk Team is responsible for providing second-line-of-defense (2LOD) oversight of the enterprise's security, supporting all the operating activities of NFCU. The primary responsibilities include developing and supporting enterprise policy and standards, aligning with and maintaining the enterprise risk framework, monitoring and reporting aggregated risk and risk treatments, performing risk reviews and evaluations to identify and treat risks and to enable business objectives and decision making, and driving continuous improvement of cyber and information security risk management capabilities across businesses and divisions.
Working closely with all business units, and particularly with ISD and Digital, the position will be directly accountable for driving the design and implementation of security risk methodology and capabilities across NFCU in order to achieve the overall mission of managing risk efficiently and effectively in line with strategic objectives.
• Develop and establish the Enterprise Risk profile and reporting requirements related to technology, data, and resiliency risk for the enterprise
• Drive and execute the risk oversight agenda as part of the risk transformation objectives, across governance, enterprise and divisional policy, standards, procedures, risk assessment and treatment, testing, metrics and reporting
• Conduct 2LOD independent risk reviews of the security and technology functions and processes and recommend corrective actions
• Establish and rationalize security and 2LOD risk-related policies, standards and procedures at the enterprise level, and review divisional policy and procedures for alignment and adherence
• Provide leadership and direction across the enterprise for proper planning, execution and escalation of security risk across all businesses and divisions
• Coordinate oversight and effective challenge of other specialized domains that impact ISD, Digital and Lending (e.g. business resiliency, third-party risk) with input from the domain risk leads, including 1LOD risk assessment and mitigation efforts
• Understand industry trends and best practices: engage with the industry and broader ecosystem to understand industry trends, create business cases for best practices and implement changes
• Assess, manage and attract talent
• Establish and expand the existing team, retain and motivate the group, attract outside talent and improve the overall quality of the team
• Be a key partner to the 1LOD business teams, especially ISD, Digital and Lending, to mature risk management capabilities
• Engage stakeholders at all levels across business units to achieve effective communication and sufficient stakeholder input and buy-in
• Provide regular updates to key stakeholders on the overall cyber and security risk posture and communicate recommendations for improvement; prepare the information needed to facilitate management discussion and decision making, including Board presentations and relevant committees
• Perform supervisory/managerial responsibilities
  o Set direction to ensure goals and objectives align with corporate and division strategy
  o Select management and other key personnel; oversee talent development/succession planning
  o Collaborate with leadership/executive colleagues to develop/execute corporate initiatives and/or department strategy
  o Oversee the preparation and execution of the department/division AFP
  o Manage merit pay in accordance with specified objectives and guidelines
  o Leadership Level – lead staff and/or supervisors
• Perform other duties as assigned
Qualifications and Education Requirements:
• Bachelor's degree in Cybersecurity, Information Security, Information Technology, or a related field, or the equivalent combination of education, training and experience
• Advanced knowledge of federal and state laws, rules and regulations governing information security requirements, frameworks, privacy and data protection (e.g., FFIEC, NCUA, CFPB, GLBA, etc.)
• 10+ years of experience in risk, control and governance disciplines
• 10+ years of experience in security, such as architecture, software development and technology operations
• Significant experience in enterprise-wide security and IT risk
• Significant experience operating within a complex organization that requires interacting with and influencing a wide range of stakeholders
• Significant experience developing an enterprise-wide security risk framework that defines the metrics used for reporting and monitoring, sets the thresholds, and determines the escalation process in the event risk tolerances are breached
• Significant experience developing processes to identify and evaluate security risks and control self-assessments
• Advanced skill in all security and cyber risk management standards, including key risk indicators, risk limits and approval authorities
• Significant experience operating within the three lines of defense
• Proven ability to build positive, collaborative relationships at all levels of the enterprise and across a diverse set of functions; the ability to develop strong relationships and influence multiple stakeholders to gain alignment and buy-in on key issues is critical for success
• Skilled in project management as well as work plan development and implementation; astute in strategic planning, budgeting, and allocation
• Demonstrated track record of a proactive approach to mitigating technology risk
• Strong ability to influence those outside his/her organization
• Excellent team-building skills with a track record of attracting, developing, and retaining high-performing talent
• A self-starter with a "can-do" attitude; a driver and implementer who possesses the poise and ability to act calmly and competently in high-pressure, high-stress situations
• Demonstrated ability to lead through ambiguity, and the persistence to move ahead regardless of barriers
• Excellent leadership skills to maximize continuity, stability and controls throughout the organization
• Advanced skill in developing and maintaining collaborative relationships with all levels of leadership, staff and vendors
Desired Qualifications and Education Requirements:
• Master's Degree
• Professional certifications (CISSP, CRISC, CIA, CISA, CISP, etc.)